Risk assessments and threat modeling enable organizations to learn how exposed they are to a successful attack. Both approaches are important, but understanding the differences between risk assessments and threat modeling requires that companies know what constitutes a risk and what constitutes a threat. And that requires a definition of vulnerability.
A security vulnerability is some form of fault, weakness or flaw in a system. It could exist within the IT infrastructure, hardware or software, or it could exist in a process, such as patching, or the manner in which a control has been implemented or deployed within a system. To exploit a vulnerability, a threat must be present. That threat could take many shapes -- for example, malware or a malicious insider -- but as long as it hinders the ability of the system to keep data safe or to work as designed, it's a threat.
To that end, vulnerabilities expose a system to threats. Risk, on the other hand, represents the potential financial loss and damage that could result if the threat materializes. The more vulnerabilities that exist in a system, the greater the number of possible threats and the higher the risk.
What is a risk assessment?
Risk assessment is a critical part of risk management. These assessments, which should be performed periodically, let senior management understand the dangers they face, determine which risks are acceptable and take steps to mitigate those risks deemed the most critical.
The first step is to classify the organization's information assets -- or those assets within a chosen scope -- and determine their value. The next step is to identify risks -- the vulnerabilities and potential threats to those assets. All risks should be assessed, even those that fall outside of a direct cybersecurity breach, such as business continuity risk, equipment failure or employee skill shortages -- anything that could halt or interrupt operations.
After that information is collected, perform a risk analysis. Examine each asset to measure how exposed it is. Consider the likelihood it might be attacked and, if so, what kind of damage could occur. Prioritize the most important assets.
Now it's time for risk evaluation. With this step, senior management can implement a risk treatment plan -- appropriate to the organization and the regulatory environment in which it operates -- designed to reduce risks to an acceptable level.
Note that no two companies have the same risks or risk appetite. That said, a number of frameworks and guides are available that can help companies conduct a comprehensive risk assessment, including the following:
- NIST Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
- NIST Special Publication 800-30 Rev. 1 Guide for Conducting Risk Assessments.
- ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection -- Guidance on managing information security risks.
- OCTAVE, The Operationally Critical Threat, Asset, and Vulnerability Evaluation Implementation Guide.
The European Union Agency for Cybersecurity also publishes a free compendium of risk management frameworks.
While a risk assessment estimates how likely a threat is to endanger an asset, and the extent and cost of the damage should an attack occur, it doesn't explore how threats manifest themselves or how assets can be attacked.
Risk equals probability times impact. To know the probability of an attack, you have to be aware of threats that may affect or target the asset. That's where threat modeling comes in.
What is threat modeling?
Threat modeling, like risk assessment, identifies and classifies assets, their potential vulnerabilities and threats, and prioritizes each threat. But while risk assessments only determine whether countermeasures are needed, threat modeling goes a step further and defines those countermeasures. Threat modeling "thinks like an attacker," and, as a result, focuses on the attacks that are the most likely to occur.
Understanding the tactics, techniques and procedures of adversaries enables companies to combat threats more effectively by incorporating the most appropriate countermeasures into their system architectures and codebases. The more value attackers attach to an asset, the greater the lengths they will go to -- the work factor -- to take control of it.
Companies can take advantage of a variety of cyber threat intelligence reports to determine which attackers are likely to target certain assets. These resources also highlight how these attacks may occur. Armed with this information, companies can focus on the most vulnerable assets and address the most dangerous threats.
The following are the most common stages in threat modeling:
- Establish the scope of the threat model.
- Determine the threats.
- Rank each threat.
- Select and implement mitigations -- the choices are avoid, transfer, reduce and accept.
- Document all findings and mitigation actions.
Consider this example: Accessing a user's profile (asset) requires authentication. But password authentication is subject to brute-force attacks (vulnerability) -- and plenty of cracking tools, such as THC Hydra and Ncrack, are available to attackers (threat). To ward off these types of attacks, employ strong passwords and limit login attempts (mitigation). Multifactor authentication is another useful control. The controls' effectiveness can be validated during penetration testing and other security reviews.
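As an added example (not code from the original article) of the "limit logins" mitigation in the scenario above, this Python sketch tracks failed attempts per account in a sliding window and locks the account after a threshold; the user store, salt, thresholds and the fake clock are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo values: a fixed salt and one user with a PBKDF2-hashed password.
SALT = b"demo-salt"
ITERATIONS = 50_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": _hash("correct horse battery staple")}
DUMMY_HASH = _hash("placeholder")  # compared against for unknown users

MAX_FAILURES = 5       # failed attempts tolerated inside the window
WINDOW_SECONDS = 300   # sliding window for counting failures
LOCKOUT_SECONDS = 900  # how long the account stays locked afterwards


class LoginGuard:
    """Per-account failure counter with temporary lockout (the 'limit logins' control)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable so tests can advance time
        self.failures = defaultdict(list)       # username -> timestamps of recent failures
        self.locked_until = {}                  # username -> time the lockout expires

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                     # reject without even checking the password
        # Drop failures that fell out of the sliding window.
        self.failures[user] = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        # Hash first and compare in constant time so unknown and known users cost the same.
        candidate = _hash(password)
        stored = USERS.get(user, DUMMY_HASH)
        if user in USERS and hmac.compare_digest(candidate, stored):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user].clear()
            return "locked"
        return "denied"
```

A real deployment would also throttle by source address and emit an event on each lockout so the SOC can see a brute-force campaign in progress.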
Popular threat modeling methodologies and frameworks include Damage, Reproducibility, Exploitability, Affected users, Discoverability (DREAD); NIST's Guide to Data-Centric System Threat Modeling; Process of Attack Simulation and Threat Analysis (PASTA); Microsoft's Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege (STRIDE); the European Union's OCTAVE initiative; and the open source Threat and Risk Identification and Knowledge-based Engineering.
A threat modeling exercise should be performed every time a new system or application is designed. It helps establish the security controls needed so that every component is built to withstand an attack.
Risk assessment vs. threat modeling
When examining risk assessment vs. threat modeling, you'll find plenty of overlap. Each is a preventative and proactive exercise that addresses potential risks. A risk assessment, however, usually embraces a larger scope than threat modeling. Risk assessments should be held periodically or whenever there is a significant change in the IT environment or threat landscape. The initial risk assessment also provides a baseline against which to monitor progress in risk reduction and the effectiveness of investments in security.
Threat modeling is more specific and detailed. A risk assessment considers possible countermeasures; threat modeling defines and implements them. Threat modeling identifies vulnerabilities, as well as potential risks and mitigation steps, by using scenarios that target system entry points and data, both at rest and in transit. One of the long-term benefits of threat modeling is fewer successful attacks, and thus fewer redesigns and updates to systems and applications to fix security flaws.
Every organization needs an information security management framework in place so it has a register of information assets and owners, a defined level of acceptable security risk and a mitigation plan that ensures risks sit within acceptable tolerance levels.
Risk assessment versus threat modeling is not an either/or choice. They play complementary roles, and each helps organizations protect activities and projects from unacceptable risks.