3. Threat modeling (STRIDE, PASTA, LINDDUN)
Threat modeling is one of the most critical—and most misunderstood—disciplines in cybersecurity. While many practitioners associate it primarily with application security or software design, threat modeling is fundamentally a risk analysis activity. It provides a structured, repeatable way to identify how systems can be attacked, what assets are at risk, and which threats matter most in a given business and operational context.
In modern cyber risk management, threat modeling acts as the bridge between abstract risk frameworks and technical reality. Quantitative risk assessment methods such as FAIR require a clear understanding of threat scenarios, attack paths, and control weaknesses. Without threat modeling, risk assessments become speculative and disconnected from real attacker behavior.
This chapter introduces three widely used threat modeling frameworks—STRIDE, PASTA, and LINDDUN—and explains how they support cyber risk management, incident response readiness, forensic analysis, and strategic decision-making.
Threat Modeling in the Context of Cyber Risk
At its core, threat modeling answers four essential questions:
- What are we building or protecting?
- What can go wrong?
- How likely is it to happen?
- What are we going to do about it?
From a risk management perspective, threat modeling is not about predicting exact attacks, but about systematically reducing uncertainty. It identifies credible threat scenarios that can later be analyzed probabilistically, quantified financially, and prioritized for mitigation.
Threat modeling also creates a shared language between:
- Security engineers
- Developers
- Risk analysts
- Incident responders
- Business stakeholders
This shared understanding is critical in large organizations where security decisions must scale across teams and systems.
Relationship Between Threat Modeling and Incident Response
Threat modeling is deeply informed by real-world incidents. Lessons learned from incident response, forensic investigations, and malware analysis provide empirical evidence about:
- How attackers actually behave
- Which attack vectors are most effective
- Where detection and response fail
Conversely, threat modeling improves incident response by:
- Identifying likely attack paths in advance
- Informing detection use cases
- Supporting tabletop exercises and contingency planning
Organizations that treat threat modeling as a purely theoretical exercise often fail to capture this feedback loop.
Overview of Major Threat Modeling Frameworks
While many threat modeling approaches exist, STRIDE, PASTA, and LINDDUN represent three distinct philosophies:
- STRIDE: A system-centric, taxonomy-driven approach
- PASTA: A risk-driven, attacker-focused methodology
- LINDDUN: A privacy-centric threat modeling framework
Each framework serves different objectives and should be selected based on organizational needs, system context, and regulatory requirements.
STRIDE: A System-Centric Threat Classification Model
- Origins and Purpose
STRIDE was originally developed by Microsoft as a way to systematically identify security threats during software design. It focuses on categorizing threats based on violations of core security properties.
STRIDE is especially effective for:
- Early-stage system design
- Architecture reviews
- Secure software development lifecycle (SSDLC)
- The STRIDE Categories Explained
STRIDE is an acronym representing six threat classes:
- Spoofing: Impersonating identities
- Tampering: Unauthorized modification of data or code
- Repudiation: Denying actions without accountability
- Information Disclosure: Unauthorized access to sensitive data
- Denial of Service: Disrupting system availability
- Elevation of Privilege: Gaining unauthorized capabilities
Each category maps directly to security objectives such as authentication, integrity, confidentiality, availability, and authorization.
- Applying STRIDE in Practice
STRIDE is typically applied to:
- Data flow diagrams (DFDs)
- Trust boundaries
- System components
For each component and data flow, analysts systematically ask how each STRIDE threat could manifest. This approach ensures broad coverage but does not inherently prioritize threats based on business impact.
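The per-element questioning described above, as an added example that is not part of the original chapter: it walks a small constructed data flow diagram and lists, for each element, the STRIDE categories to ask about. The element-type chart is the commonly used STRIDE-per-element mapping; that chart, the sample diagram, the zone names and the boundary-first ordering are assumptions of this example.

```python
from dataclasses import dataclass

# STRIDE-per-element chart (assumption: the commonly used mapping of DFD
# element types to applicable categories; the chapter itself gives none).
# Repudiation on a data store matters mainly when the store holds logs.
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # a key of APPLICABLE
    zone: str = ""   # trust zone (entities, processes, data stores)
    src: str = ""    # data flows only: name of the source element
    dst: str = ""    # data flows only: name of the destination element

def enumerate_threats(elements):
    """Return one row per (element, STRIDE category) question to ask.

    Rows for flows whose endpoints lie in different trust zones come first.
    """
    zones = {e.name: e.zone for e in elements if e.kind != "data_flow"}
    rows = []
    for e in elements:
        crosses = e.kind == "data_flow" and zones[e.src] != zones[e.dst]
        for letter in APPLICABLE[e.kind]:
            rows.append({"element": e.name, "threat": NAMES[letter],
                         "crosses_boundary": crosses})
    # Stable sort: boundary-crossing flows first, input order otherwise.
    return sorted(rows, key=lambda r: not r["crosses_boundary"])

# Constructed sample DFD: browser -> web app -> database -> report job.
SAMPLE_DFD = [
    Element("browser", "external_entity", zone="internet"),
    Element("web_app", "process", zone="dmz"),
    Element("orders_db", "data_store", zone="internal"),
    Element("report_job", "process", zone="internal"),
    Element("login_request", "data_flow", src="browser", dst="web_app"),
    Element("sql_query", "data_flow", src="web_app", dst="orders_db"),
    Element("report_read", "data_flow", src="orders_db", dst="report_job"),
]

if __name__ == "__main__":
    for row in enumerate_threats(SAMPLE_DFD):
        flag = "BOUNDARY" if row["crosses_boundary"] else "        "
        print(f'{flag}  {row["element"]:<14} {row["threat"]}')
```

Seven elements already yield 27 questions, which illustrates why the output needs separate prioritization by business impact.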
- Strengths and Limitations of STRIDE
Strengths:
- Simple and easy to teach
- Works well for beginners
- Encourages comprehensive coverage
Limitations:
- Lacks built-in risk prioritization
- Can generate large volumes of low-impact threats
- Less aligned with attacker motivation
STRIDE is best used as a foundational threat identification tool, not a standalone risk management solution.
PASTA: Process for Attack Simulation and Threat Analysis
- Risk-Driven Philosophy
PASTA was designed explicitly to align threat modeling with business risk management. Unlike STRIDE, which focuses on threat categories, PASTA emphasizes:
- Business objectives
- Attackers’ goals
- Real-world attack scenarios
PASTA is particularly well-suited for organizations performing quantitative risk analysis and executive-level reporting.
- The Seven Stages of PASTA
PASTA follows a structured, multi-stage process:
- Define Business Objectives
- Define Technical Scope
- Application Decomposition
- Threat Analysis
- Vulnerability Analysis
- Attack Modeling and Simulation
- Risk and Impact Analysis
Each stage builds progressively from business context to technical detail and ultimately to risk quantification.
- PASTA and Quantitative Risk Assessment
PASTA integrates naturally with FAIR by:
- Defining threat event frequency
- Identifying loss event scenarios
- Supporting probabilistic modeling
Attack simulations in PASTA help analysts estimate likelihood and impact using evidence rather than assumptions.
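An added example, not part of the original chapter, of the probabilistic modeling this section refers to: a Monte Carlo estimate of annual loss for one scenario, using FAIR's relation that loss event frequency is threat event frequency times vulnerability. The triangular distributions, the scenario figures and the function names are assumptions chosen for illustration.

```python
import random
import statistics

def simulate_annual_loss(tef, vulnerability, loss, trials=10_000, seed=1):
    """Monte Carlo estimate of annual loss for one threat scenario.

    tef           -- (low, mode, high) threat events per year
    vulnerability -- probability that a threat event becomes a loss event
    loss          -- (low, mode, high) loss per loss event, currency units
    Triangular distributions stand in for calibrated estimates (assumption).
    """
    rng = random.Random(seed)  # seeded so that runs are reproducible
    t_low, t_mode, t_high = tef
    l_low, l_mode, l_high = loss
    annual = []
    for _ in range(trials):
        threat_events = round(rng.triangular(t_low, t_high, t_mode))
        # Each threat event becomes a loss event with p = vulnerability.
        loss_events = sum(rng.random() < vulnerability
                          for _ in range(threat_events))
        annual.append(sum(rng.triangular(l_low, l_high, l_mode)
                          for _ in range(loss_events)))
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "median": annual[trials // 2],
        "p90": annual[int(trials * 0.9)],
        "p_no_loss": annual.count(0) / trials,  # share of loss-free years
    }

# Constructed scenario for a customer-facing application; every figure
# here is illustrative and does not come from the chapter.
SCENARIO = {"tef": (2, 6, 20), "loss": (20_000, 80_000, 500_000)}

def compare_controls(before=0.30, after=0.10):
    """Same scenario under two vulnerability estimates (weaker/stronger control)."""
    return (simulate_annual_loss(vulnerability=before, **SCENARIO),
            simulate_annual_loss(vulnerability=after, **SCENARIO))

if __name__ == "__main__":
    for label, result in zip(("before", "after"), compare_controls()):
        print(label, {k: round(v, 3) for k, v in result.items()})
```

The difference between the two means is the annual risk reduction attributable to the control, which can be set against the control's cost.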
- Strengths and Limitations of PASTA
Strengths:
- Strong business alignment
- Supports quantitative analysis
- Focuses on attacker behavior
Limitations:
- More complex and resource-intensive
- Requires cross-functional collaboration
- Steeper learning curve for beginners
PASTA is most effective in mature organizations with established risk management processes.
LINDDUN: Privacy-Focused Threat Modeling
- Privacy as a Risk Domain
With increasing regulatory pressure and public concern over data misuse, privacy risk has become a central component of cyber risk management. LINDDUN addresses this need by focusing explicitly on privacy threats.
- The LINDDUN Threat Categories
LINDDUN stands for:
- Linkability
- Identifiability
- Non-repudiation
- Detectability
- Information Disclosure
- Unawareness
- Non-compliance
These categories align with privacy principles found in regulations such as GDPR and data protection standards.
- Applying LINDDUN in Practice
LINDDUN is often applied to:
- Data processing workflows
- Personal data flows
- Privacy impact assessments (PIAs)
It is especially relevant for systems handling sensitive personal or behavioral data.
- Strengths and Limitations of LINDDUN
Strengths:
- Explicit privacy focus
- Regulatory alignment
- Complements security threat modeling
Limitations:
- Narrower scope than STRIDE or PASTA
- Requires privacy expertise
- Less focused on traditional cyber attacks
LINDDUN should be used alongside, not instead of, security-focused models.
Integrating Threat Modeling with Malware and Forensics Insights
Threat modeling becomes significantly more accurate when informed by:
- Malware reverse engineering findings
- Memory forensics
- Post-incident root cause analysis
For example, forensic evidence may reveal persistence mechanisms or lateral movement techniques that were not previously considered in threat models.
Threat Modeling and Contingency Planning
Threat modeling supports contingency planning as outlined in NIST SP 800-34 by:
- Identifying critical failure scenarios
- Supporting recovery strategy design
- Informing business impact analysis
This ensures that continuity plans are aligned with realistic threat scenarios rather than hypothetical disasters.
Mapping Threat Models to Risk Frameworks
Threat modeling outputs feed directly into:
- FAIR risk scenarios
- Probabilistic risk models
- Control effectiveness assessments
Without well-defined threat scenarios, quantitative risk assessments lack credibility.
Common Pitfalls in Threat Modeling
Organizations often struggle with:
- Treating threat modeling as a one-time activity
- Over-focusing on technical detail
- Failing to involve business stakeholders
- Ignoring attacker economics and incentives
Effective threat modeling is iterative, collaborative, and evidence-driven.
Teaching Threat Modeling to Beginners
For students and newcomers, threat modeling builds critical skills:
- Structured thinking
- System analysis
- Adversarial reasoning
- Risk-based prioritization
Starting with STRIDE and progressively introducing PASTA and LINDDUN provides a natural learning progression.
Threat Modeling as a Strategic Capability
In mature organizations, threat modeling evolves from a technical exercise into a strategic capability that informs:
- Security architecture decisions
- Investment prioritization
- Executive risk reporting
- Regulatory compliance
Future Trends in Threat Modeling
Emerging developments include:
- Automated threat modeling tools
- Integration with CI/CD pipelines
- AI-assisted attack path analysis
- Continuous threat model updates
These trends will further embed threat modeling into daily security operations.
Threat Modeling as the Foundation of Cyber Risk Intelligence
Threat modeling is not merely about identifying vulnerabilities—it is about understanding adversarial risk in context. Frameworks such as STRIDE, PASTA, and LINDDUN each offer valuable perspectives, and their combined use enables organizations to move from reactive security to proactive, risk-informed decision-making.
For cybersecurity professionals, mastering threat modeling represents a critical step toward becoming effective risk analysts, security architects, and strategic advisors in an increasingly complex digital world.