Threat modeling and the CISSP

February 3, 2025 by Jeff Peters

Organizations face increasingly sophisticated cyber threats targeting their data and information systems. Understanding and applying threat modeling has become essential for the CISSP certification, now appearing in both Domain 1 (Security and Risk Management) and Domain 3 (Security Architecture and Engineering) of the 2024 exam update. 

Even companies with robust security programs can fall victim to cyberattacks. Simply following compliance standards often proves insufficient against sophisticated threats. As of 2025, CISSP remains the most requested cybersecurity certification in U.S. job listings, making it crucial for security professionals to master concepts like threat modeling. 

For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Understanding threat modeling 

Before developing a comprehensive security strategy, security professionals must understand two fundamental components of risk in their environment: 

  • Risk stems from threats to the organization
  • Threats target valuable resources

Threat modeling provides a structured approach to identifying, quantifying and addressing threats. This systematic process helps security teams communicate potential damage from security flaws and prioritize remediation efforts. The CISSP exam tests threat modeling concepts in two key areas: 

  • Domain 1 (Security and Risk Management): Understanding and applying threat modeling concepts and methodologies (Objective 1.10) 
  • Domain 3 (Security Architecture and Engineering): Implementing threat modeling as part of secure design principles (Objective 3.1) 

In threat modeling, we examine three main elements: 

  1. Assets: What valuable data and equipment should be secured? 
  2. Threats: What might attackers do to the system? 
  3. Vulnerabilities: What system flaws could allow threats to materialize? 

Organizations face threats at different layers of their environment. The three primary layers of threat targets are: 

  • Network: Threats include spoofed packets and malicious network traffic. 
  • Host: Threats include buffer overflow attacks and malicious files. 
  • Application: Threats include SQL injection, cross-site scripting (XSS) and input tampering. 

Who performs threat modeling and when? 

Ideally, threat models should be created during system design before any deployment. However, in practice, organizations often create threat models for existing systems as part of their maintenance cycle. System designers with security experience are typically best positioned to identify potential threats. 

The threat modeling process 

A successful threat model follows a systematic, repeatable process that security professionals can apply across different systems and scenarios. When preparing for the CISSP exam, understanding each step of this process helps you apply threat modeling both in test scenarios and real-world situations. Modern security teams typically execute these steps iteratively, refining their model as they gather new information about threats and vulnerabilities. Let's examine each step in detail: 

1. Identify the assets 

Before you can protect your resources, you need a complete inventory of what needs protection. This inventory should focus not just on obvious assets like databases but also on all potential targets within your system: 

  • Document entry and exit points 
  • Catalog system assets and resources 
  • Define trust levels and access categories 

2. Describe the architecture 

Understanding your system's architecture reveals potential weak points and attack surfaces. This step requires detailed documentation of all system components: 

  • Detail software framework and versions 
  • Document architectural components 
  • Map system dependencies and interactions 

3. Break down the applications 

Applications rarely exist in isolation. Analyzing how different components interact helps identify vulnerable interfaces and data flows: 

  • Analyze all sub-processes 
  • Identify process boundaries 
  • Map data flows between components 

4. Identify the threats 

With a clear understanding of your system, you can begin cataloging potential threats. This step requires thinking like both a defender and an attacker:

  • List threats in descriptive detail 
  • Consider multiple attack vectors 
  • Document potential impact 

5. Document and classify the threats 

Microsoft's STRIDE model provides a comprehensive framework for categorizing different types of threats that could affect your system: 

  • Spoofing Identity 
  • Tampering with Data 
  • Repudiation 
  • Information Disclosure 
  • Denial of Service 
  • Elevation of Privilege 

6. Rate the threats 

DREAD, a standardized methodology created by Microsoft, helps security professionals quantify and prioritize threat severity. Each quality is rated on a scale developed for your specific project; most organizations find a scale of 1-3 sufficient for practical threat assessment. In the scale below, 1 is the most severe rating and 3 the least:

  • Damage Potential: How severe could an exploit be? 
    • 1: Attacker can retrieve extremely sensitive data and corrupt or destroy data 
    • 2: Attacker can retrieve sensitive data but do little harm 
    • 3: Attacker can only retrieve data that has little or no potential for harm 
  • Reproducibility: How reliably can the flaw be exploited? 
    • 1: Works every time; no special timing or conditions needed 
    • 2: Timing-dependent; works only within a specific time window 
    • 3: Rarely works, requires very specific circumstances 
  • Exploitability: How complex is the attack process? 
    • 1: Just about anyone could do it 
    • 2: Attacker must be somewhat knowledgeable and skilled 
    • 3: Attacker must be very knowledgeable and skilled 
  • Affected Users: What's the scope of impacted users? 
    • 1: Most or all users 
    • 2: Some users 
    • 3: Few, if any, users 
  • Discoverability: How easily can attackers find this vulnerability? 
    • 1: Attacker can easily discover the vulnerability 
    • 2: Attacker might discover the vulnerability 
    • 3: Attacker will have to dig to discover the vulnerability 

By assigning scores in each category, you can prioritize which threats require immediate attention and which pose less urgent risks to your system. 
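The following sketch is an added example, not code from the article or from Microsoft. It rates threats on the 1-3 scale listed above and ranks them for remediation. Because 1 is the worst case on this scale, the lowest DREAD total ranks first; the class names, the equal weighting of the five factors and the sample ratings are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Stride(Enum):
    SPOOFING = "Spoofing Identity"
    TAMPERING = "Tampering with Data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DENIAL_OF_SERVICE = "Denial of Service"
    ELEVATION = "Elevation of Privilege"

DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: tuple          # one or more Stride members
    ratings: dict          # DREAD factor -> 1..3 on the article's scale
    mitigated: bool = False

    def __post_init__(self):
        if set(self.ratings) != set(DREAD_FACTORS):
            raise ValueError(f"{self.name}: need exactly {DREAD_FACTORS}")
        if any(r not in (1, 2, 3) for r in self.ratings.values()):
            raise ValueError(f"{self.name}: ratings must be 1, 2 or 3")

    @property
    def score(self) -> int:
        # Article's scale: 1 is the worst case, so a LOWER total is MORE urgent.
        return sum(self.ratings.values())

def prioritize(threats):
    """Unmitigated threats first, then lowest (most severe) DREAD total."""
    return sorted(threats, key=lambda t: (t.mitigated, t.score, t.name))

def rate(d, r, e, a, disc):
    return dict(zip(DREAD_FACTORS, (d, r, e, a, disc)))

# Constructed sample threats and ratings (hypothetical, not from the article).
SAMPLE = [
    Threat("Reflected XSS in search box", (Stride.TAMPERING,), rate(2, 1, 2, 2, 2)),
    Threat("SQL injection on login form", (Stride.TAMPERING, Stride.ELEVATION), rate(1, 1, 1, 1, 2)),
    Threat("Spoofed packets at the perimeter", (Stride.SPOOFING,), rate(3, 2, 3, 3, 3), mitigated=True),
    Threat("Audit log tampering", (Stride.REPUDIATION,), rate(1, 3, 3, 1, 3)),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"{t.score:>2}  mitigated={t.mitigated!s:<5}  {t.name}")
```

If your project defines the scale the other way round (3 as the worst case), reverse the sort on the score so the ranking still puts the most severe threat first.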

Real-world example: Data collection web application 

To illustrate how threat modeling works in practice, let's examine a corporate web application that handles sensitive user data. This example demonstrates applying the threat modeling process to a common business scenario. 

Initial architecture assessment 

The application stack consists of: 

  • Web Application built in ASP.Net 
    • Handles user authentication 
    • Manages session states 
    • Processes user data modifications 
  • Database Server (SQL Server 2000) 
    • Stores user credentials 
    • Contains personal user information 
    • Maintains audit logs 

Critical assets identified 

Through careful analysis, we identified four key asset categories requiring protection: 

  • User Login Credentials 
    • Username/password combinations 
    • Password reset mechanisms 
    • Multi-factor authentication data 
  • Personal User Information 
    • Personally identifiable information (PII) 
    • User preferences and settings 
    • Historical data 
  • Administrative Resources 
    • Management interfaces 
    • Configuration settings 
    • Access control lists 
  • System Hardware 
    • Application servers 
    • Database servers 
    • Network infrastructure 

Documenting threats using Microsoft's template 

When documenting threats for this application, Microsoft's threat reporting template provides a structured format: 

  • ID: Unique ID # of the threat 
  • Name: Brief name of the asset threat 
  • Description: Detailed description of the threat and its importance 
  • STRIDE: How can we classify this threat? 
  • Mitigated: Is the application safe from this threat? 
  • Known Mitigation: How can we protect against the threat? 
  • Investigation Notes: What do we know about this threat so far? 
  • Entry Points: What possible means does an adversary have? 
  • Assets: What assets could be damaged? 
  • Threat Tree: How can we visualize the threat? (Optional) 

Sample threat documentation: 

  • ID: 1 
  • Name: Login Subversion 
  • Description: An adversary tries to inject SQL commands through a request into the application to circumvent the login process 
  • STRIDE Classification: Tampering with data, elevation of privilege 
  • Mitigated: No 
  • Known Mitigation: Stored procedures, parameterized queries 
  • Investigation Notes: The application's database calls were reviewed, and the login query was found to be built with string concatenation 
  • Entry Point: Login Page 
  • Assets: Access to the backend database 
  • Threat Tree: None 
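
The finding and the known mitigation in this sample record, shown side by side as an added example (not code from the article or the application it describes). Python's sqlite3 stands in for the ASP.Net and SQL Server stack; the table layout, function names, stored verifier and probe value are constructed assumptions.

```python
import sqlite3

VALID = "constructed-verifier-for-alice"   # stand-in for a stored password hash
PROBE = "' OR '1'='1"                      # constructed quote-bearing test input

def make_db():
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, verifier TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", VALID))
    return db

def login_concatenated(db, username, verifier):
    # The finding: request values are pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND verifier = '" + verifier + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, verifier):
    # The known mitigation: the statement text is fixed and the values are
    # bound separately, so they are only ever compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND verifier = ?"
    return db.execute(sql, (username, verifier)).fetchone()[0] > 0

def is_mitigated(login_fn):
    """Regression check that could back the template's 'Mitigated' field."""
    db = make_db()
    try:
        if not login_fn(db, "alice", VALID):   # the real user must still get in
            return False
        return not login_fn(db, "alice", PROBE)
    except sqlite3.Error:
        return False   # input altered the statement's syntax: still injectable

if __name__ == "__main__":
    for fn in (login_concatenated, login_parameterized):
        print(f"{fn.__name__}: Mitigated = {'Yes' if is_mitigated(fn) else 'No'}")
```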

Building effective threat modeling 

Threat modeling has become integral to both the CISSP exam and real-world security practices. As organizations face increasingly sophisticated threats, the ability to systematically identify, analyze and mitigate potential security issues becomes crucial. Whether you're preparing for the CISSP exam or working to secure your organization's assets, mastering threat modeling provides a foundation for proactive security. 


Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.