Threat modeling at run time: the case for reflective and adaptive threat management (NIER track)

2021 
Threat modeling is an analysis activity aimed at eliciting viable and realistic security and privacy threats in the design of a software-intensive system. Threat modeling allows for a by-design approach, mitigating problems before they arise and avoiding later costly development efforts. However, it mainly pays off in software construction approaches that rely on planned architectures, in which sources of threats can be anticipated beforehand. These axiomatic assumptions are, however, increasingly untrue in contemporary software development practices in which software systems evolve drastically in later stages. In addition, software-intensive systems are increasingly faced with uncertainty in their operational contexts, and these are nearly impossible to enumerate in early development stages. In this article, we first present the idea of reflective threat modeling, which involves the automated derivation of architectural system models from run-time and operational system artifacts, providing the threat modeler with an accurate and workable run-time inspection view of the system. We then outline and motivate the potential of adopting threat analysis models as a basis for holistic and adaptive threat management through integration of adaptive security and privacy technologies. This will enable systems to autonomously respond to emerging threats by dynamically activating dedicated controls or via run-time reconfiguration.
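The abstract describes two steps: deriving an architectural model from run-time artifacts (reflective threat modeling) and using the elicited threats to drive run-time controls (adaptive threat management). The following Python sketch is an added illustration, not code from the paper or its authors. It assumes constructed run-time artifacts (observed service-to-service connections, as a service mesh or flow collector might report them, plus a zone map from deployment metadata), builds a data-flow model from them, applies a small STRIDE-style rule set, and maps each finding to a control an adaptive runtime could activate. Service names, zones, rules and controls are all illustrative assumptions.

```python
"""Toy 'reflective threat modeling' pass (added example, not from the paper).

Derive a data-flow model from observed run-time connections, elicit threats
with a small rule set, and propose run-time controls per flagged flow.
"""
from dataclasses import dataclass, field

# Constructed run-time artifacts: one record per observed connection.
# Note the last record: a direct browser -> internal-service flow that a
# planned architecture would not have anticipated; run-time observation
# surfaces it.
OBSERVED_FLOWS = [
    {"src": "browser", "dst": "api-gateway", "port": 443, "tls": True, "authn": "oidc"},
    {"src": "api-gateway", "dst": "orders-svc", "port": 8080, "tls": False, "authn": "none"},
    {"src": "orders-svc", "dst": "orders-db", "port": 5432, "tls": False, "authn": "password"},
    {"src": "orders-svc", "dst": "payments.example", "port": 443, "tls": True, "authn": "api-key"},
    {"src": "browser", "dst": "orders-svc", "port": 8080, "tls": False, "authn": "none"},
]

# Constructed deployment metadata: trust zone of each component (assumed).
ZONES = {
    "browser": "internet",
    "api-gateway": "dmz",
    "orders-svc": "internal",
    "orders-db": "internal",
    "payments.example": "internet",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    tls: bool
    authn: str

    @property
    def name(self) -> str:
        return f"{self.src}->{self.dst}"


@dataclass
class Model:
    """Derived architecture: components, flows and their trust zones."""
    zones: dict
    components: set = field(default_factory=set)
    flows: list = field(default_factory=list)

    def zone(self, component: str) -> str:
        return self.zones.get(component, "unknown")

    def crosses_boundary(self, f: Flow) -> bool:
        return self.zone(f.src) != self.zone(f.dst)


def derive_model(records, zones) -> Model:
    """The 'reflective' step: build the model from run-time records."""
    model = Model(zones=dict(zones))
    for r in records:
        f = Flow(r["src"], r["dst"], r["port"], r["tls"], r["authn"])
        model.components.update({f.src, f.dst})
        model.flows.append(f)
    return model


# Rule set: (STRIDE category, predicate over (model, flow), run-time control).
# Rules are illustrative; a real catalogue would be far larger.
RULES = [
    ("Information disclosure",
     lambda m, f: m.crosses_boundary(f) and not f.tls,
     "enable mTLS on the flow"),
    ("Tampering",
     lambda m, f: m.crosses_boundary(f) and not f.tls,
     "enable mTLS on the flow"),
    ("Spoofing",
     lambda m, f: f.authn == "none",
     "require caller identity at the destination"),
    ("Elevation of privilege",
     lambda m, f: m.zone(f.src) == "internet" and m.zone(f.dst) == "internal",
     "block direct ingress; route via the DMZ"),
]


def elicit_threats(model: Model) -> list:
    """Apply every rule to every flow; return one finding per (rule, flow) hit."""
    findings = []
    for f in model.flows:
        for category, predicate, control in RULES:
            if predicate(model, f):
                findings.append({"threat": category, "flow": f.name, "control": control})
    return findings


def plan_controls(findings) -> dict:
    """The 'adaptive' step: distinct controls to activate, keyed by flow."""
    plan = {}
    for t in findings:
        plan.setdefault(t["flow"], set()).add(t["control"])
    return {flow: sorted(controls) for flow, controls in plan.items()}


if __name__ == "__main__":
    model = derive_model(OBSERVED_FLOWS, ZONES)
    for t in elicit_threats(model):
        print(f"{t['threat']:24} {t['flow']:28} -> {t['control']}")
    print(plan_controls(elicit_threats(model)))
```

Two design points matter for the run-time setting the abstract describes. The model is rebuilt from observed records every time, so a flow that appears only after deployment (here, the direct browser to orders-svc connection) is modeled and flagged without anyone updating a design document. And the rule output is expressed as controls rather than only as findings, which is the hand-off point to an adaptive mechanism that can enable a control or trigger a reconfiguration.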