"Threat Modelling, Enterprise Information Security Architecture"

Name – Sayan Das
Roll no – 14400121013
Subject code – PEC-CS 702E
Subject Name – Cyber Security
Academic Session – 2024-2025
Department – Computer Science and Engineering
College name – Neotia Institute of Technology, Management & Science (144)

Abstract— This report provides a simplified overview of threat modelling and enterprise information security architecture. It explains how organizations can identify potential threats, design secure systems, and safeguard their data. Threat modelling helps businesses predict security risks, while enterprise information security architecture (EISA) defines the structure and policies needed to protect an organization's information assets. The paper covers key principles, techniques, and best practices in easy-to-understand language.

Keywords—Threat Modelling, Information Security, Enterprise Architecture, Security Framework, Risk Management, Cyber security.

I. INTRODUCTION
In today's digital world, organizations face constant cybersecurity challenges. As data and systems grow, so do the potential security threats. Threat modelling helps identify these risks and find ways to mitigate them before they cause damage. It is a proactive approach that involves predicting possible attacks and planning defenses in advance.

Enterprise Information Security Architecture (EISA) ensures that security strategies are embedded into the overall structure of an organization's IT systems. By creating a well-planned security architecture, organizations can manage security risks more effectively. This report breaks down these concepts into easy-to-understand steps and terms, outlining the importance of both threat modelling and EISA in modern cybersecurity.

II. THREAT MODELLING

A. What is Threat Modelling?
Threat modelling is the process of identifying, evaluating, and prioritizing potential security threats that may target an organization's information systems. It is a step-by-step way to find and rank potential dangers to a system, and it helps us understand where problems could happen and how to fix them before they cause damage.

B. Importance of Threat Modelling
Threat modelling is important because it helps in:
1) Identifying Risks Early: It allows you to spot potential security issues early in the design phase.
2) Improving Security: By understanding threats, you can build stronger defenses.
3) Saving Costs: Fixing issues early is cheaper than dealing with security breaches later.
4) Ensuring Compliance: Many industries have regulations that require security measures, and threat modelling helps meet those requirements.

III. STEPS IN THREAT MODELLING
The process of threat modelling typically involves the following steps:



A. Identify Assets
Understand what you are trying to protect (like data, applications, or networks).

B. Identify Threats
Think about what could go wrong. Who might try to attack the system, and how?

C. Determine Vulnerabilities
Look for weaknesses in the system that could be exploited.

D. Assess Risks
Figure out the impact of the threats and how likely they are to occur.

E. Mitigation
Develop strategies to reduce or eliminate the identified risks.

IV. ENTERPRISE INFORMATION SECURITY ARCHITECTURE (EISA)

A. What is EISA?
Enterprise Information Security Architecture (EISA) is a framework that provides a structured approach to managing and securing an organization's IT systems. It covers everything from policies and standards to technical controls and procedures.

B. Components of EISA
1) Security policies: Guidelines and rules to ensure secure operations.
2) Security standards: Technical specifications that must be followed to secure systems.
3) Security technology: Tools like firewalls, encryption, and intrusion detection systems used to defend the organization.
4) Access control: Methods to ensure that only authorized users can access sensitive systems and data.
5) Risk Management: Ways to find and deal with risks to keep the business safe.

V. IMPORTANCE OF EISA

A. Comprehensive Security
EISA ensures that all parts of an organization's IT environment are secure, not just individual components.

B. Alignment with Business Goals
It helps in aligning security strategies with business objectives.

C. Consistent Approach
EISA provides a consistent way to handle security across the entire organization.

D. Reduces Risk
Puts security at the center of how the business operates, reducing chances of problems.

E. Supports Compliance
Helps the company follow rules and regulations.

VI. THE RELATIONSHIP BETWEEN THREAT MODELLING AND EISA
While threat modelling focuses on identifying and mitigating security threats, EISA provides the structured framework to apply the findings of threat modelling across an organization. Together, they help create a robust defense system where security is integrated into every aspect of the IT environment. This combination ensures that organizations can anticipate, prevent, and respond to threats in an organized and efficient way.

VII. SECURITY ARCHITECTURE
Security architecture within EISA refers to the design and implementation of security measures that protect an organization's IT environment. It includes:

A. Policies and Standards
Guidelines that dictate how security should be managed.

B. Technical Controls
Security tools and technologies like firewalls, encryption, and access controls.

C. Procedures
The specific steps to follow to ensure security.
ACKNOWLEDGMENT
I would like to express my sincere gratitude to all those who have supported and contributed to the completion of this report on "Threat Modelling, Enterprise Information Security Architecture".

I extend my heartfelt thanks to my mentors and educators Suman Halder sir who provided guidance and insights throughout the research and writing process. Their valuable input has greatly enriched the content and structure of this report.

I also want to acknowledge the resources, textbooks, and academic materials that have served as essential references, allowing me to delve into the subject matter and present accurate information.
VIII. THREAT MODELLING ON EISA
Applying threat modelling to EISA involves assessing the entire architecture to identify potential threats and vulnerabilities. This helps in:

A. Strengthening Defenses
By identifying weak points in the architecture and reinforcing them.

B. Ensuring Comprehensive Protection
Making sure that all aspects of the IT environment are secure.

IX. CHALLENGES
Some challenges in threat modelling and EISA include:

A. Complexity
Large organizations have complex IT environments, making threat modelling and EISA difficult.

B. Resource Constraints
It requires time, money, and skilled personnel, which may not always be available.

C. Keeping Up with Changes
As technology evolves, the architecture and threats change, requiring continuous updates to the security measures.

CONCLUSION
Threat modelling and EISA are essential practices for protecting an organization's IT environment. By identifying and addressing potential threats early, organizations can build stronger defenses, save costs, and ensure compliance with regulations. Although there are challenges, the benefits of a secure and well-structured IT environment are well worth the effort.
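As an added example (not part of the original report), the five steps of Section III and the architecture-wide assessment of Section VIII carried through in Python: each threat records the asset, the threat, the vulnerability, likelihood and impact scores and a mitigation, threats are ranked by risk, and the model is checked against the EISA components of Section IV.B for anything not yet assessed. The component names come from the report; the sample threats, their scores and the likelihood × impact scoring rule are constructed assumptions.

```python
# Added example, not from the report: the five steps of Section III as data plus a
# ranking rule, then checked against the EISA components of Section IV.B as Section
# VIII suggests. All assets, threats and scores are constructed; risk = likelihood *
# impact is one common scoring rule, used here as an assumption.
from dataclasses import dataclass

EISA_COMPONENTS = ("security policies", "security standards", "security technology",
                   "access control", "risk management")  # Section IV.B, items 1-5


@dataclass
class Threat:
    component: str       # the EISA component the threat falls under
    asset: str           # Step A: what we are trying to protect
    description: str     # Step B: what could go wrong
    vulnerability: str   # Step C: the weakness that makes it possible
    likelihood: int      # Step D: 1 (rare) .. 5 (almost certain)
    impact: int          # Step D: 1 (minor) .. 5 (severe)
    mitigation: str      # Step E: how the risk is reduced or removed

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Step D: validate the scores and order threats so the highest risk comes first."""
    for t in threats:
        if not (1 <= t.likelihood <= 5 and 1 <= t.impact <= 5):
            raise ValueError(f"scores must be 1..5: {t.description!r}")
    # Ties on risk are broken by impact so severe-but-rare threats are not buried.
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


def coverage_gaps(threats: list[Threat]) -> list[str]:
    """Section VIII: architecture components for which no threat has been assessed."""
    covered = {t.component for t in threats}
    return [c for c in EISA_COMPONENTS if c not in covered]


SAMPLE_MODEL = [  # constructed model for a small web application
    Threat("security technology", "customer database", "attacker reads customer records",
           "SQL built from unvalidated input", 4, 5, "parameterised queries"),
    Threat("access control", "admin portal", "attacker logs in as administrator",
           "password-only login with no lockout", 3, 5, "multi-factor authentication"),
    Threat("security standards", "public website", "site content defaced",
           "outdated CMS plugin", 3, 2, "patch management"),
]
```

Running `rank_threats(SAMPLE_MODEL)` puts the database threat (risk 20) first, and `coverage_gaps(SAMPLE_MODEL)` reports that security policies and risk management have not been assessed yet, which is the comprehensive-protection check of Section VIII.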
