What is a “threat?”

Over the past years that I’ve been involved with threat modeling in the ACE Team, one of the things I learnt is that “threat modeling” is an overloaded term. Some methodologies claim to be “threat modeling” methodologies while they are more like “attack modeling” or “risk modeling”. Granted, one can call something “foo modeling” if they want, as long as they make their definitions clear. So let’s do just that…


We’ll define a threat as the possibility of something bad happening – an event that has some sort of negative impact. Examples are losing your driver’s license or a bank having the confidentiality of its customers’ credit card information compromised.


An attack is a means through which a threat is realized – in other words, the attack is an exploit. An attack could be a physical attack of some sort or SQL injection, for example.


It’s important to be clear on the difference between a “threat” and an “attack”. One of the ways in which I like to look at this is to say that an attack is simply a means to an end – which is the threat. If you’re looking for ways to break something from an adversarial perspective, you’re “attack modeling”. If you’re looking for ways in which to defend against the potential realization of certain events from a defender’s perspective, you’re “threat modeling”.


An attack can only take place if certain vulnerabilities exist. In the case of a physical attack, it may be because you didn’t take self-defense classes and couldn’t appropriately defend against a physical attack or, in the case of SQL injection, the technology implementation used dynamic SQL and no input validation.


A vulnerability is something that is mitigated with a countermeasure. Examples could be taking self-defense classes or using stored procedures with embedded SQL that are invoked securely through strongly typed parameterized queries. :)


So we have the following assertion:


Threats are realized through attacks which can materialize through certain vulnerabilities if they have not been mitigated with appropriate countermeasures.
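The assertion above can be written down as a small data model. This is an added example, not code from the original post or from the Threat Analysis & Modeling tool; the class and function names are hypothetical, the pairing of each threat with an attack is constructed from the post's examples, and it assumes an attack is viable only while every vulnerability it depends on is unmitigated.

```python
from dataclasses import dataclass, field

@dataclass
class Vulnerability:
    name: str
    countermeasures: list[str] = field(default_factory=list)  # applied mitigations

    @property
    def mitigated(self) -> bool:
        return bool(self.countermeasures)

@dataclass
class Attack:
    name: str
    requires: list[Vulnerability]  # assumption: all must be unmitigated

    @property
    def viable(self) -> bool:
        return bool(self.requires) and not any(v.mitigated for v in self.requires)

@dataclass
class Threat:
    name: str
    attacks: list[Attack]

def open_threats(threats):
    """Map each still-realizable threat to the attacks that can realize it."""
    result = {}
    for threat in threats:
        viable = [a.name for a in threat.attacks if a.viable]
        if viable:
            result[threat.name] = viable
    return result

def build_model():
    # Constructed sample model built from the post's two examples.
    dyn_sql = Vulnerability("dynamic SQL with no input validation")
    untrained = Vulnerability("no self-defense training")
    threats = [
        Threat("customer credit card data disclosed",
               [Attack("SQL injection", [dyn_sql])]),
        Threat("driver's license lost",
               [Attack("physical attack", [untrained])]),
    ]
    return threats, dyn_sql, untrained

if __name__ == "__main__":
    threats, dyn_sql, _ = build_model()
    print("before:", open_threats(threats))
    dyn_sql.countermeasures.append("stored procedures via parameterized queries")
    print("after: ", open_threats(threats))
```

Applying the countermeasure removes the SQL injection path, so the credit card threat drops out of the open list while the threat itself stays in the model.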


One last thing… what is “risk”? Think of a threat as a qualitative attribute of a system and think of risk as a quantitative attribute of a threat used to quantify it. I’ll talk more about risk as appropriate.


More to come soon…


-Talhah Mir

Comments (5)

  1. BETA2 of Microsoft Threat Analysis & Modeling v2.0 (formerly codenamed “ACE Torpedo”) is now available…

  2. BETA2 of Microsoft Threat Analysis & Modeling v2.0 (formerly codenamed “ACE Torpedo”) is now available…

  3. With this release of the process and the accompanying tool, there were 4 high-level objectives we are…

  4. Recently a new OWASP TOP10 appeared, the 2007 version. I must admit that I have mixed feelings about it… The new list, OWASP TOP10 2007, is available here; the previous version, dated 2004, is available here. On the Top 10 page

  5. BETA2 of Microsoft Threat Analysis & Modeling v2.0 (formerly codenamed “ACE Torpedo”) is now available