Assets: What We're Protecting

At the heart of every threat modeling exercise lies the identification of assets—the valuable elements within your system that require protection. Assets aren't limited to obvious targets like databases full of customer information. They encompass anything of value that could be compromised, damaged, or misused by an attacker. Understanding what constitutes an asset in your specific context forms the foundation for all subsequent threat modeling activities.

Data assets typically receive the most attention, and for good reason. Customer personally identifiable information (PII), payment card data, intellectual property, and business-critical information represent prime targets for attackers. However, data classification goes beyond simple categories. Consider a seemingly innocuous customer preference database. While individual preferences might seem low-value, aggregated data could reveal business strategies or enable sophisticated social engineering attacks.

System assets include the infrastructure and applications that process, store, and transmit data. These encompass servers, network devices, applications, and cloud services. A compromised web server might not directly expose sensitive data but could serve as a launching point for deeper attacks. Similarly, development and testing environments, often overlooked in security assessments, frequently contain production data or credentials that provide pathways to critical systems.

Intangible assets deserve equal consideration. Your organization's reputation, customer trust, and operational capability represent assets that cyberattacks can severely damage. A denial-of-service attack might not steal data but could cripple operations and erode customer confidence. Threat modeling must account for these less tangible but equally critical assets to provide comprehensive protection.
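The points above about web servers as launching points and test environments holding production credentials can be checked mechanically against an asset inventory. The following is an added example, not part of the original text: the four-level classification scale, the `links` field, and every asset name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

LEVELS = ["public", "internal", "confidential", "restricted"]  # assumed scale

@dataclass
class Asset:
    name: str
    kind: str                # "data", "system" or "intangible"
    level: str = "public"    # classification the owner assigned directly
    links: list = field(default_factory=list)  # assets it stores, supports or can reach

def effective_level(inventory, name):
    """Return (level, path): highest classification reachable from `name`, and why."""
    best_level, best_path = inventory[name].level, [name]
    seen, stack = {name}, [(name, [name])]
    while stack:
        current, path = stack.pop()
        for nxt in inventory[current].links:
            if nxt in seen:
                continue
            seen.add(nxt)
            nxt_path = path + [nxt]
            if LEVELS.index(inventory[nxt].level) > LEVELS.index(best_level):
                best_level, best_path = inventory[nxt].level, nxt_path
            stack.append((nxt, nxt_path))
    return best_level, best_path

def underrated(inventory):
    """System assets whose assigned level is below what they expose."""
    found = {}
    for a in inventory.values():
        level, path = effective_level(inventory, a.name)
        if a.kind == "system" and level != a.level:
            found[a.name] = (level, path)
    return found

ASSETS = [  # constructed sample inventory
    Asset("customer_pii", "data", "restricted"),
    Asset("customer_preferences", "data", "internal"),
    Asset("customer_trust", "intangible", "confidential"),
    Asset("prod_db", "system", "restricted", ["customer_pii", "customer_preferences"]),
    Asset("web_server", "system", "internal", ["customer_trust", "app_server"]),
    Asset("app_server", "system", "internal", ["prod_db"]),
    Asset("test_env", "system", "public", ["prod_db_credentials"]),
    Asset("prod_db_credentials", "data", "restricted", ["prod_db"]),
]
INVENTORY = {a.name: a for a in ASSETS}
for _name, (_level, _path) in underrated(INVENTORY).items():
    print(f"{_name}: assigned {INVENTORY[_name].level}, effective {_level} via {' -> '.join(_path)}")
```

Each system asset reported here was classified by what it stores directly rather than by what it leads to, so its protection requirements should be reviewed against the listed path.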