Threat modeling frameworks
At this point, the process has been informal in that we have just defined some steps to evaluate a vulnerability. One could stop here and attempt to secure the organization using the information gathered. However, this is short-sighted as there is much more that analysts can do. Additionally, as organizations grow and become more complex, simple process documents are no longer sufficient for the task. More structured and formalized processes are needed to accomplish our goals.
Fortunately, this is a common problem, and other organizations have put together frameworks for ingesting this type of information and storing it in a form that can be reported on. The one issue with using formal frameworks is that they may not align completely with the organization. They can also take time to learn and implement. This can make the process much more drawn out, requiring personnel to manage and maintain the data. Once implemented, though, practitioners can quickly...