Simple Step-by-Step Guide to Threat Modeling

One of our most popular white papers was written 2 years ago. It detailed the methodology we at Promenade Software use to threat model the systems we develop. With only minor adjustments, we still use that methodology for our submissions today, under the new FDA guidance.

There are several different modeling techniques available. The Threat Model used at Promenade is an Asset-Oriented Risk Assessment Approach from AAMI TIR57, Principles for Medical Device Security - Risk Management. After reviewing other approaches that were designed for commercial applications or IT systems, we chose this methodology for its direct applicability for medical devices and its clear, systematic approach. This methodology’s strength is in identifying which assets are at the highest risk and need immediate attention, allowing for a prioritized approach to security measures. If used well it provides comprehensive coverage of the system, ensuring that all critical assets are considered, reducing the likelihood of overlooking important components.

Below (Figure 1) is a diagram of the threat modeling and risk assessment process we will discuss.

Threat Modeling Workflow

Step 1. Create Your Asset Inventory

Our first step is to identify the assets of the system. Assets are basically anything with value needed to use the device for its intended purpose and to keep the device operating safely and securely. Examples of assets include patient data, configuration parameters, treatment parameters, the operating system, software image, and stored authentication and cryptographic credentials (passwords, certificates, tokens, and keys). Assets also include physical resources, such as the network, device memory, and I/O. Assets should also include the broader use environment, such as an HDO (Health Delivery Organization) network. We want to make sure a device vulnerability is not used as the attack vector on the HDO network.

Step 2. Assess the Impact

Rate the adverse impact due to compromise of the assets’:

  1. Confidentiality (eg. patient data is exposed)
  2. Integrity (eg. patient data is altered)
  3. Availability (eg. patient data is deleted or inaccessible)

We use a rating score of 1-9 (negligible-critical) for the impact. This value will be part of the risk priority calculation in step 5.

Step 3. Identify the Vulnerabilities

For each Asset, identify the potential Vulnerabilities (source of attack) that could be used to compromise the Asset. Potential vulnerabilities include your communications interfaces, bugs, known vulnerabilities in third party software, users, debug interfaces, tools used in deployment (etc.). Vulnerabilities should be considered in the context of the use environment, the supply chain, deployment process, and maintenance and update activities. For example, if online tools are used for the build, what vulnerabilities could exist there? If the user environment is inherently hostile (eg. hospital networks), assume that an attacker could control the network.

Step 4. Analyze the Threats & Rate the Threat Likelihood

Determine the Threat. Document the scenario by which the asset is compromised and the resultant threat. Then, to rate the threat likelihood, we use a combination of the skill level required of an attacker, and the ease of discovery and exploitation. The threat actor skill level is rated from state actors with almost unlimited resources (1) to actors with limited knowledge who just use what is freely available (9). We rate the Ease of Discovery from practically impossible (1) to automated (9) and Ease of Exploit from theoretical (1) to automated (9). The mean of these values determines the likelihood.

Step 5: Calculate the risk

To calculate risk, we multiply Impact by Threat Likelihood to get a Risk Priority Number (RPN). The tables below (Figures 2 and 3) determine the acceptability of the risk.

Risk Acceptability Criteria
Risk Assessment Chart

This process is used pre- and post-mitigation (after a control is applied) as part of the Risk Assessment.


This asset-oriented threat model can create a structured and effective approach to securing our clients’ critical assets, ensuring a strong and resilient security framework.

Need help? Promenade Software can help you through this and other Cybersecurity regulatory documentation. We provide templates and consulting to guide you through the process.

Need help on this topic?
Contact Us
Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs.  

Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

linkedin logo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485, and CypherMed Cloud is SOC2 Type II certified.