To enhance the security of mobile devices, enterprises are developing and adopting mobile device management systems. However, if a mobile device management system is exploited, mobile devices and the data they contain will be compromised. Therefore, it is important to perform extensive threat modeling to develop realistic and meaningful security requirements and functionalities
One step involved in the security engineering process is threat modeling. Threat modeling involves understanding the complexity of the system and identifying all of the possible threats, regardless of whether or not they can be exploited. Proper identification of threats and appropriate selection of countermeasures reduces the ability of attackers to misuse the system. Introduced during the HotSoS conference in Pittsburgh, PA in April 2016 by Bradley Potteiger, Goncalo Martins, and Xenofon Koutsoukos, Quantitative Threat Modeling Method is a quantitative, integrated threat modeling approach that merges software and attack centric threat modeling techniques.
The STRIDE threat model is composed of a system model representing the physical and network infrastructure layout, as well as a component model illustrating component specific threats.
Component attack trees allow for modeling specific component contained attack vectors, while system attack graphs illustrate multi-component, multi-step attack vectors across the system.
The Common Vulnerability Scoring System (CVSS) is leveraged to provide a standardized method of quantifying the low level vulnerabilities in the attack trees.
This hybrid method consists of attack trees, STRIDE, and CVSS methods applied in synergy. It aims to address a few pressing issues with threat modeling for cyber-physical systems that had complex interdependence among their components.
The central step of the Quantitative Threat Modeling Method (Quantitative TMM) is to build component attack trees for the five threat categories of STRIDE. This activity shows the dependencies among attack categories and low-level component attributes. After that, the CVSS method is applied and scores are calculated for the components in the tree.
An additional goal for the method is to generate attack ports for individual components. These attack ports (effectively root nodes for the component attack trees) illustrate activities that can pass risk to the connected components. The scoring assists with the process of performing a system risk assessment. If an attack port is dependent on a component root node with a high-risk score, that attack port also has a high-risk score and has a high probability of being executed. The opposite is also true.
This method can be applied to identify all possible threats against a mobile device management system by analyzing and identifying threat agents, assets, and adverse actions.
It can also be used for developing security requirements such as a protection profile and design a secure system.
Contains built-in prioritization of threat mitigation
Has automated components
Has consistent results when repeated
Yue Chen, Barry Boehm, and Luke Sheppard developed another quantitative threat modeling method, the Threat Modeling method based on Attacking Path Analysis (T-MAP), which quantifies security threats by calculating the total severity weights of relevant attacking paths for Commercial Off The Shelf (COTS) systems.
Compared to existing approaches, T-MAP is sensitive to an organization' s business value priorities and IT environment.
It distills the technical details of thousands of relevant software vulnerabilities into management-friendly numbers at a high-level.
This method systematically establishes the traceability and consistency from management-level organizational value propositions to technical-level security threats and corresponding mitigation strategies.
T-MAP could provide promising strength in prioritizing and estimating security investment effectiveness, as well as in evaluating the security performance of COTS systems.
T-MAP can help system designers evaluate the security performance of COTS systems and analyze the effectiveness of security practices.
This model can be implemented using UML class diagrams, access class diagrams, vulnerability class diagrams, target asset class diagrams and affected Value class diagrams.