Shostack + Friends Blog

The Four Question Framework for Threat Modeling

Our latest whitepaper!

Shostack + Associates is pleased to release our latest whitepaper, Understanding the Four Question Framework for Threat Modeling! It’s free as part of our Black Friday sale, and uhhh, because we like sharing knowledge it’ll remain free.

I wrote this paper because someone once called the questions “surprisingly nuanced,” which I thought was kind, and because I saw even collaborators varying the words. And as I write in the introduction:

People commonly make the mistake of rephrasing the questions. They don’t realize that there are reasons to use the specific framework questions. There’s nuance and intent in the questions, which are meant to be answerable in many ways. Rephrasings often lose nuance, flexibility, or both. Further, consistency in how we say things contributes to consistency in how we do them.

If this isn’t more fun than listening to your Uncle Jack expound on football on Thanksgiving, double your money back!

Originally published by Adam on 27 Nov 2024
Categories: threat modeling papers

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The ATOM feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.