Organisation’s information security threat analysis and modelling based on a universal canvas

Abstract

Security of data and information is key to the viability of an organisation. With the digitalisation of the economy, business entities need to evolve towards more effective protection of their information systems. Threat modelling helps organisations understand potential threats to information and business systems and develop specific measures to prevent or eliminate them. The authors review the main components of threat modelling, and analyse and identify the shortcomings of the most commonly used modelling methods. The article proposes the authors' own method, based on a threat modelling canvas, which makes it possible to eliminate the identified shortcomings. The authors have also developed and tested an approach to teaching the use of this method.

Author Biographies

Ulad A. Makarevich, Belarusian State University, 4 Niezaliežnasci Avenue, Minsk 220030, Belarus

senior lecturer at the department of digital economics, faculty of economics

Katsiaryna A. Miniukovich, Belarusian State University, 4 Niezaliežnasci Avenue, Minsk 220030, Belarus

PhD (economics), docent; associate professor at the department of digital economics, faculty of economics

Konstantin S. Mulyarchik, Belarusian State University, 4 Niezaliežnasci Avenue, Minsk 220030, Belarus

PhD (engineering), docent; associate professor at the department of telecommunications and information technologies, faculty of radiophysics and computer technologies

Published
2021-07-30
Keywords: information security, threat modelling, threat analysis, threat modelling canvas
How to Cite
Makarevich, U. A., Miniukovich, K. A., & Mulyarchik, K. S. (2021). Organisation’s information security threat analysis and modelling based on a universal canvas. Journal of the Belarusian State University. Economics, 1, 57-68. Retrieved from https://journals.bsu.by/index.php/economy/article/view/3715
Section
M. Business Administration • Business Economics • Marketing • Accounting • Perso