Abstract:
Practitioners and researchers have been thinking about, making presentations on, and publishing material related to threat modeling for longer than many security practitioners performing assessments have been alive. Yet many security managers avoid even discussing threat modeling because they perceive it as expensive and difficult. A noisy IT security space makes discerning real threat-modeling progress from bluster tricky. Accordingly, security managers resist revisiting previously considered techniques until the community creates a demonstrably simpler, cheaper, or more scalable solution, often in product form. In the absence of such a threat-modeling tool, at least commercially, you might be tempted to carry on deferring.