| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 1.7 - Threat Modeling
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series shows how to find and rank threats before they hurt you, continuing Domain 1. It covers what threat modeling is, when it happens in a system’s life, the structured ways professionals discover and categorize threats, and how to decide which ones deserve attention first.
What this episode covers
- What threat modeling is — identifying, categorizing, and analyzing threats across the whole life cycle, not once.
- Proactive vs reactive — designing threats out early versus hunting for problems after deployment.
- Three lenses for identifying threats — focusing on assets, on attackers, or on the software you build.
- The STRIDE model — spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege.
- Fuller methodologies — a seven-stage risk-centric method and a visual, agile approach, among many others.
- Diagramming attacks — mapping components, security zones, and data flows, covering technical, physical, and social forms.
- Reduction analysis — decomposing the system to expose trust boundaries, dataflow paths, input points, and privileged operations.
- Prioritizing threats — probability times damage, risk matrices and heat maps, and five-question severity ratings.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What is threat modeling?
Threat modeling is the process of identifying, categorizing, and analyzing potential threats. For each one, you work out the possible harm, the odds it happens, how much you should worry, and how to remove or reduce it. It is not a one-time event — you start it early in design and keep it running across the whole life cycle, and mature software teams fold it into their development life cycle to catch flaws sooner and cheaper.
When do you model threats, proactively or reactively?
Both, and the distinction matters. The proactive, defensive approach happens early, during design and specification, predicting threats and baking in defenses as you build — integrated security is usually cheaper and more effective than security shoehorned in later. The reactive, adversarial approach happens after a product exists, hunting for problems you could not foresee; it powers ethical hacking, penetration testing, source code review, and fuzz testing.
How does the STRIDE model categorize threats?
STRIDE sorts threats into six named types so you do not miss a category. Spoofing is faking an identity to slip past controls, tampering is unauthorized changes to data, repudiation is denying an action you actually took, information disclosure is leaking private or controlled data, denial of service is blocking legitimate use of a resource, and elevation of privilege is turning a limited account into a powerful one. Modern modeling adds concerns for AI systems too, like biased algorithms that produce unfair outcomes.
How do you decompose a system in reduction analysis?
Reduction analysis means breaking the system into smaller parts — modules, protocols, or even departments — to understand its logic and interactions. As you decompose, you pin down five key things: trust boundaries where the level of trust changes, dataflow paths, input points where external data arrives, privileged operations needing elevated rights, and the stated security stance. Each threat found should be documented by its means, target, and consequences.
How do you prioritize the threats you find?
You rank them so the worst get attention first. One simple method multiplies probability by damage potential to score each threat, and an even simpler one rates probability and damage as high, medium, or low on a risk matrix or heat map, where high-high sits in the danger corner. A richer method rates each threat on five questions — damage, reproducibility, exploitability, affected users, and discoverability — and once ranked, you choose responses weighted by cost and effectiveness.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 1.7 - Threat Modeling.