The paper assessed in this assignment is “Threat Modeling-Perhaps It's Time” by John Steven. The paper gives a brief introduction to the threat modeling industry and the application of threat modeling in the modern world. Published in 2010, the paper describes how important threat modeling has become and argues that the time has come for threats to be mitigated seriously. This paper, published as a contribution of the IEEE Computer and Reliability Society, targets everyone who uses computer technology for important business purposes. The main idea is to inform people about how they can keep their data safer and what they should do to avoid potential threats. It discusses the reasons why people do not consider threat modeling suitable for their businesses and then provides advice that can help people make the right decisions.
The four main advantages of adopting threat modeling are that it helps identify the threats, minimize the risks, handle new threats, and identify the flaws in the business that create the chance of a threat. Further, threat modeling is explained in detail, with all the essentials of the method covered in the article. In addition, the basic criteria for designing a threat model are given in the article. These models work differently for each system in order to provide customized threat mitigation for different businesses. Most business managers do not take the initiative on threat modeling because they think it is too expensive and difficult to execute. However, with a little collaboration between the business end and the technical end of a company, it becomes clear that the outcome of threat modeling is worth the money and effort. In addition, application security is now much improved and has significant features which overcome the difficulties faced in the past.
One of these features is the maturation of application security, which means that this system has progressed and is now free of certain errors and problems it had in the past. With the help of training, the people concerned can easily learn to handle the software by themselves. In this respect, it has been made more user-friendly, and the training is designed to make people understand the fundamentals of threat modeling. Another point is that, because of the high demand for threat modeling, many companies have developed an inventory of the assets and applications they use. This gives the user further motivation and capability to adopt the threat model for asset security. Finally, threat modeling resources have been made free and open, making it easier for users to access them and optimize them according to their requirements. Two examples, from Microsoft and the OWASP community, are given in the paper; they show how threat models have been developed and what problems were faced when the resources were not open. In the end, the paper concludes that threat modeling is indeed the need of the hour and that, as it has become more important, it has also become simpler, so that more people and businesses can benefit from it.
The paper under study provides a decent amount of knowledge about threat modeling, its usage and the improvements made to this field. Not only does this paper serve to make more people understand the need for threat modeling, but it also motivates business owners and managers to consider this option for the safety and security of their businesses. The paper makes a prominent contribution to the cyber security body of knowledge by providing useful information to the people who are directly or indirectly related to cyber security and can benefit from it. The people directly related are those who are aware of how the system works and have previous experience working with such security systems. This paper provides them with the latest improvements in threat modeling, which can attract more customers towards threat modeling. The people who are indirectly related are the managers and business owners who need such a system for the protection of their assets. This paper lets them know that the product they need has now improved and is simpler, so that more people can run it. It also informs them about the training that can help anyone understand how it works.
In addition, a major contribution is made for students and new employees working in the field of cyber security. This is because it briefly discusses how threat modeling works and what the future prospects of this field are. People who are new to the field can use this knowledge to decide which expertise they need in order to specialize in threat modeling, which surely is the future of all sorts of businesses (Steven, 2010). Besides cyber security professionals, teachers and students, this paper is also helpful for anyone who wishes to know about threat modeling, because it is written in simple language and introduces the subject from the very basics.
Identification of weak areas
The research paper by Steven is undoubtedly very informative and has useful details related to the improvements and needs in the growing threat modeling market. However, there are some weaker areas of this research which need to be pointed out. First, the paper lacked a proper flow, which is normally seen in scholarly papers. Although it was not a research paper with deduced results, a little coherency and order could have significantly improved the overall impact of the paper. Secondly, the paper lacked reasoning and evidence from the already available literature, which is one of the primary requirements. Such evidence makes a paper more authentic, so that the reader can readily believe everything the author has written. For instance, the improvements in threat modeling have been discussed in detail, yet no source is mentioned by which one could confirm that these improvements have actually been carried out.
Conclusions
The paper studied in this week’s assignment was “Threat Modeling-Perhaps It's Time” by John Steven. After a detailed analysis, the paper was found to be really informative and useful for people related to the field of cyber security. The main purpose of this paper was to spread awareness about the utility of threat modeling and how easily business owners can have their own personalized cyber security. The paper lacked coherency and proper sources, which were seen as the weaker areas of this work. However, it was seen to make a handsome contribution to the cyber security literature.
References
Steven, J. (2010). Threat Modeling-Perhaps It's Time. IEEE Security & Privacy, 8(3), 83-86.
http://ieeexplore.ieee.org/document/5470962/