Thursday, July 28, 2011

Risk Modeling, not "Threat Modeling"

Thanks to the great new book Metasploit (review pending), I learned of the Penetration Testing Execution Standard. According to the site, "It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations)." I think this project has a lot of promise given the people involved.

I wanted to provide one comment through my blog, since this topic is one I've covered previously. One of the goals of the standard is to name and explain the steps performed in a penetration test. One of them is currently called "threat modeling," and is partly explained using this diagram:

When I saw elements called "business assets," "threat agents," "business process," and so on, I realized this is more of a risk model, not just a "threat model."

I just tagged a few older posts as discussing threat model vs risk model linguistics, so they might help explain my thinking. This issue isn't life or death, but I think it would be more accurate to call this part of the PTES "Risk Modeling."


Osama Salah said...

Reminds me of the FAIR Risk Management Taxonomy, which I mapped out here:

iamit said...

Richard, thank you very much for the comment, and yes, you are correct that the threat modeling section is based on a wider risk modeling way of thinking.
I do think, though, that for the context of the section within the PTES it would still be OK to call it a threat model; the risk model is what you eventually get to at the end of the pen test, and it would be reflected in the final report and, of course, in the takeaways for the organization and how it plans to apply the insights from the pen test to its risk management practice.
Keep up the good work!