Threat Tree Templates to Ease Difficulties in Threat Modeling

Threat trees are notable tools in the security analysis process called "threat modeling"\´. The trees are used to identify how and under what condition threats can be realized, which will help proper estimation of risks and planning of countermeasures. However, it is difficult for an average analyst to construct adequate trees, because security expertise, particularly from an attacker\´s perspective, is required to find potential attack scenarios. In this paper, we propose threat tree templates to help non-expert analysts to construct threat trees. Each template is a redundant threat tree, loaded with branches representing many possible attack scenarios, as well as typical examples of corresponding vulnerabilities and countermeasures against such attacks. We also propose a keyword system for the templates, designed to filter out irrelevant scenarios.