Threat Agents: a Necessary Component of Threat Analysis

摘要

There have been significant achievements in defining and developing viable approaches to threat modeling and risk assessment techniques for a wide range of IT applications and computing environments. Most of the approaches have been qualitative, due to the difficulties in quantifying all the aspects of the threat analysis. Some quantitative approaches, especially based on the analysis of the cost of security, have been proposed as well, such as "Total Cost of Security" described in [1]. The adjacent field of requirements engineering that provides useful insight into threats and mitigations, has flourished also [2]. In qualitative studies, the focus was on introducing new taxonomies and ontologies [3], applying threat modeling techniques to new areas [4], e.g., ad-hoc networks or improving prioritization and usability of the existing approaches, such as the Common Vulnerability Scoring System [5]. Interest in applying the same models to hardware and software threat analysis is beginning to emerge [6], although the difficulties as well as the benefits of this approach are self-evident.