Threat Modeling Insider – April 2025

Threat Modeling Insider Newsletter

43rd Edition – April 2025

Welcome!

It’s time for another edition of our Threat Modeling Insider! This month’s guest article, Simple Threat Modeling: Four Principles to Accelerate Security at Scale by Dave Soldera, breaks down how to streamline your approach without sacrificing depth. Over on the Toreon blog, Sebastien Deleersnyder shares insights on How to Choose a Threat Modeling Training That Actually Works—because not all trainings are created equal.

That’s just a taste of what’s inside, so grab a coffee and let’s dive in!

On this edition

Tips & tricks
Data-flow diagrams explained

Training update
An update on our training sessions.

Guest article

Simple Threat Modeling: Four Principles to Accelerate Security at Scale

Simpler things scale better. The easier it is to do something, the more people will do it. We see this every day in obvious ways, whether it be people drinking out of cups as opposed to their hands, or riding bicycles instead of unicycles or tricycles. We also experience it in not-so-obvious ways with the success of systems like the Internet or the ability to fly just about anywhere in the world. What is perhaps counterintuitive is that a thing can be simple in some aspects and complicated in other ways, so from a functional perspective, international air travel is quite simple as a passenger, but from an operational perspective, it’s incredibly complicated. You might wonder, well, what does ‘simple’ even mean?

I started to explore the concept of ‘simple’ as a way to better justify decisions I was making about how I threat model. My initial interpretations are captured in a Threat Modeling Connect blog post and are based on a TED talk by Harvard chemistry professor George Whitesides, called Toward a science of simplicity (which I highly recommend). Since then, I’ve spent more time trying to leverage the ideas presented in the TED talk and expand upon the 4 properties of simple things in the context of threat modeling. The challenging part of this has been trying to really understand that ‘context’ for threat modeling because, as I said, ‘simple’ can mean different things, and it’s only by getting a deeper understanding of context that you can use the properties of simple things to make threat modeling simpler, and thus scale better.

The four properties of simple things

The four properties of simple things from the TED talk are:

  • A simple thing is cheap. It does not cost a lot in some sense, whether that is to use, operate, build, or in some other way.
  • A simple thing has a high value for its cost. It must offer sufficient value for a given cost, and the higher the value and the lower the cost, the better. Here, value can take on a variety of meanings.
  • A simple thing is predictable and reliable. Unpredictable and unreliable are properties of complex systems. No one wants to use something that is unpredictable or unreliable, and certainly not as a building block of a larger system.
  • A simple thing is a building block: it’s stackable and composable. The more purposes a thing can have, potentially beyond whatever it was designed for, the more foundational it can be and thus the more likely it is to be adopted as part of a larger system.

We want to understand these properties in the context of threat modeling, as that lets us focus on more specific ways we can adjust, optimize, improve, build, or change our threat modeling approach to make it simpler and scale better. It’s worth noting that the focus here is very much on the process of threat modeling itself, and not on the program management aspects of threat modeling that, of course, will also affect how it scales.

Firstly, what does ‘cheap’ mean in the context of threat modeling? I think about ‘cheap’ for threat modeling as minimising the cost: to people, to time, and to knowledge. A threat modeling activity that involves a room full of people is not as cheap as one that requires a single person, in terms of the opportunity cost of the time spent threat modeling. Likewise, if the information that is required to be gathered as part of the threat model includes more things than those that are essential, that is not as cheap as gathering the smallest set of information needed. Lastly, an activity that requires a lot of knowledge about the threat modeling process, or requires training, or requires low-level technical detail, or requires participants to be security experts, will always have a higher cost than an activity that minimizes the need for this knowledge.

What about ‘value’? What does that mean in the context of threat modeling? Value really depends on the situational context in which you are threat modeling, and knowledge of this context is always going to be required before we can decode what value means in any detail. Part of this requires knowing who will consume the output of threat modeling and understanding what they will find valuable. But a logical way, I would say, to think about value for threat modeling is as maximising the finding of relevant, actionable threats. Relevant means understanding what is important in the situational context (e.g., to a business), and actionable means delivering threats at the right time, at the right level, in the right amount, to the right people.

