Comments on TaoSecurity Blog: Threat Model vs Attack Model
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)

Comment by Alex (http://securityblog.verizonbusiness.com), 2011-03-27 09:06 -04:00:

Threat analysis and attack analysis should be subsets of risk analysis. They have uses outside of risk analysis, to be sure, but if a risk model does not utilize the posterior results of threat and attack analysis, there's a great chance that the model is little more than numerology.

Comment by Anonymous, 2009-06-16 07:04 -04:00:

This comment has been removed by a blog administrator.

Comment by Anonymous (signed "Danny"), 2008-07-23 05:44 -04:00:

Richard,
Just stumbled on this post of a year ago. Yes - Microsoft are a little careless with their definitions.

But, I'd like to make two points:
1) There ARE rigorous definitions. The entities are:
a. assets - things that have value (might be digital, physical, reputational or operational)
b. assets have vulnerabilities, a weakness or failing
c. threats exploit vulnerabilities
d. attacks are the manifestation of a threat
e. countermeasures mitigate vulnerabilities.

I don't believe you can break attacks away from threats, and I disagree with Ira Winkler's position that companies can't figure out threats.

In my experience the language of threat modeling is natural for employees at all levels - once you explain the conceptual model - and that takes about 10 minutes tops.

Take care
Danny

Comment by Anonymous, 2007-06-12 20:05 -04:00:

To my knowledge the term "threat tree" comes from the work of Edward Amoroso (check "Fundamentals of Computer Security Technology", Prentice-Hall 1994), which by far predates any work in this area by Bruce Schneier. Amoroso's work is very well known inside Microsoft, and this is, as far as I know, the historical reason Microsoft uses an "incorrect" terminology.