Threat Modeling
Physical security has a threat modeling problem: as a regular, robust, or standard practice, threat modeling simply does not exist in the physical security field. NIST, OWASP, and SANS each offer a definition, all of them ambiguous, dry, and unhelpful to anyone attempting to use threat modeling outside the standard cases in application, cyber, and information security. OWASP defines threat modeling as “work to identify, communicate, and understand threats and mitigations within the context of protecting something of value.”
We primarily use threat modeling in three ways:
Communication: Communicating the “why” of security to stakeholders. What is the purpose of each security measure, inconvenience, budget request, or new process?
Stakeholders may include leaders, budget-holders, decision makers, employees, and the public.
Decision Making: What are the threats to my business, and what security measures will defend against them?
Cost Savings: Trying to mitigate every threat leads to mitigating none of them well. In other words, identifying the most serious threats and focusing resources on those enables organizations to remove (or forgo) excessive or unnecessary security that does not fit the threat model.
Threat modeling is a tool to standardize, normalize, and simplify the complexities of physical security. From executive protection to corporate security, threat models should drive conversations and decisions. If you find yourself requesting budget for a project or managing a security program without first defining your threat landscape, it is a good time to pause and put your company and security program through a threat modeling exercise. Or you can bring in experienced partners to begin Threat Modeling and start defining everything from the overall threat at your company to the specific threats addressed by each security measure. Once completed, you will be able to define the loss avoidance tied to each security measure you implement. When you receive questions about your security budget, you will be able to illustrate the positive impacts and risks being addressed by each dollar of the security budget.
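The "loss avoidance tied to each security measure" above is easiest to defend when it is computed rather than asserted. The following is an added example, not the original post's material or a tool from the authors' practice: it applies the standard quantitative risk vocabulary (single loss expectancy, annual rate of occurrence, annualized loss expectancy, and return on security investment) to a constructed physical security threat model, ranks candidate measures by how much risk each dollar buys down, and picks measures within a budget. All threat names, dollar figures, rates, and reduction fractions are invented for illustration; the assumption that independent measures reduce a threat's rate multiplicatively is likewise an assumption of this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    """One threat from the threat model (all figures constructed for this example)."""
    name: str
    single_loss: float   # SLE: expected loss per occurrence, in dollars
    annual_rate: float   # ARO: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any measure is applied."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Measure:
    """A candidate security measure and the threats it reduces."""
    name: str
    annual_cost: float
    # threat name -> fraction by which the measure reduces that threat's ARO (assumed)
    reductions: dict = field(default_factory=dict)


# Constructed threat model for a small office with an on-site data hall.
THREATS = [
    Threat("Tailgating into the data hall", single_loss=250_000, annual_rate=0.4),
    Threat("After-hours laptop theft", single_loss=8_000, annual_rate=3.0),
    Threat("Vandalism of exterior cameras", single_loss=2_000, annual_rate=1.0),
]

# Constructed candidate measures with assumed effectiveness against each threat.
MEASURES = [
    Measure("Mantrap at data hall entrance", 40_000,
            {"Tailgating into the data hall": 0.8}),
    Measure("After-hours guard post", 90_000,
            {"Tailgating into the data hall": 0.5, "After-hours laptop theft": 0.6}),
    Measure("Laptop cable locks", 3_000,
            {"After-hours laptop theft": 0.5}),
    Measure("Anti-vandal camera housings", 6_000,
            {"Vandalism of exterior cameras": 0.9}),
]


def residual_ale(threat: Threat, measures: list) -> float:
    """ALE remaining after the given measures; independent measures combine
    multiplicatively (an assumption of this example, not a law)."""
    remaining = 1.0
    for m in measures:
        remaining *= 1.0 - m.reductions.get(threat.name, 0.0)
    return threat.ale * remaining


def loss_avoided(measure: Measure, threats: list) -> float:
    """Dollars of expected annual loss the measure removes, summed over threats."""
    return sum(t.ale - residual_ale(t, [measure]) for t in threats)


def rosi(measure: Measure, threats: list) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = loss_avoided(measure, threats)
    return (avoided - measure.annual_cost) / measure.annual_cost


def rank_measures(measures: list, threats: list) -> list:
    """Measures ordered by ROSI, best first."""
    return sorted(measures, key=lambda m: rosi(m, threats), reverse=True)


def select_within_budget(measures: list, threats: list, budget: float) -> list:
    """Greedy pick by ROSI; stop at the first measure that costs more than it saves."""
    chosen, spent = [], 0.0
    for m in rank_measures(measures, threats):
        if rosi(m, threats) <= 0:
            break  # everything after this loses money
        if spent + m.annual_cost <= budget:
            chosen.append(m)
            spent += m.annual_cost
    return chosen


def total_cost(measures: list) -> float:
    return sum(m.annual_cost for m in measures)


def total_ale(threats: list) -> float:
    return sum(t.ale for t in threats)


if __name__ == "__main__":
    for m in rank_measures(MEASURES, THREATS):
        print(f"{m.name:32s} avoids ${loss_avoided(m, THREATS):>9,.0f}/yr  ROSI {rosi(m, THREATS):+.2f}")
    print("Cost of doing everything:", f"${total_cost(MEASURES):,.0f}",
          "vs. total expected loss:", f"${total_ale(THREATS):,.0f}")
    print("Within a $50,000 budget:", [m.name for m in select_within_budget(MEASURES, THREATS, 50_000)])
```

On the constructed numbers, buying every measure costs more per year ($139,000) than the entire expected loss it defends against ($126,000), which is the "mitigate everything, mitigate nothing" trap from the cost savings point; the ranking instead shows that cable locks and the mantrap carry positive returns while the guard post and camera housings do not. The numbers are the least important part: the value is that each line item in a budget request now has a stated threat, an assumed effectiveness, and a loss avoidance figure that a stakeholder can question and a later reassessment can update.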
Adversarial Note: What kind of red teamers would we be if we did not point out the alternate ways to think about and use threat modeling? MITRE’s ATT&CK framework, a knowledge base of observed adversary tactics and techniques, is one of the most common and well-developed foundations for threat models in industry use today. No equivalent for it exists in the physical security realm. However, threat modeling in general and specific tools like ATT&CK are not meant to be the primary or exclusive means of addressing every single threat.
They are meant to be an informative, comprehensive tool serving to prioritize and/or rank some of the more prominent and likely threats to the organization. Effective threat modeling is one of the first steps toward understanding the threat landscape for a company that does not yet know where to begin risk mitigation or reduction. There is a time and a place to use threat modeling: it is designed as a helpful tool to understand the holistic security picture and build foundational best practices (e.g., assurance tests, awareness training, etc.), while saving the biggest part of the threat model, the Unknown Unknowns, for the advanced level, when the same organization is ready to be red teamed by an advanced adversary looking from the outside in. This to us is the basic premise of the Crawl, Walk, Run model: to derive the best value from red teaming, you build up the organization’s resilience and preparedness over time. The alternative feels somewhat like a mathematics PhD student crashing a seventh-grade mathletes meet.
Threat modeling is both an integral part of all Red Team engagements and a standalone product quickly growing in popularity. Once a tool to aid in taking an adversarial perspective for red teamers, threat modeling has been requested by security and budget leaders to understand how each security dollar buys down organizational risk, and to improve security programs by looking at their organization through the eyes of an adversary. Our customers receive completed reports, matrices, and workshop reports. More importantly, they receive the same tools, templates, graphics, instructions, and guidelines to continue threat modeling on a regular basis. Just as threat actors adapt and overcome defensive measures, we must also have the tools to reassess and improve our security measures to stay one step ahead.
Happy threat modeling!