What about ‘predictable/reliable’? What does that mean in the context of threat modeling? For threat modeling, this is about maximising the predictability/reliability with regard to what input is needed, the process of threat modeling, and the output generated. I find it is better to think about this property as ensuring there are no barriers to adoption. When developers (or whoever threat models) know what they are expected to provide in terms of input (e.g. information required), how the process will work (e.g. content to produce, time it will take, etc.), and the output generated (e.g. threat and risk details, integration with existing systems/processes, types of threats and level of coverage and assurance, etc.), then developers can more easily integrate and operate the threat modeling process as part of their software lifecycle.

Lastly, what does ‘composable’ mean in the context of threat modeling? The most straightforward way to interpret composable is how well threat modeling can feed into other processes, and whether other processes can rely on the threat modeling activity, so the activity becomes essential to them. Predicting what any other process might ask of threat modeling is a challenge, but there are some obvious ones we can keep in mind, such as creating security tests, or informing penetration testing, or any software development lifecycle activity that usually occurs after threat modeling. Generally speaking, by serving its purpose of finding relevant, actionable threats and making these available in as convenient a way as possible, threat modeling can be used by a variety of stakeholders, from other security team members to developers, managers, auditors, customers, etc.

When you start to break down the context of threat modeling using ‘simple’ as a framework, there is certainly a lot to consider! I think this quote from Steve Jobs captures this nicely:

Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it’s worth it in the end because once you get there, you can move mountains.

Getting to ‘simple’ is not supposed to be easy, but the rewards are there for anyone willing to risk the journey. The blog post I previously mentioned talks more about my journey and gives examples of how my approach to threat modeling aligns with the properties of simplicity.

Hopefully, by casting threat modeling through the lens of simplicity and digging into what simple means in the context of threat modeling, I’ve given you a fresh perspective from which to view your own threat modeling approach, and a way for you to navigate your own journey to making your threat modeling “simpler” and more scalable.

CURATED CONTENT

Handpicked for you

Toreon Blog: How to Choose a Threat Modeling Training That Actually Works

For security-minded architects or professionals like yourself, the challenge isn’t convincing leadership that training is necessary. The challenge is finding training that doesn’t waste time, fits real-world systems, and actually empowers teams to do threat modeling independently, consistently, and effectively.

In this blog, we walk through the key criteria you need to evaluate before investing in a threat modeling training. Whether you’re scaling a security program or rolling out secure-by-design development across teams, this guide will help you make the right choice.

Evaluating potential cybersecurity threats of advanced AI

Google DeepMind has developed a framework to assess how advanced AI could potentially be used to enhance cyberattacks, analyzing over 12,000 real-world attack attempts to understand potential risks and vulnerabilities.

Securing AI with Secure by Design Practices

How are your teams really using LLMs, and are you effectively training and empowering them to secure output from these models?
 
Watch this video with two AI and compliance experts, as we navigate common security questions for Artificial Intelligence. The session was facilitated by Claire Allen-Addy, Head of Product Marketing at IriusRisk, and included insights from Sebastien Deleersnyder and Brandon Green, Senior Solution Architect at IriusRisk.

TIPS & TRICKS

Data-flow diagrams explained

Discover how Data-Flow Diagrams (DFDs) simplify complex systems by visually mapping out how data moves through a process. Whether you’re a developer or a stakeholder, DFDs offer an easy-to-understand blueprint of system inputs, outputs, and workflows—without the noise of decision logic. Learn how leveling and decomposition techniques reveal both the big picture and the fine details of any system.

Our trainings & events for 2025

Book a seat in our upcoming trainings & events

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by NorthSec, Montreal

10-11 May 2025

Hands-on Threat Modeling AI (NEW TRAINING), in-person, hosted by OWASP Global AppSec, Barcelona

27-28 May 2025

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat USA, Las Vegas 

2-5 August 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 18 August 2025

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, OWASP Global AppSec, Washington DC

4-5 November 2025
