Module 14: Threat Modelling & Threat Landscape

CRISC Domain 2 — IT Risk Assessment, Section A
You cannot manage risk you don't understand.
You cannot understand risk if you ignore the threat environment.

Threat modeling and threat landscape are about structured anticipation.

CRISC does not expect you to memorize attack frameworks.

It expects you to understand how threats connect to business exposure.


What the exam is really testing

When threat modeling or threat landscape appears, CRISC is testing whether you can:

  • Identify relevant threat sources
  • Evaluate exposure pathways
  • Consider internal and external threats
  • Align threat awareness to risk identification
  • Recognize environmental changes that alter risk

This is about structured thinking — not cybersecurity trivia.


Threat landscape vs threat modeling

You must distinguish these clearly.

Threat landscape

The overall threat environment affecting the organization.

Includes:

  • External attackers
  • Insider threats
  • Supply chain risks
  • Regulatory shifts
  • Geopolitical instability
  • Industry-specific attack trends

The threat landscape answers:

“What kinds of threats exist in our environment?”

It is broad and contextual.


Threat modeling

A structured process to:

  • Identify potential threats
  • Analyze system vulnerabilities
  • Evaluate attack pathways
  • Prioritize risks

Threat modeling answers:

“How could threats exploit our specific systems or processes?”

It is targeted and analytical.


The most common exam mistake

Candidates confuse:

  • A threat source
  • A vulnerability
  • A risk event
  • A control gap

Example:

“Outdated software” is not a threat.

“Cybercriminal” is a threat source.

“Exploitation of outdated software leading to data exposure” is the risk event.

CRISC expects you to separate them cleanly.


Threat sources

CRISC typically categorizes threats as:

  • Internal (employees, contractors)
  • External (hackers, competitors, organized crime)
  • Environmental (natural disasters)
  • Technological (system failure)
  • Third-party (vendors, partners)

If a scenario focuses only on external attackers, you may be missing insider risk.

CRISC likes balanced evaluation.


When threat landscape changes

If a question describes:

  • New geopolitical conflict
  • New regulatory climate
  • Industry-specific targeting
  • Increased ransomware activity
  • Major supply chain disruption

CRISC often expects:

Reassessment of risk exposure in light of evolving threat landscape.

Not immediate control deployment.

Threat landscape shifts require evaluation.


Threat modeling process (practical view)

CRISC does not require naming STRIDE or other formal models.

But it expects that threat modeling includes:

  1. Identify assets
  2. Identify threat sources
  3. Identify vulnerabilities
  4. Determine possible attack paths
  5. Assess potential impact
  6. Prioritize risk

If modeling is informal or inconsistent, governance maturity is low.
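The six steps above, the threat-source / vulnerability / risk-event separation from the earlier section, and the "reassess exposure when the landscape shifts" rule can all be made concrete in a small register. The following is an added example written for this module; it is not CRISC or ISACA material, and every asset, threat source, vulnerability and the 1-5 scoring scale in it are constructed assumptions chosen only to illustrate the workflow. It keeps the three concepts as separate records (a risk event only exists where a threat source meets a vulnerability on an asset), prioritizes by a simple ordinal product, flags threat-source categories that were never modelled (the insider blind spot), and shows a landscape change as a likelihood reassessment that re-orders priorities rather than as a tool deployment.

```python
"""Minimal threat-model register following the six-step process in the text.

Added example, not part of the CRISC material. All names, scores and the
sample assets/threats below are constructed for illustration.
"""
from dataclasses import dataclass

THREAT_CATEGORIES = ("internal", "external", "environmental",
                     "technological", "third-party")


@dataclass(frozen=True)
class Asset:                       # step 1: identify assets
    name: str
    classification: str            # e.g. "confidential"; drives impact
    impact: int                    # 1-5, assumed scale


@dataclass(frozen=True)
class ThreatSource:                # step 2: identify threat sources
    name: str
    category: str                  # one of THREAT_CATEGORIES
    likelihood: int                # 1-5, assumed scale


@dataclass(frozen=True)
class Vulnerability:               # step 3: identify vulnerabilities
    name: str
    asset: str                     # Asset.name it exists on
    exploitability: int            # 1-5, assumed scale


@dataclass(frozen=True)
class RiskEvent:
    """Step 4: an attack path joins a threat source to a vulnerability on an asset.
    Note that neither the source nor the vulnerability is a risk by itself."""
    source: ThreatSource
    vulnerability: Vulnerability
    asset: Asset

    def describe(self) -> str:
        return f"{self.source.name} exploits {self.vulnerability.name} on {self.asset.name}"

    def score(self) -> int:
        # Steps 5-6: ordinal product; the formula is an assumption, not CRISC's.
        return self.source.likelihood * self.vulnerability.exploitability * self.asset.impact


def build_risk_events(assets, sources, vulns, paths):
    """paths: (source_name, vulnerability_name) pairs judged to be feasible attack paths."""
    asset_by = {a.name: a for a in assets}
    src_by = {s.name: s for s in sources}
    vuln_by = {v.name: v for v in vulns}
    return [RiskEvent(src_by[s], vuln_by[v], asset_by[vuln_by[v].asset]) for s, v in paths]


def prioritize(events):
    """Step 6: highest score first (stable sort keeps input order on ties)."""
    return sorted(events, key=lambda e: e.score(), reverse=True)


def missing_source_categories(sources, required=THREAT_CATEGORIES):
    """Blind-spot check: threat categories with no source modelled at all."""
    present = {s.category for s in sources}
    return [c for c in required if c not in present]


def reassess(sources, category, delta):
    """Landscape change: adjust likelihood for one category (capped at 5) and return new sources."""
    return [ThreatSource(s.name, s.category, max(1, min(5, s.likelihood + delta)))
            if s.category == category else s for s in sources]


# Constructed sample register (hypothetical organisation).
ASSETS = [Asset("customer database", "confidential", 5),
          Asset("public website", "public", 2)]
SOURCES = [ThreatSource("Cybercriminal", "external", 3),
           ThreatSource("Privileged employee", "internal", 2),
           ThreatSource("Cloud provider", "third-party", 2)]
VULNS = [Vulnerability("misconfigured cloud storage", "customer database", 3),
         Vulnerability("outdated web server", "public website", 4),
         Vulnerability("unmonitored privileged access", "customer database", 3)]
PATHS = [("Cybercriminal", "misconfigured cloud storage"),
         ("Cybercriminal", "outdated web server"),
         ("Privileged employee", "unmonitored privileged access"),
         ("Cloud provider", "misconfigured cloud storage")]

if __name__ == "__main__":
    for e in prioritize(build_risk_events(ASSETS, SOURCES, VULNS, PATHS)):
        print(e.score(), e.describe())
    print("unmodelled categories:", missing_source_categories(SOURCES))
    # Industry sees a rise in external attacks: reassess, do not deploy tools yet.
    bumped = reassess(SOURCES, "external", 2)
    for e in prioritize(build_risk_events(ASSETS, bumped, VULNS, PATHS)):
        print(e.score(), e.describe())
```

Running it shows the cloud-storage path ranked first, the insider path tied with the third-party path, and two categories (environmental, technological) never modelled at all, which is exactly the scope gap the later "uncomfortable scenario" on this page describes. After the external-likelihood reassessment the ordering changes, which is the point of re-evaluating exposure before choosing controls.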


Example scenario (walk through it)

Scenario:
An organization plans to migrate sensitive customer data to a cloud provider. The industry has recently experienced a rise in ransomware attacks targeting cloud environments.

What is the MOST appropriate action?

A. Immediately implement additional encryption
B. Perform threat modeling focused on cloud-specific attack vectors
C. Escalate to regulators
D. Delay migration indefinitely

Correct answer:

B. Perform threat modeling focused on cloud-specific attack vectors

Why?

The threat landscape has changed.
Governance requires structured risk identification before implementation.


Environmental threat scenario

Scenario:
A company operating in a politically unstable region experiences increased cyber attacks linked to geopolitical tensions.

What should occur FIRST?

A. Implement new firewalls
B. Increase monitoring frequency
C. Reassess risk exposure considering the evolving threat landscape
D. Terminate operations immediately

Correct answer:

C. Reassess risk exposure considering the evolving threat landscape

Threat landscape shift → reassess exposure.

CRISC prefers structured evaluation.


Trap answers

When threat landscape shifts, these are often wrong:

  • Deploy new tools immediately
  • Ignore environmental change
  • Focus on one threat source only
  • Assume internal risk is minimal

CRISC prefers balanced, structured threat evaluation.


Threat modeling and governance

Threat modeling must align with:

  • Business objectives
  • Asset classification
  • Risk appetite
  • ERM framework

If threat modeling occurs without governance alignment, risk prioritization may be flawed.

Threat modeling is not a technical exercise alone.

It supports enterprise decision-making.


Slightly uncomfortable scenario

An organization has strong perimeter security but has not evaluated insider threat risk. Several employees have broad privileged access without monitoring.

What is the MOST significant governance weakness?

A. Weak firewall configuration
B. Incomplete threat modeling scope
C. Excessive encryption
D. Poor vendor management

Correct answer:

B. Incomplete threat modeling scope

The threat model ignored insider risk.

CRISC tests for blind spots.


Quick knowledge check

1) A rise in ransomware attacks in the industry represents what?

A. Risk event
B. Contributing condition
C. Change in threat landscape
D. Control failure

Answer & reasoning

Correct: C

It reflects environmental threat change.


2) Identifying how attackers could exploit a specific application is part of:

A. Risk appetite definition
B. Threat modeling
C. Risk aggregation
D. Compliance assessment

Answer & reasoning

Correct: B

Threat modeling analyzes system-specific attack paths.


3) Ignoring insider threats while focusing solely on external attackers indicates:

A. Strong ERM
B. Narrow threat modeling
C. Excessive risk tolerance
D. Weak asset classification

Answer & reasoning

Correct: B

Threat modeling must consider internal and external sources.


Final takeaway

When threat modeling or threat landscape appears:

  • Distinguish threat from vulnerability from risk event.
  • Consider internal and external sources.
  • Reassess exposure when the environment changes.
  • Align modeling with governance and risk appetite.
  • Fix blind spots before deploying tools.

CRISC rewards structured anticipation — not reactive defense.
