# Shostack's Four Question Frame for Threat Modeling

1. **What are we working on?**
2. **What can go wrong?**
3. **What are we going to do about it?**
4. **Did we do a good job?**

These questions are designed to help people build better systems. They work less well for end-users of technology. There's a [60 second video](https://youtu.be/Yt0PhyEdZXU) that introduces the questions.

The questions have evolved since they were listed in *Threat Modeling: Designing for Security*. The changes include:

* "We" has replaced "you", to be inclusive and collaborative.
* "Are" has replaced "should" in question 3, to be more focused on action.
* Simplified the wording.
* I'll regularly ask "did we do a good enough job?" The goal is not to do a good job at threat modeling, but to drive improvement to a system.
* "Working on" has replaced "building."

# In the real world

The Four Question Framework is widely adopted. Examples include:

* [How Google Does it: Threat modeling, from basics to AI](https://cloud.google.com/transform/how-google-does-it-threat-modeling-from-basics-to-ai)
* [Threat modeling your generative AI workload to evaluate security risk](https://aws.amazon.com/blogs/security/threat-modeling-your-generative-ai-workload-to-evaluate-security-risk/) (AWS Security blog)
* [CMS Threat Modeling Handbook](https://security.cms.gov/learn/cms-threat-modeling-handbook) from the US Government Centers for Medicare and Medicaid Services

## Nuances

People will sometimes phrase the first question "what are we _building_" rather than "what are we _working on_". The "building" frame draws people towards a waterfall approach, with the attendant problems.

In the Threat Modeling Manifesto, the team had a preference for adding the word "enough" to the 4th question: did we do a good *enough* job? I appreciate the lessened pressure, and miss the aspiration, and so keep the terse form here.

The logic behind the questions as they now stand is laid out in a 2024 whitepaper, "Understanding the Four Question Framework for Threat Modeling", at [shostack.org/whitepapers/](https://shostack.org/whitepapers).

### Legalese, citing

I'm told some lawyers have been concerned about quoting a complete thing, and asserted that it pushes at the limits of fair use to use all 23 of these words as a unit. If you need a license, please treat it as CC-BY. Please call it "Shostack's Four Question Frame for Threat Modeling," or "Shostack's Four Question Framework."

If you want the earliest form that's appropriate for a computer science citation, cite *Threat Modeling: Designing for Security*.
MLA formatted cite is: Shostack, Adam. *Threat Modeling: Designing For Security*. John Wiley & Sons, 2014.

If you want to refer to the current form, the whitepaper is best.