The threat-modeling framework helps you generate a list of threats and ways to reduce risk, but it doesn't prioritize them for you.

It also doesn't recommend layered security controls based on their type and function, which makes it harder to decide which controls to implement.

Prioritizing issues

Deciding the priority of issues is an important piece of threat modeling. It helps you to distribute resources to the most critical issues with your limited resources.

Examples include:

  • Having to choose between implementing a feature to log all administrative actions or using SSL/TLS to encrypt traffic
  • Deciding whether to implement access-control lists or strengthen the input validation process for your system first

When to prioritize

Assign a priority to each issue according to its risk factor. Also, select security controls that work in conjunction with others to help provide a layered security-protection mechanism for your system.

This process can take some time. It'll also require assistance from your colleagues and security team. Save enough time to work with them.

Learning objectives

In this module, you'll be able to:

  • Assign priorities to issues.
  • Categorize security controls.
  • Understand each security control type and function.


  • None