Threat modelling and agile software development: Identified practice in four Norwegian organisations

Threat modelling is considered a key activity in secure software engineering. However, despite its documented benefits it has not (yet) been widely adopted by agile software development projects. In this paper we present results from a qualitative study of how it is performed in practice by four different organisations. The findings show that, even though they all consider threat modelling to lead to a more secure product, they all struggle with practical aspects of the established theory.