3 – Threat Modeling using ArchiMate with Open FAIR

In the previous two posts we discussed Threat Modeling with Open FAIRTM and Threat Modeling using ArchiMateTM. The natural next step is to consider how to integrate all three methods. The FAIR risk analysis example used in this section is constructed using ArchiMate. Use the ArchiMate Specification Reference Cards to understand the symbology. The risk analysis example used in this section is found in Section 2.2 of the Open FAIR Risk Analysis Example Guide. The following image depicts the FAIR Taxonomy with relevant narrative from the Example Guide.

FAIR Analysis of Cleaning Crew Scenario

Member of cleaning crew using the authentication credentials written on the sticky-note to log into the HR executive’s computer and gaining unauthorized access to the information they are intended to protect.

Each image in the following shows a portion of the FAIR Taxonomy depicted in ArchiMate. The Distribution notes display Properties contained in the Assessment (a Motivation Element – Represents an external or internal condition that motivates an organization to define its goals and implement the changes necessary to achieve them.) The Distribution values are the Minimum, Most Likely and Maximum values recorded as percent values.

Calibrate Estimates for TCap and RS
Update Estimates for RS based on Proposed Capabilities
Example of Documentation within ArchiMate

This example shows how a FAIR model can be constructed using ArchiMate. The benefit of this approach is that the FAIR model can be added to views of existing ArchiMate models developed by enterprise architects within an organization. In this way, proposed control improvements can be directly related to the components of the architecture that are being adjusted. Thus, the benefits relate to the entire enterprise architecture, not just one application as is the case with current threat modeling approaches. For example, consider the possible views:

  • Enterprise
  • Multiple application systems
  • Shared infrastructure components
  • Mapping all system related to each enterprise risk
  • Relate components to infrastructure security control requirements

Of course, this benefit cannot be realized until there is a capability with ArchiMate to perform the math associated with FAIR.

This series aimed to ensure understanding by providing Definitions – architecture, FAIR and threat modeling terms, and demonstrate threat model example using ArchiMate – diagram views, control analysis with FAIR.

Return to Introduction

4 – Leveraging Assessment Management

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s