I get real satisfaction out of running threat modelling workshops because after the session I can almost immediately see the results in the changes that get made in design, and in overhearing some of the conversations about the security controls our applications need to have in place *before* we build them.
I start threat modelling workshops by leading a discussion about what the term vulnerability actually means, stealing the definition from Google:
"The quality or state of being exposed to the possibility of being attacked or harmed".
By that definition, vulnerability is being exposed; there is only an unqualified potential of being attacked.
The key point to note to the class is usually that an attacker needs to gain something from attacking you. It might be financial gain, something ideological, or just a display of skill and bragging rights. The question is: what is their motivation? Why do this?
The exercise of threat modelling will help us learn how we might be vulnerable, but it also helps us understand the threats in terms of who might attack, for what reasons, and what impact an attacker of their ability could have. We can then start to make well-reasoned decisions about using our limited resources to best defend our people and systems.
When we come to the "who" part of our threat model, having a set of 'security personas' to select from helps us think about the types of people, their abilities and their motivations, and perhaps look at the likely approach of multiple security personas to the same vulnerability.
When tasked with thinking up some examples, the class will often create security personas based on things they've seen or read about security incidents in the media, or even in TV series or movies. This means initially your class might be saying we need to be prepared to defend against highly skilled hackers or governments, so it's Fsociety or Mossad that are our problem.
This is reasonable, especially for a less technical audience with little to no infosec exposure: while we might be security professionals who live and breathe this sort of mental exercise, it's likely your class does not.
You need to help people learn about the more realistic threats, such as insider threats, an integrator getting compromised, or the non-malicious, genuine mistakes made by your staff like security misconfigurations or losing a company laptop. Once you help them get into it, the range of threats the team needs to consider during threat modelling is almost always much wider than they'd initially considered.
Unfortunately, in my experience during workshops some members of the class will tag a certain person, team, product or vendor they work with (probably not present) as a security persona, because in their eyes they are to blame for the vulnerabilities they know about and are thus called out as a threat. This is toxic, and from the very outset I make it clear it's unacceptable to do this in the workshop.
So how do I overcome these two problems? Well, you need to give your workshop an engaging set of characters they can kick off great conversations with, build a story around, and then invent a new set of security personas to take forward with them for the rest of the workshop.
For this I'm using sets of images of Funko Pop collectible characters and asking the class questions like "Who is this?", "What's their skill set?" and then "What are their potential motivations?" to help them imagine a story and build a security persona.
I'll give you a few examples and the kind of story we might attribute to a selection of these characters.