Threat modeling¶
A systematic methodology for understanding and prioritizing threats to an organization's assets, systems, or infrastructure. Threat modeling combines literature review, expert elicitation, and quantitative risk scoring to answer: What can attack me? How likely is it? How bad would it be? What should I defend first?
Approach¶
A comprehensive threat model typically includes:
- Asset identification: What systems, data, or capabilities are at risk?
- Threat enumeration: What attacks exist in the literature or in the wild?
- Attack framework mapping: Organize tactics/techniques (e.g., MITRE ATT&CK)
- Expert scoring: Rate each threat on dimensions like profit, achievability, harm, and defendability
- Threat ranking: Synthesize ratings into a prioritized list
Quantitative models¶
A simple but effective model scores threat as T = H × (M / D), where: - H = Harm (damage inflicted) - M = Motivation (⅓ × Profit + ⅓ × Achievability) - D = Defendability (1 = easy to detect/prevent; difficult = < 1)
Higher scores indicate threats that are worth more defensive investment. The model assumes that defenders should prioritize high-harm, easy-to-achieve, hard-to-defend threats—regardless of the threat agent's primary motivation.
Key papers¶
- The Threat of Offensive AI to Organizations — Uses the threat-ranking model to enumerate 33 offensive AI capabilities and survey 22 experts (academia + industry) on their severity, finding exploit development, social engineering, and information gathering pose the greatest risk.
Related topics¶
- Offensive AI — Focus on what adversaries can do; threat modeling prioritizes which threats matter most
- Adversarial Machine Learning — Threat modeling applies to security of ML systems