Skip to content

adamshostack/4QuestionFrame

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 

Repository files navigation

Shostack's 4 Question Frame for Threat Modeling

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

These questions are designed to help people build better systems. They work less well for end-users of technology.

The authoritative reference is page 4, Threat Modeling: Designing for Security. I've evolved the questions since then. The changes include:

  • We has replaced you, to be inclusive and collaborative
  • "are" has replaced "should" in question 3, to be more focused on action
  • Simplified the wording.
  • I'll regularly ask "did we do a good enough job?" The goal is not to do a good job at threat modeling, but to drive improvement to a system.

Nuances

People will sometimes phrase the first question "what are we building" rather than working on. The "building" frame draws people towards a waterfall approach with the attendant problems.

In the Threat Modeling Manifesto, the team had a preference for adding the word "enough" to the 4th question: did we do a good enough job? I appreciate the lessened pressure, and miss the aspiration, and so keep the terse form here.

There's a 60 second video that introduces the questions. There's a 2024 whitepaper, "Understanding the Four Question Framework for Threat Modeling" at shostack.org/whitepapers/

Legalese, citations.

I'm told some lawyers have been concerned about quoting a complete thing, and asserted that it pushes at the limits of fair use to use all 23 of these words as a unit. If you need a license, please treat it as CC-BY. Please call it "Shostack's Four Question Frame for Threat Modeling," or "Shostack's Four Question Framework."

MLA formated cite is: Shostack, Adam. Threat Modeling: Designing For Security. John Wiley & Sons, 2014.

About

Shostack's 4 Question Frame for Threat Modeling

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published