Security threat modeling and analysis: A goal-oriented approach

Threat modeling provides a good foundation for the specification of security requirements during application development. When applied during the early phases of software development, threat modeling empowers developers in several ways. These range from verifying application architecture, identifying and evaluating threats, designing countermeasures, to penetration testing based on a threat model. There is however paucity of established techniques and tools for threat modeling and analysis. This paper proposes a goal-oriented approach to security threat modeling and analysis by using visual model elements to explicitly capture threat-related concepts. We introduce the notions of negative soft-goals for representing threats and inverse contributions for evaluating design alternatives during analysis, while adapting the formal semantics of the NFR Framework. An analysis procedure is also provided to guide context-sensitive selection of countermeasures. The significance of this approach derives from the strength of the underlining analysis framework. We illustrate this approach by modeling and analyzing the security threats of an online banking system.