Towards Security Threats that Matter

  • Katja TumaEmail author
  • Riccardo Scandariato
  • Mathias Widman
  • Christian Sandberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10683)


Architectural threat analysis is a pillar of security by design and is routinely performed in companies. STRIDE is a well-known technique that is predominantly used to this aim. This technique aims towards maximizing completeness of discovered threats and leads to discovering a large number of threats. Many of them are eventually ranked with the lowest importance during the prioritization process, which takes place after the threat elicitation. While low-priority threats are often ignored later on, the analyst has spent significant time in eliciting them, which is highly inefficient. Experience in large companies shows that there is a shortage of security experts, which have limited time when analyzing architectural designs. Therefore, there is a need for a more efficient use of the allocated resources. This paper attempts to mitigate the problem by introducing a novel approach consisting of a risk-first, end-to-end asset analysis. Our approach enriches the architectural model used during the threat analysis, with a particular focus on representing security assumptions and constraints about the solution space. This richer set of information is leveraged during the architectural threat analysis in order to apply the necessary abstractions, which result in a lower number of significant threats. We illustrate our approach by applying it on an architecture originating from the automotive industry.


Architectural threat analysis Security assets STRIDE 



This research was partially supported by the Swedish VINNOVA FFI project “HoliSec: Holistic Approach to Improve Data Security”.


  1. 1.
    Connected vehicle reference implementation architecture. Accessed 25 Aug 2017
  2. 2.
    E-safety vehicle intrusion protected applications. Accessed 25 Nov 2016
  3. 3.
    Heavens: Healing vulnerabilities to enhance software security and safety. Accessed 25 Nov 2016
  4. 4.
    Holisec: Holistiskt angreppssätt att förbättra datasäkerhet. Accessed 14 June 2017
  5. 5.
    Almorsy, M., Grundy, J., Ibrahim, A.S.: Automated software architecture security risk analysis using formalized signatures. In: Proceedings of the 2013 International Conference on Software Engineering, pp. 662–671. IEEE Press (2013)Google Scholar
  6. 6.
    Berger, B.J., Sohr, K., Koschke, R.: Automatically extracting threats from extended data flow diagrams. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 56–71. Springer, Cham (2016). CrossRefGoogle Scholar
  7. 7.
    Howard, M., Lipner, S.: The Security Development Lifecycle, vol. 8. Microsoft Press, Redmond (2006)Google Scholar
  8. 8.
    van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, ICSE 2004, pp. 148–157. IEEE Computer Society, Washington, DC (2004).
  9. 9.
    Lin, L., Nuseibeh, B., Ince, D., Jackson, M.: Using abuse frames to bound the scope of security problems. In: Proceedings 12th IEEE International Requirements Engineering Conference, pp. 354–355. IEEE (2004)Google Scholar
  10. 10.
    Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer Science & Business Media, Heidelberg (2010)zbMATHGoogle Scholar
  11. 11.
    Macher, G., Armengaud, E., Brenner, E., Kreiner, C.: A Review of threat analysis and risk assessment methods in the automotive context. In: Skavhaug, A., Guiochet, J., Bitsch, F. (eds.) SAFECOMP 2016. LNCS, vol. 9922, pp. 130–141. Springer, Cham (2016). CrossRefGoogle Scholar
  12. 12.
    Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: Sahara: a security-aware hazard and risk analysis method. In: 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 621–624. IEEE (2015)Google Scholar
  13. 13.
    McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: Proceedings 15th Annual Computer Security Applications Conference, (ACSAC 1999), pp. 55–64. IEEE (1999)Google Scholar
  14. 14.
    Rauter, T., Kajtazovic, N., Kreiner, C.: Asset-centric security risk assessment of software components. In: 2nd International Workshop on MILS: Architecture and Assurance for Secure Systems (2016)Google Scholar
  15. 15.
    Saini, V., Duan, Q., Paruchuri, V.: Threat modeling using attack trees. J. Comput. Sci. Coll. 23(4), 124–131 (2008)Google Scholar
  16. 16.
    Saitta, P., Larcom, B., Eddington, M.: Trike v. 1 methodology document [draft] (2005).
  17. 17.
    Scandariato, R., Walden, J., Joosen, W.: Static analysis versus penetration testing: a controlled experiment. In: 2013 IEEE 24th International Symposium on Software Reliability Engineering (ISSRE), pp. 451–460. IEEE (2013)Google Scholar
  18. 18.
    Scandariato, R., Wuyts, K., Joosen, W.: A descriptive study of Microsoft’s threat modeling technique. Requir. Eng. 20, 163–180 (2015)CrossRefGoogle Scholar
  19. 19.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12) (1999)Google Scholar
  20. 20.
    Shostack, A.: Threat Modeling: Designing for Security. Wiley, Indianapolis (2014)Google Scholar
  21. 21.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005). CrossRefGoogle Scholar
  22. 22.
    Tøndel, I.A., Jensen, J., Røstad, L.: Combining misuse cases with attack trees and security activity models. In: International Conference on Availability, Reliability, and Security, ARES 2010, pp. 438–445. IEEE (2010)Google Scholar
  23. 23.
    UcedaVelez, T., Morana, M.M.: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley, Hoboken (2015)CrossRefGoogle Scholar
  24. 24.
    Van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software, vol. 10. Wiley, Chichester (2009)Google Scholar
  25. 25.
    Wuyts, K., Scandariato, R., Joosen, W.: Empirical evaluation of a privacy-focused threat modeling methodology. J. Syst. Softw. 96, 122–138 (2014)CrossRefGoogle Scholar
  26. 26.
    Yu, H., Lin, C.W.: Security concerns for automotive communication and software architecture. In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 600–603. IEEE (2016)Google Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Katja Tuma
    • 1
    Email author
  • Riccardo Scandariato
    • 1
  • Mathias Widman
    • 2
  • Christian Sandberg
    • 3
  1. 1.University of GothenburgGothenburgSweden
  2. 2.Wireless CarGothenburgSweden
  3. 3.Volvo ABGothenburgSweden

Personalised recommendations