“Better OKRs Through Threat Modeling”

Abhay Bhargav has an excellent post, Better OKRs for Security through Effective Threat Modeling. I like that he doesn’t just complain about the communication gap between security and management, but offers a concrete suggestion for closing it.

Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are not only in great tactical shape, but also help define a strategic roadmap for your AppSec Program.”

I like the post so much that I have only a small amount to add. I think we could benefit by sharing sample OKRs around threat modeling as a whole, around the four questions (what are we working on, what can go wrong, what are we going to do about it, did we do a good job), or around smaller deliverables.

I am not a master of the OKR form, but some simple examples might include:

  • Increase assurance that we’re making the right security investments by having current threat model documents for 95% of our apps and operational environments (where “current” is some time window tied to delivery velocity, so a fast-moving service needs a fresher model than a stable one).
  • Improve system resilience by revisiting “what can go wrong” for a system that has led to lots of operational problems.
  • Improve defenses by adding one test case for each STRIDE category per sprint to existing code, for at least 75% of sprint stories.
  • Reduce security debt by 10% over Q1 by going back and creating appropriate system models for 5 of the legacy deployments.

Ideally, these would be anonymized versions of real OKRs, possibly with history. (For example, “I started by asking for one of each STRIDE test cases, but there was strong pushback because we concentrate our model of repudiation in our support use cases.”)
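To make the STRIDE-per-sprint OKR concrete, here is what “one test case for each STRIDE category” can look like for a single story. This is an added illustration, not code from this post or from Abhay Bhargav’s; the TransferService, its HMAC key and its user directory are constructed stand-ins for whatever the sprint story actually touches. Each test is named for the threat it covers, so a reviewer (or an OKR tracker) can count coverage per category rather than just “number of tests”.

```python
"""One test per STRIDE category for a small, constructed transfer endpoint.

Added example: the service, key and users below are invented for illustration.
"""
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # assumption: a shared MAC key, not a real secret
MAX_BODY = 1024                   # assumption: request-size ceiling for this endpoint


class TransferService:
    """Constructed service; each check is labelled with the STRIDE threat it addresses."""

    def __init__(self):
        self.audit_log = []
        self.users = {"alice": "user", "root": "admin"}  # constructed directory

    def token_for(self, user):
        # Session token derived from the user name; stands in for a real session store.
        return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()[:16]

    def sign(self, body):
        return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

    def handle(self, user, token, body, sig):
        # Spoofing: the caller must present a valid token for the claimed identity.
        if not hmac.compare_digest(token, self.token_for(user)):
            return 401, "unauthorized"
        # Denial of service: bound the body before doing any parsing work.
        if len(body) > MAX_BODY:
            return 413, "too large"
        # Tampering: the body must carry a MAC computed over exactly these bytes.
        if not hmac.compare_digest(self.sign(body), sig):
            return 400, "bad signature"
        try:
            req = json.loads(body)
        except ValueError:
            # Information disclosure: never echo parser internals to the client.
            return 400, "malformed"
        # Elevation of privilege: only admins may override transfer limits.
        if req.get("override_limit") and self.users.get(user) != "admin":
            return 403, "forbidden"
        # Repudiation: every accepted transfer is recorded with actor and amount.
        self.audit_log.append({"user": user, "amount": req.get("amount")})
        return 200, "ok"


def _request(svc, user, payload, token=None, sig=None):
    body = payload if isinstance(payload, bytes) else json.dumps(payload).encode()
    return svc.handle(
        user,
        svc.token_for(user) if token is None else token,
        body,
        svc.sign(body) if sig is None else sig,
    )


def test_spoofing():
    return _request(TransferService(), "alice", {"amount": 10}, token="0" * 16)[0] == 401


def test_tampering():
    svc = TransferService()
    original = b'{"amount": 10}'
    modified = b'{"amount": 99}'  # changed after signing
    return _request(svc, "alice", modified, sig=svc.sign(original))[0] == 400


def test_repudiation():
    svc = TransferService()
    status, _ = _request(svc, "alice", {"amount": 10})
    return status == 200 and svc.audit_log == [{"user": "alice", "amount": 10}]


def test_information_disclosure():
    status, msg = _request(TransferService(), "alice", b"{not json")
    return status == 400 and "Expecting" not in msg and "line" not in msg


def test_denial_of_service():
    huge = b'{"amount": 1, "pad": "' + b"x" * (MAX_BODY * 2) + b'"}'
    return _request(TransferService(), "alice", huge)[0] == 413


def test_elevation_of_privilege():
    svc = TransferService()
    denied = _request(svc, "alice", {"amount": 10, "override_limit": True})[0] == 403
    allowed = _request(svc, "root", {"amount": 10, "override_limit": True})[0] == 200
    return denied and allowed


def run_stride_tests():
    """Return per-category pass/fail, the unit an OKR like the one above would count."""
    return {
        "Spoofing": test_spoofing(),
        "Tampering": test_tampering(),
        "Repudiation": test_repudiation(),
        "Information disclosure": test_information_disclosure(),
        "Denial of service": test_denial_of_service(),
        "Elevation of privilege": test_elevation_of_privilege(),
    }


if __name__ == "__main__":
    for category, passed in run_stride_tests().items():
        print(f"{category:24s} {'pass' if passed else 'FAIL'}")
```

The useful property for the OKR is the naming: if a story legitimately has no repudiation concern (the situation the pushback above describes), the team can record that explicitly against the category rather than silently skipping it, and the 75%-of-stories key result stays measurable.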

Generally blogging at adam.shostack.org/blog, but shared posts here before Medium asked me to jump through more and more hoops.
Adam Shostack