The security development lifecycle, including threat modeling, is a concept described by Microsoft around 2006 in a book of that title. While use of the threat modeling technique typicall produces recommended improvements to the code and supporting infrastructure, it lacks the means of providing financial justification for the sometimes significant cost for making improvements. It is notable that nobody owns the threat modeling technique, so evolution is likely occuring down various paths.
This series of posts explores threat modeling as it could relate to standard methodologies published by The Open Group. The goal:
Improving Justification for Mitigations identified by Threat Modeling