“Better OKRs Through Threat Modeling”

Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement.

Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program.”

I like the post so much that I have only a small amount to add. I think we could benefit by sharing sample OKRs around either threat modeling, the four questions, or smaller deliverables.

I am not a master of the OKR form, but some simple examples might include:

  • Increase assurance that we’re making the right security investments by having current threat model documents for 95% of our apps and operational environments. (Where current is some time metric related to velocity) or

Ideally, these would be anonymized versions of real OKRs, possibly with history. (For example, “I started by asking for one test case for each STRIDE category, but there was strong pushback because we concentrate our model of repudiation in our support use cases.”)

Generally blogging at adam.shostack.org/blog, but shared posts here before Medium asked me to jump through more and more hoops.

Adam Shostack