Accession Number:



Threat Modeling: Evaluation and Recommendations

Descriptive Note:

Technical Report

Corporate Author:

Carnegie Mellon University Software Engineering Institute Pittsburgh United States

Report Date:


Pagination or Media Count:



Addressing cybersecurity for complex system, especially for cyber-physical system-of-systems CPSoS, requires a strategic view of and planning for the whole lifecycle of the system. For the purpose of this paper, system-of-systems is defined as a system, components of which operate and are man-aged independently 46. Thus, components of a system-of-system systems by themselves should be able to function fully and independently even when the system-of-systems is disassembled. Also, they typically are acquired separately and integrated later. Components of a system-of-systems may have physical, cyber, or mixed natures. For simplicity, we will use term cyber-physical system instead of cyber-physical system-of-systems. The nature of a cyber-physical system CPS implies a diversity of potential threats that can compromise its integrity, targeting different aspects ranging from purely cyber-related vulnerabilities to the safety of the system as a whole. The traditional approach used to tackle this matter is to employ one or more threat modeling methods TMMs early in the development cycle. Choosing a TMM can be a challenging process by itself. The TMM you choose should be applicable to your system and to the needs of your organization. Therefore, when preparing for the task it makes sense to answer two questions. First, what kind of TMMs exist and what are they And second, what criteria should a good TMM satisfy We explored answers to the first question in Threat Modeling A Summary of Available Methods 47. In this paper, we will address the second question and evaluate TMMs against the chosen criteria.

Subject Categories:

  • Administration and Management
  • Cybernetics

Distribution Statement: