
Definitions

In this phase, users can define all relevant assets and associated damage scenarios for the system model by clicking the ADM button on the left side of the Definitions window. Additionally, users can provide details on assumptions by navigating to the AS section on the left side of the page. The risk matrix chart can also be customized to meet specific needs; users can access this by selecting the RM page on the left side of the Definitions window.

Assets and Damage Scenarios

Assets are valuable resources or components within a system that are essential for its operation or functionality. In the context of cybersecurity, assets can include data, hardware, software, networks, and other critical elements of the system that need to be protected from malicious activity. Because they are valuable, they are also attractive targets for attackers, so threat modeling uses assets to describe the critical elements of the system. A damage scenario describes the potential situation or event in which a cyber attack leads to harm, loss, or compromise of the asset.

The latest versions of ThreatGet define both at the model level, so all diagrams within a particular model share all defined assets and damage scenarios. Each asset can be related to damage scenarios to define the consequences of a particular damage due to cyber incidents; these relations are defined through an Asset - Damage Scenario Matrix. On the Definitions page, the user can access assets and damage scenarios by clicking the ADM button on the left side of the page.

Assets

Let’s begin by creating assets. Start by defining three assets: Data Communication Lamp request, Data Communication Oncomming Car Information, and Firmware of Body Control ECU. These assets will be used in the modeling of the Headlamp Example in the section Managing and Creating Diagrams. To add an asset, click on the green + button on the Asset side to begin defining the necessary information for the asset you want to create.

New Assets

Afterward, empty fields for the name, description, and security attributes (e.g., Confidentiality, Integrity, and Availability) will appear on the right side of the window, asking for more details about the required asset. Once all required information is filled in, press the Save button to store the created asset as part of the current ThreatGet model.

List of all Assets

Damage Scenarios

Now we can define the damage scenario for the previously created assets, which can define the impact category and level in case a cyber attack happens. To do so, press the green + button on the Damage Scenarios section. We created three damage scenarios: Front Collision, Malfunctioning Automatic High Beam, and Vehicle Cannot be Driven at Night, with all necessary information, including Name, Description, Impact Category, and the Relationship with asset(s).

List of all Damage Scenarios

The impact level ranges from low (i.e., Negligible) to critical (i.e., Severe), indicating the severity of the damage. Additionally, the impact category should be defined to describe which kind of consequence the damage has: S: Safety, F: Functional, O: Operational, or P: Privacy.

Asset - Damage Scenario Matrix

Once all assets and damage scenarios are defined, ThreatGet will display them as a matrix description, and now the user can define which damage scenario(s) can be assigned to particular asset(s).

New Assets
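The matrix described above can be reviewed for gaps outside the tool. The following is an added example, not ThreatGet code or a ThreatGet export format: the asset and damage scenario names come from this page, while the impact ratings, the two middle impact levels (Moderate, Major), and the asset/scenario links are constructed assumptions.

```python
# Added example: a stand-alone model of the Asset - Damage Scenario Matrix.
# Impact ratings and asset/scenario links below are constructed sample data.
IMPACT_LEVELS = ["Negligible", "Moderate", "Major", "Severe"]  # middle two assumed
CATEGORIES = {"S", "F", "O", "P"}  # Safety, Functional, Operational, Privacy

ASSETS = [
    "Data Communication Lamp request",
    "Data Communication Oncomming Car Information",
    "Firmware of Body Control ECU",
]
SCENARIOS = {  # damage scenario -> {impact category: impact level}
    "Front Collision": {"S": "Severe"},
    "Malfunctioning Automatic High Beam": {"S": "Major", "O": "Moderate"},
    "Vehicle Cannot be Driven at Night": {"O": "Major"},
}
MATRIX = {  # asset -> linked damage scenarios
    ASSETS[0]: {"Malfunctioning Automatic High Beam", "Vehicle Cannot be Driven at Night"},
    ASSETS[1]: {"Front Collision", "Malfunctioning Automatic High Beam"},
    ASSETS[2]: set(SCENARIOS),
}

def validate(assets, scenarios, matrix):
    """Return findings that would leave gaps in the later risk evaluation."""
    findings = []
    for name, impacts in scenarios.items():
        for cat, level in impacts.items():
            if cat not in CATEGORIES or level not in IMPACT_LEVELS:
                findings.append(f"invalid impact {cat}={level} in '{name}'")
    for asset in assets:
        if not matrix.get(asset):
            findings.append(f"asset without damage scenario: '{asset}'")
    linked = set().union(*matrix.values())
    for name in sorted(linked - set(scenarios)):
        findings.append(f"matrix references undefined scenario: '{name}'")
    for name in sorted(set(scenarios) - linked):
        findings.append(f"damage scenario not linked to any asset: '{name}'")
    return findings

def worst_impact(asset, scenarios, matrix):
    """Highest impact per category for one asset (run validate() first)."""
    rank, worst = IMPACT_LEVELS.index, {}
    for name in matrix.get(asset, ()):
        for cat, level in scenarios.get(name, {}).items():
            if cat not in worst or rank(level) > rank(worst[cat]):
                worst[cat] = level
    return worst

if __name__ == "__main__":
    print(validate(ASSETS, SCENARIOS, MATRIX) or "matrix is complete")
    for a in ASSETS:
        print(a, "->", worst_impact(a, SCENARIOS, MATRIX))
```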

Assets and Damage Scenarios on the Project level

The previously discussed steps for creating assets and associated damage scenarios are part of modeling a particular system model. However, ThreatGet also provides a global definition of assets and damage scenarios that can be applied at the project level, allowing all sub-models to share the same assets, damage scenarios, and their relationships. Users can define these at the project level by selecting the Asset - Damage Scenario Matrix button.

Asset and Damage Scenarios

A page displaying a matrix of assets, damage scenarios, and their relationships will appear, following the same steps outlined for creating them at the model level. Users can follow these steps to create assets, define related damage scenarios, and establish the associated relationships.

💡 Tip: Once the process is complete, and the user has created assets, defined damage scenarios, and established relationships among them, these assets can be utilized across any sub-models, even if those models do not contain assets of their own.

Assumptions

Users can define customized assumptions to be used as part of the system model. This can be done in the definition phase by switching to the assumptions view, accessed by clicking AS on the left side of the page in the definition phase.

Assumption

The user can add any specific assumption as needed by entering the title of the assumption in the empty field and then pressing the Add button.

Add Assumption

All recently added assumptions, as well as any previously created ones (if any exist), are listed in the open window.

List of Assumption

Risk Matrix

The evaluation of risks for each detected threat is primarily based on the risk chart, which displays the distribution of risk levels according to likelihood and impact values. Users can check the risk level by switching to RM on the left side of the Definitions window.

Risk Matrix

The user can adjust the distribution of likelihood and impact across the risk matrix to align with specific requirements, tailoring it to reflect their risk assessment strategy. This customization allows the user to better model and evaluate risks based on the unique characteristics and priorities of their system. Once the user has made changes, they should press the green save button to apply and retain these updated values for future risk evaluation actions.

Updated Risk Matrix
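A customized risk matrix should stay monotonic: raising likelihood or impact must never lower the resulting risk level, otherwise severe threats can be ranked below minor ones. The following added example (not ThreatGet code) checks this; the likelihood scale, the risk level names, the middle impact levels, and both matrices are constructed assumptions.

```python
# Added example: sanity check for a customized likelihood x impact risk matrix.
# All scales and matrix values are constructed; they are not ThreatGet defaults.
IMPACT = ["Negligible", "Moderate", "Major", "Severe"]   # rows
LIKELIHOOD = ["Very Low", "Low", "Medium", "High"]       # columns
RISK_LEVELS = ["Low", "Medium", "High", "Critical"]      # ordered, lowest first

BASELINE = [
    ["Low",    "Low",    "Low",      "Medium"],    # Negligible
    ["Low",    "Low",    "Medium",   "High"],      # Moderate
    ["Low",    "Medium", "High",     "Critical"],  # Major
    ["Medium", "High",   "Critical", "Critical"],  # Severe
]

# A "tuned" copy with one cell lowered too far (Severe impact, Low likelihood).
TUNED = [row[:] for row in BASELINE]
TUNED[3][1] = "Low"

def risk_level(matrix, impact, likelihood):
    """Look up the risk level for one impact/likelihood pair."""
    return matrix[IMPACT.index(impact)][LIKELIHOOD.index(likelihood)]

def check_matrix(matrix):
    """Return shape, value, and monotonicity problems in a risk matrix."""
    if len(matrix) != len(IMPACT) or any(len(r) != len(LIKELIHOOD) for r in matrix):
        return ["matrix needs one row per impact and one column per likelihood"]
    rank = {name: i for i, name in enumerate(RISK_LEVELS)}
    problems = []
    for i, row in enumerate(matrix):
        for j, cell in enumerate(row):
            here = f"{IMPACT[i]}/{LIKELIHOOD[j]}"
            if cell not in rank:
                problems.append(f"unknown risk level {cell!r} at {here}")
                continue
            # Compare with the cell one impact step and one likelihood step lower.
            for pi, pj in ((i - 1, j), (i, j - 1)):
                if pi < 0 or pj < 0 or matrix[pi][pj] not in rank:
                    continue
                if rank[matrix[pi][pj]] > rank[cell]:
                    problems.append(
                        f"{here} ({cell}) is below "
                        f"{IMPACT[pi]}/{LIKELIHOOD[pj]} ({matrix[pi][pj]})")
    return problems

if __name__ == "__main__":
    print(check_matrix(BASELINE) or "baseline is monotonic")
    for p in check_matrix(TUNED):
        print("tuned:", p)
```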