Training People on Threat Modeling


Adam Shostack here. Blogger Ian Grigg has an interesting response to my threat modeling blog series, and I wanted to respond to it. In particular, Ian says “I then would prefer to see the threat – property matrix this way:”

I wanted to share an additional table from our training, and talk about repudiation a bit more.

Actually, I’d like to repudiate the term “repudiation.” It’s an awful name that most people never run into in day-to-day life. It doesn’t hit the simplification bar the way say, “denial,” would. Unfortunately, STDIDE (Spoofing, Tampering, Denial, Information Disclosure, Denial of Service, Elevation of Privilege) doesn’t make a very memorable acronym. Memorable is important when training people. Our reviewers have raised this as an issue, and ’d love to get feedback from our readers. How can we ensure that the software we build has the right level of logging and audit-ability? What evocative words can we use, and can you help us come up with a word or phrase that starts with R? Let us know!

And then, here’s the chart:

Threat Property Definition Example
Spoofing Authentication Impersonating something or someone else. Pretending to be any of billg, or ntdll.dll
Tampering Integrity Modifying data or code Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.
Repudiation Non-repudiation Claiming to have not performed an action. “I didn’t send that email,” “I didn’t modify that file,” “I certainly didn’t visit that web site, dear!”
Information Disclosure Confidentiality Exposing information to someone not authorized to see it Allowing someone to read the Windows source code; publishing a list of customers to a web site.
Denial of Service Availability Deny or degrade service to users Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.
Elevation of Privilege Authorization Gain capabilities without proper authorization Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.


(Ian’s post is here . IE users will see a warning about certificate authorities when visiting this site.  As I wrote this, Gunnar Peterson added commentary at “Threats, Mechanisms and Standards.”)

Join the conversation

  1. mortman

    What about replacing Repudiation with Rejection?

  2. SME

    how about refutation, or refusal?

Comments are closed.