Expressive and Systematic Risk Assessments with Instance-Centric Threat Models

A threat modeling exercise involves systematically assessing the likelihood and potential impact of diverse threat scenarios. As threat modeling approaches and tools act at the level of a software architecture or design (e.g., a data flow diagram), they consider threat scenarios at the level of classes or types of system elements. More fine-grained analyses in terms of concrete instances of these elements are typically not conducted explicitly nor rigorously. This hinders (i) expressiveness, as threats that require articulation at the level of instances can not be expressed nor managed properly, and (ii) systematic risk calculation, as risk cannot be expressed and estimated with respect to instance-level properties. In this paper, we present a novel threat modeling approach that acts on two layers: (i) the design layer defines the classes and entity types in the system, and (ii) the instance layer models concrete instances and their properties. This, in turn, allows both rough risk estimates at the design-level, and more precise ones at the instance-level. Motivated by a connected vehicles application, we present the key challenges, the modeling approach and a tool prototype. The presented approach is a key enabler for more continuous and frequent threat (re-)assessment, the integration of threat analysis models in CI/CD pipelines and agile development environments on the one hand (development perspective), and in risk management approaches at run-time (operations perspective).