Identifying Assets in Your System
With your diagram complete, systematically identify assets within your system. Start with the obvious data assets. In our e-commerce example, these include customer personal information, payment card data, order history, and product inventory. For an employee directory, assets might include employee contact information, organizational structure data, and potentially sensitive internal phone numbers or email addresses.
Look beyond data to system assets. The web server's availability might be critical for business operations. The integrity of your application code prevents unauthorized modifications. Authentication mechanisms protect against unauthorized access. Each component in your diagram potentially represents an asset requiring protection. Consider both direct value and potential misuse—a compromised web server might not store valuable data but could launch attacks against other systems.
Don't forget intangible assets. Customer trust, regulatory compliance, and business reputation all require protection. A breach that exposes no sensitive data but takes your service offline during peak business hours could still cause significant damage. Document these assets alongside technical ones to ensure comprehensive threat consideration.
Prioritize your assets based on their value and sensitivity. Not all assets require equal protection. Payment card data likely needs stronger controls than public product descriptions. This prioritization helps focus your threat modeling efforts on the most critical areas and guides security investment decisions. Create a simple ranking system—high, medium, low—based on the potential impact of asset compromise.
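The asset register and high/medium/low ranking this section describes, as an added Python example that is not part of the original article; the e-commerce assets, diagram components and impact scores are constructed for illustration, and the coverage check flags diagram components that no asset has been mapped to yet.

```python
from dataclasses import dataclass

# Constructed asset register for the e-commerce example in this section.
# Impact of compromise is rated 1 (low) to 3 (high) for confidentiality,
# integrity and availability; the priority is the worst of the three.

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # "data", "system" or "intangible"
    component: str        # diagram element that holds or realises the asset
    confidentiality: int  # impact of disclosure
    integrity: int        # impact of unauthorised modification
    availability: int     # impact of loss of service

RANK = {3: "high", 2: "medium", 1: "low"}

def worst_impact(asset: Asset) -> int:
    return max(asset.confidentiality, asset.integrity, asset.availability)

def priority(asset: Asset) -> str:
    """Rank an asset high/medium/low by its worst-case impact across C, I and A."""
    return RANK[worst_impact(asset)]

def prioritised(assets):
    """Assets sorted from highest to lowest impact, ties broken by name."""
    return sorted(assets, key=lambda a: (-worst_impact(a), a.name))

def uncovered_components(components, assets):
    """Diagram components with no asset mapped to them: each component
    potentially represents an asset, so these deserve a second look."""
    return sorted(set(components) - {a.component for a in assets})

# Constructed diagram components and assets (hypothetical values).
COMPONENTS = ["web server", "app server", "order db", "payment gateway", "cdn", "admin portal"]

ASSETS = [
    Asset("payment card data", "data", "payment gateway", 3, 3, 2),
    Asset("customer PII", "data", "order db", 3, 2, 2),
    Asset("order history", "data", "order db", 2, 2, 2),
    Asset("public product descriptions", "data", "cdn", 1, 1, 1),
    Asset("application code integrity", "system", "app server", 1, 3, 2),
    Asset("storefront availability", "system", "web server", 1, 2, 3),
    Asset("customer trust", "intangible", "web server", 3, 3, 3),
]

if __name__ == "__main__":
    for a in prioritised(ASSETS):
        print(f"{priority(a):6} {a.kind:10} {a.name} ({a.component})")
    print("components with no asset mapped:", uncovered_components(COMPONENTS, ASSETS))
```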