differences between Threat Analysis and Threat Modeling

[shollatz at d.umn.edu (scott hollatz)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Hi Ken,
>
> I am currently researching the differences between Threat Analysis and
> Threat Modeling.
>
> I thought your readers on the mailing list may give me a clearer
> distinction.
>
>
>
> How I understand it is that *both* identify security threats, determine
> risk, and create the right countermeasures by analyzing various types of
> documentation about the system and looking for vulnerabilities and/or areas
> of weakness.
>
>
>
> *Threat Analysis* ? is more *informal* way of 'eyeballing' system
> architecture and application design.
> *Threat Modeling* [Microsoft SDL] ? more *formal*, every requirement is
> modeled and scrutinized.
>
> Any additional help you or your readers can provide would be appreciated.

I come from a mathematical modeling background, so my opinion may be
skewed a little, but:

        analysis leads to a model which can be used in analysis

- --
scott hollatz                                        net shollatz at d.UMn.eDu
information technology systems and services          tel +1 218 726 8851
university of minnesota duluth mn usa                fax +1 218 726 7674
                                                                          --
                                               "Asn aD ta zlAp em uT zt33rg"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (SunOS)

iD8DBQFF040Z4og1WWfEVRsRAvd2AJ9P0pjcpsbgO0SWphxvL2PRTAaEYwCfeo6Z
AqFy9OLNnUbd5DOYRcwKaws=
=RyHS
-----END PGP SIGNATURE-----