Shostack's 4 Question Frame for Threat Modeling
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
These questions are designed to help people build better systems. They work less well for end-users of technology.
The authoritative reference is page 4, Threat Modeling: Designing for Security. I've evolved the questions since then. The changes include:
- We has replaced you, to be inclusive and collaborative
- "are" has replaced "should" in question 3, to be more focused on action
- Simplified the wording.
- I'll regularly ask "did we do a good enough job?" The goal is not to do a good job at threat modeling, but to drive improvement to a system.
Nuances
People will sometimes phrase the first question "what are we building" rather than working on. The "building" frame draws people towards a waterfall approach with the attendant problems.
In the Threat Modeling Manifesto, the team had a preference for adding the word "enough" to the 4th question: did we do a good enough job? I appreciate the lessened pressure, and miss the aspiration, and so keep the terse form here.
There's a 60 second video that introduces the questions.
Legalese, citations.
I'm told some lawyers have been concerned about quoting a complete thing, and asserted that it pushes at the limits of fair use to use all 23 of these words as a unit. If you need a license, please treat it as CC-BY. Please call it "Shostack's Four Question Frame for Threat Modeling," or "Shostack's Four Question Framework."
MLA formated cite is: Shostack, Adam. Threat Modeling: Designing For Security. John Wiley & Sons, 2014.