After the videos on threat modeling, an example seems in order. Securology provides a good one in Selecting a Pistol Safe, where a threat model forms (part of) the basis of a procurement decision. This is his set of requirements:
So, I needed a way to "securely" (that's always a nebulous word) store a firearm – namely a pistol – such that it could meet the following criteria:
- Keep children's and other family members' hands off of the firearm
- Stored in, on, or near a nightstand
- Easily opened by authorized people under stress
- Easily opened by authorized people in the dark
- Not susceptible to power failures
- Not susceptible to being "dropped open"
- Not susceptible to being pried open
- Not opened by "something you have" (authentication with a key) because the spouse is horrible at leaving keys everywhere.
- For sale at a reasonable cost
- An adversary should not know (hear) when the safe was opened by an authorized person
But I didn’t care a lot about the ability to keep a dedicated thief from stealing the entire safe with or without the firearm inside.
Read on at Securology to see how various products fail to fulfill this set of requirements. The example is illustrative because it addresses several distinct threat aspects and tradeoffs. The pistol is not simply an asset needing protection; it is also, by itself, a security mechanism against certain threats. The resulting optimization problem is interesting: keeping (some) unauthorized people from accessing the pistol while maintaining availability to authorized people in a practical sense.
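To show how a requirement list like the one above turns into a repeatable procurement check, here is an added example (my own code, not from this post or from Securology). Each requirement becomes a predicate over a product's attributes, the explicit non-goal (theft of the whole safe) is recorded but never scored, and a single failed requirement disqualifies a product. The `Safe` attributes, the four sample products, and the thresholds `MAX_OPEN_TIME_S` and `MAX_PRICE_USD` are assumptions constructed for the example; the post gives no figures for "easily opened" or "reasonable cost".

```python
from collections.abc import Callable
from dataclasses import dataclass


@dataclass(frozen=True)
class Safe:
    """Hypothetical product attributes (constructed for this example, not real product data)."""
    name: str
    lock: str                 # "key", "mechanical_combo", "electronic_pin", "biometric"
    child_resistant: bool     # tested against a child's attempts to open it
    fits_nightstand: bool
    needs_power: bool         # lock is inoperable on battery or mains failure
    drop_resistant: bool      # does not pop open when dropped or struck
    pry_resistant: bool
    opens_silently: bool      # no beep, chime or loud latch on opening
    open_time_dark_s: float   # measured time for an authorized user to open in darkness
    price_usd: float


MAX_OPEN_TIME_S = 5.0   # assumption: "easily opened" means under five seconds
MAX_PRICE_USD = 150.0   # assumption: the post never states a budget

Requirement = tuple[str, Callable[[Safe], bool]]

# One predicate per requirement from the post. The "under stress" and "in the dark"
# items share a measurable proxy: how fast an authorized person opens it in darkness.
REQUIREMENTS: list[Requirement] = [
    ("keeps children's and family members' hands off", lambda s: s.child_resistant),
    ("stored in, on or near a nightstand", lambda s: s.fits_nightstand),
    ("easily opened by authorized people under stress and in the dark",
     lambda s: s.open_time_dark_s <= MAX_OPEN_TIME_S),
    ("not susceptible to power failures", lambda s: not s.needs_power),
    ("not susceptible to being dropped open", lambda s: s.drop_resistant),
    ("not susceptible to being pried open", lambda s: s.pry_resistant),
    ("not opened by something you have", lambda s: s.lock != "key"),
    ("for sale at a reasonable cost", lambda s: s.price_usd <= MAX_PRICE_USD),
    ("opening is not audible to an adversary", lambda s: s.opens_silently),
]

# Explicit non-goal from the post: kept visible so the tradeoff is documented,
# but deliberately absent from REQUIREMENTS so it never counts against a product.
NON_GOALS = ["resists removal of the entire safe by a dedicated thief"]


def failed_requirements(safe: Safe) -> list[str]:
    """Labels of every requirement the safe does not meet, in list order."""
    return [label for label, holds in REQUIREMENTS if not holds(safe)]


def shortlist(safes) -> list[str]:
    """Names of safes that meet every requirement; one failure disqualifies."""
    return [s.name for s in safes if not failed_requirements(s)]


# Constructed sample products; names and numbers are invented for illustration.
SAMPLE_SAFES = {
    s.name: s for s in [
        Safe("KeyBox", "key", True, True, False, True, True, True, 8.0, 60.0),
        Safe("BeepPad", "electronic_pin", True, True, True, True, True, False, 2.0, 120.0),
        Safe("MechDial", "mechanical_combo", True, True, False, True, True, True, 3.0, 140.0),
        Safe("CheapDrop", "mechanical_combo", True, True, False, False, True, True, 3.0, 40.0),
    ]
}

if __name__ == "__main__":
    for safe in SAMPLE_SAFES.values():
        misses = failed_requirements(safe)
        print(f"{safe.name}: {'OK' if not misses else 'fails ' + '; '.join(misses)}")
    print("shortlist:", shortlist(SAMPLE_SAFES.values()))
    print("not scored (non-goals):", NON_GOALS)
```

The point of encoding the requirements this way is that the tradeoff the post describes becomes explicit: the availability requirements (fast opening, no power dependency, no key) and the confidentiality requirements (children, prying, dropping, silence) are all hard constraints, so a product that is excellent on one axis but fails a single item on the other still drops out of the shortlist.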