Threat Assessment

Last updated on 2025-08-11 | Edit this page

Overview

Questions

  • What process do I follow to identify threats?

Objectives

  • Your group should identify some threats and discuss their risk and impact.

Introduction

You probably know that security is important. But how do you, as a developer, impact security? That first requires a different question: not how but what?

  • What should you be worried about?
  • What is likely to harm you, how would it happen?
  • If it involves external attackers, what do they want, how might they go about getting it and how much do we care?

Finding the answers to these questions is called “Threat assessment” or “threat modelling.” In this activity, we will do a light-weight exercise to introduce you to the concept of threat-modelling.

Step 1: Discuss & Ideate

Who might do what bad thing to whom?

PersonThingReason

Begin this section by thinking about the question above. Write down any combination of Person - Thing - Reason you can come up with on your worksheet. Feel free to write independently from the rest of your group.

Remeber that not every bad thing is malicious. Sometimes security or privacy issues happen due to accidents or misunderstandings. Discuss the issues amongst your group and gather as many completed threats as you can.

Step 2: Organize

Cluster the ‘post-its’ into ‘topics’ by posting related ones close together and duplicates on top of each other.

Step 3: Evaluation

This step identifies the most important threats.

  • Pick the threats (post-its) that are (a) most likely, and (b) most damaging1.
  • Place a black dot next to the each of the three you consider most likely;
  • Place a red dot next to the three you think are most damaging.

Step 4: Summary

Using the risk-impact grid, place a selection of the threats onto their appropriate space.

This information will be used for the Benefit Analysis section!

Callout

The risk-impact grid is an inaccurate way to assess risks; however it is easy to understand and use. More sophisticated teams may well use better approaches, but these are outside the scope of this workshop.

Key Points
  • Not all “bad things” are malicious, sometimes accidents happen.
  • Threats should be considered by their likeliness and impact.