In his brand-new whitepaper, “Inherent Threats“, Adam focuses on the threats that are inherent to a system. As he considers the things that can go wrong with a system and what to do about them, an important aspect of threats starts to emerge. Some threats are easily fixed, but others are not, leading to frustration and confusion. The same questions are being asked, but strangely different answers are being reached. 

To assist cybersecurity professionals in being specific about why they’re receiving these different answers, it’s crucial to understand whether threats are inherent to the system. For instance, a money-moving app could be misused to transfer funds to the wrong place, at the wrong time, or in the incorrect amount. Adam’s whitepaper illuminates why some threats are easy to address and why others are not, along with the strategies that can aid in tackling these complex mitigations. 

He delves deep into assessing threats across a spectrum and the tradeoffs inherent to defense, but for the moment, he concentrates on the inherent-essential relationship. When a threat is tied to the essence of a system, protective measures cannot be perfect or complete, leading to an increase in detective and responsive controls as a proportion of investments. 

Understanding these tradeoffs enhances threat modeling in two significant ways. First, it leads to more in-depth threat modeling as efforts are made to specify answers to “what are we going to do about it?” Second, it aids in considering inherent threats when scaling threat modeling across hundreds or thousands of systems, allowing for prioritization of what gets attention first.  We encourage checking out the complete whitepaper.