tag:blogger.com,1999:blog-1426281128647295476.post3233730148672934694..comments2009-06-12T05:48:01.284-05:00radihttp://www.blogger.com/profile/11459795773754260693radi@r-n-d.orgBlogger1125tag:blogger.com,1999:blog-1426281128647295476.post-3013603847133169132009-06-12T05:48:01.284-05:002009-06-12T05:48:01.284-05:00I personally believe that the distinction you perceive at the beginning of this post - that is, financial sector threat modeling vs. technology sector threat modeling - is not a real difference but just a side-effect of the nature of the two sectors. <br /><br />All threat modeling is done for a business reason - you don&#39;t do threat modeling to produce nice wallpapers or to be kind to your neighbor, you do it to meet a certain business goal. It is essential, then, that threat modeling begins with the &quot;business goals&quot;-&gt;&quot;business risk&quot;-&gt;&quot;technical risk&quot; mapping step that you are talking about. All threat models should in fact start like this. However, for software vendors - like Microsoft - the technical risks happen to overlap with the business risks, and that&#39;s why IMHO you see this step missing in the MS-sanctioned way of doing threat modeling.<br /><br />In other words, when you do threat modeling for a bank, you need to start from the business goals and business risks in order to understand that a certain database is an asset to protect. On the other hand, when you do threat modeling of a system being sold by a software vendor, you already know that whatever user data gets touched by that system, it&#39;ll be an asset to protect.<br /><br />My two cents.Gabehttp://www.blogger.com/profile/13958752731645145468noreply@blogger.com