Threat Model

I. Formal Definition

A structured artefact that enumerates the assets in a system, the trust boundaries between them, the adversaries who may target the system, the likely techniques such adversaries would employ, and the controls relied upon to interrupt those techniques. A threat model is not a one-time deliverable; it is a living document that must be revised whenever the architecture, the data classes handled, or the adversary landscape changes materially. The federation requires that every Tier-1 service maintain a current threat model under UFMS-001:2.4.

II. Etymology

Emerged from the formal methods and adversarial security literature of the 1970s and 1980s; popularised in industry by the STRIDE methodology in the late 1990s.

III. Federation Usage

Federation members must produce threat models in a federation-recognised format, currently STRIDE, PASTA, or LINDDUN. A model older than twelve months without a re-affirmation note is treated as stale under MEV-Annex:3.2.

IV. Related Terms

• mitre-attack
• blast-radius
• lateral-movement
• control-evidence

V. Authoritative Citations

• UFMS-001:2.4UFMS Article II - Threat Modelling
• MEV-Annex:3.2MEV Annex III - Model Cadence

VI. Citation in BibTeX

@misc{ifo4_glossary_threat_model,
  title        = {{Threat Model}},
  author       = {{IFO4 Federation Editorial Board}},
  howpublished = {{IFO4 Federation Glossary, slug \texttt{threat-model}}},
  year         = {2026},
  url          = {https://ifo4.org/glossary/threat-model},
  note         = {Category: SecOps; key: ThreatModel}
}

VII. Challenge This Definition

Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.