Other
Threat Modeling the Enterprise
AMCIS 2008 Proceedings
  • Jeffrey A. Ingalsbe, Ford Motor Company
  • Dan Shoemaker, University of Detroit - Mercy
  • Nancy R. Mead, SEI/CMU
  • Antonio Drommi, University of Detroit - Mercy
Publication Date
1-1-2008
Abstract

Current threat modeling methodologies and tools are biased toward systems under development. Meanwhile, organizations whose IT portfolio is made up of a large number of legacy systems that run on fundamentally different and incongruous platforms, with little or no documentation, are left with few options. Rational, objective analysis of threats to assets and exploitable vulnerabilities requires the portfolio to be represented in a consistent and understandable way, based on a systematic, prescriptive, collaborative process that is usable but not burdensome. This paper describes a way to represent an IT portfolio from a security perspective using UML deployment diagrams and, subsequently, a process for threat modeling within that portfolio. To accomplish this, the UML deployment diagram was extended, a template created, and a process defined.

Citation Information
Jeffrey A. Ingalsbe, Dan Shoemaker, Nancy R. Mead and Antonio Drommi. "Threat Modeling the Enterprise" (2008)
Available at: http://works.bepress.com/dan_shoemaker/9/