
Build your First Threat Model

 

(Useful naming conventions and boot-strap tips aggregated from the PTA FAQ page)

By Menachem Lidor - PTA Support

1. Use a PTA sample project as a starting point

When starting your first threat model, it may be productive to use one of the PTA sample models as a baseline. The sample threat models reside in the Samples folder under the installation root folder (C:\Program File\PTA\Samples if you chose the default installation value at install time).

My recommended sample is the Currency Rates threat model, since it is relatively simple yet comprehensive enough to serve as a starting point. Open the sample's CurrencyRates.thm file using the File | Open PTA Project dialog. Then save the project under a new name, preferably in a dedicated working folder, using the File | Save As option. It is also worth updating the new project's properties through the Set Project Properties link under File | Project Properties.

A popular approach for a starter is to use the sample's threat model entities (assets, threats, vulnerabilities etc.) as a baseline for alteration, replacement and editing. Best practice is to edit the entities' text fields and enter your own titles and descriptions in place of the existing ones. More on that is given in tip number 3.

2. Organize the relevant Risk Assessment documents

The PTA Professional Edition tool supports binding additional unstructured information, as Attachments | Documents, that is relevant to the threat analysis and risk assessment process. It is recommended that you organize the needed documents (security notes, standards specifications, development details, design schemes, operational workflow, relevant regulations, liability considerations, HR data etc.) and put them in your new project folder from day one. The documents can later be attached to the relevant model entities and help you validate your model parameters.

3. Syntax Naming Conventions for the Titles of the Threat Model Entities

Assets - define your assets as Nouns - they are the things whose damage you will feel, e.g. “The availability of the company’s Web site” (if the site is down you lose money!).

Countermeasures are mitigating activities, either corrective or preventive. That is why each countermeasure title should contain a Verb e.g. “Install and configure a firewall”.

Vulnerabilities are those static weaknesses, limitations or defects in your system that are waiting to be exploited, therefore their titles should have a Static descriptive nature e.g. “The Web server is vulnerable to access from the Internet”.

Threats are attack scenarios that exploit vulnerabilities to damage assets. From our experience, when a threat is formulated in a "literary" way - a simple Story - it is easier for a non-technical audience to grasp it (and approve the budget…;-). It helps if the potential attackers and the attack entry points are part of the threat title, e.g. “A hacker damages the company’s Web site pages by exploiting the fact that the Web server is exposed to the Internet”.

4. Start with a simple Work-flow when entering your threat model entities

Keep it simple - The following recipe may look a little counter-intuitive but if you follow the data entry order it will save you grief.

a) - Define your assets.

b) - Define countermeasures.

c) - Define vulnerabilities.

d) - Assign countermeasures to each vulnerability. The associated countermeasures should be those that reduce the chances that the vulnerability will be exploited.

e) - Define threats as attack scenarios that exploit vulnerabilities to damage assets. Note that a threat in the PTA model is a specific scenario or a sequence of actions that exploits a given set of vulnerabilities (one or more) and may cause damage to a given set of the system’s assets (one or more). The important point here is that a specific threat scenario is bundled with the set of assets it threatens as well as with the set of vulnerabilities it exploits. 

Repeat the process until you're satisfied with the results.

5. Do not struggle with Assets Monetary Values, Threats Probabilities, Levels of Damage and all other quantitative parameters

Measuring the value of assets in monetary values is one of the most important issues in the PTA calculative foundation. The same is true when estimating the probability that a threat will materialize (presented in PTA by the traditional ARO - Annual Rate of Occurrence parameter). Assigning monetary values and probabilities is non-trivial educated guesswork which depends heavily on the existence of historical data and on the quality of that data. This also applies to all other quantitative parameters, such as Levels of Damage, Levels of Mitigation and the like, needed for the proper functioning of the PTA calculative threat modeling methods.

My tip: do not struggle with these issues in your first sessions. Since monetary values, threats' probabilities and all other parameters can be easily changed, and each change causes the whole threat model to update automatically, you may establish the preliminary threat model by entering roughly estimated values and then refine them according to more accurate data gathered along the risk assessment feedback process.
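The data-entry order of tip 4 and the rough-then-refine estimates of tip 5, sketched as an added example (it is not PTA code and does not use PTA's file format). The class and method names are hypothetical, the figures are constructed, and the loss estimate is the traditional ARO times single-loss product, assumed here rather than taken from PTA's own calculation.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    title: str
    aro: float      # Annual Rate of Occurrence (expected events per year)
    damage: dict    # asset title -> level of damage, 0.0..1.0
    exploits: list  # titles of the vulnerabilities this scenario uses

@dataclass
class ThreatModel:
    assets: dict = field(default_factory=dict)           # title -> monetary value
    countermeasures: set = field(default_factory=set)    # titles
    vulnerabilities: dict = field(default_factory=dict)  # title -> countermeasure titles
    threats: dict = field(default_factory=dict)          # title -> Threat

    def add_vulnerability(self, title, mitigated_by):
        # Step d: only countermeasures defined in step b can be assigned.
        unknown = set(mitigated_by) - self.countermeasures
        if unknown:
            raise ValueError(f"undefined countermeasures: {sorted(unknown)}")
        self.vulnerabilities[title] = list(mitigated_by)

    def add_threat(self, threat):
        # Step e: a threat is bundled with existing assets and vulnerabilities.
        unknown = (set(threat.damage) - set(self.assets)) | (
            set(threat.exploits) - set(self.vulnerabilities))
        if unknown or not threat.damage or not threat.exploits:
            raise ValueError(f"threat needs defined assets and vulnerabilities: {sorted(unknown)}")
        self.threats[threat.title] = threat

    def annual_loss(self, title):
        # Assumed ALE-style estimate: ARO x sum(asset value x level of damage).
        t = self.threats[title]
        return t.aro * sum(self.assets[a] * lvl for a, lvl in t.damage.items())

    def countermeasures_for(self, title):
        # Countermeasures reach a threat only through the vulnerabilities it exploits.
        return sorted({c for v in self.threats[title].exploits for c in self.vulnerabilities[v]})

def build_sample():
    # Constructed values, entered in the order a) to e) with rough estimates.
    site = "The availability of the company's Web site"
    exposed = "The Web server is vulnerable to access from the Internet"
    m = ThreatModel(assets={site: 100_000},
                    countermeasures={"Install and configure a firewall"})
    m.add_vulnerability(exposed, ["Install and configure a firewall"])
    m.add_threat(Threat("A hacker damages the company's Web site pages",
                        aro=0.5, damage={site: 0.2}, exploits=[exposed]))
    return m
```

Changing an asset value or a threat's `aro` afterwards and calling `annual_loss` again gives the refined figure without re-entering anything else.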

6. Produce Reports as early as possible

Use the PTA reporting system to produce reports even at a preliminary stage of data entry; do not postpone it to later stages. Looking at the reports and analysis outputs may draw your attention to difficulties in the threat model and in the interrelations between entities at an early stage of the threat model building process.

More useful tips can be found in the PTA Professional Forum.
