Information Security is failing to defend our assets because we’ve been distracted by possible risks (unknown unknowns) and are wasting resources as a result. Even experts perform little better than random chance at prediction, so we need to stop trying to prevent what we can’t predict. By focusing on threats, (known unknowns) we can adapt our defenses to the likely attacks, and more efficiently reduce our risk exposure.
Research conducted by the Secret Service demonstrated that while malicious threats don’t fit a common profile, they exhibit common attack behaviors. The Verizon DBIR will be used to show how security incident data can be used to build a model of attackers based on their behaviors, which can be used to design more effective defenses, and adapt over time as threats change tactics. Behavioral threat models can help focus our limited resources, determine which controls work (some for the right reasons, some not), which controls don’t, and maximize the value of your security investment.
Past and current threat modeling approaches, including STRIDE, will be discussed and compared to Behavioral Threat Modeling.
- Current research on targeted and insider threats
- Effectively model threats by systematically documenting threat behaviors
- Use threat models to evaluate the effectiveness of security designs
About John Benninghoff

JOHN BENNINGHOFF is a long-time student and practitioner of managing information risk. He currently leads the Application Security team at Express Scripts, integrating security into the company’s emerging DevOps practice through better quality engineering. His 20-year career in Information Security includes diverse experience in in financial services, retail, and government: building a Network IDS and a vulnerability management platform using open-source software, leading security incident response, identity and access management, policy & standards, security architecture, and many compliance initiatives. He is currently pursuing a Masters of Science in Managing Risk and Systems Change at the School of Psychology of Trinity College Dublin (online), with the goal of adapting safety science to information technology in the emerging field of resilience engineering.