October 12, 2016 by William Tsing
When asked “what should we defend against,” a common response by a decision maker is “everything,” operating under the implicit logic that if a threat exists, why on earth wouldn’t an organization defend against it? Firstly, because the cost curve for that security strategy leans towards the exponential. Secondly, because a threat isn’t a threat unless it is a threat towards you. POS skimmers, air gap jumpers, and Gamera all exist as potentially catastrophic security threats, but not all of those threats are directed against all of us, all the time. So, when allocating time, energy, and funds towards a secure network, how do we decide which frightening news story to respond to, and which to file away under “interesting, but not relevant?” That’s where threat modeling comes in.