Execution Mode visibility.

The Quality Extension library provides a tool to evaluate the quality of the Threat Model from various perspectives. You need to install this Extension library separately from the Threats Manager Studio (TMS), from Downloads.

This tool is available from the Review ribbon, through the Quality Dashboard button.

The Quality Dashboard tool

The Quality Dashboard button opens a view tool showing an overall evaluation of the situation. This overall evaluation is based on 27 different quality parameters, provided out of the box. Additional Quality Analyzers will be provided in the future and may be included with other Extension libraries. The SDK allows you to create your own Quality Analyzers.

Default Name ObjectsObjects with a default name should be considered a mistake because they do not allow to understand their meaning.
No Name ObjectsObjects with no name should be considered a mistake because they do not allow to understand their meaning.
Same Name ObjectsObjects with the same name make more difficult to understand the model and thus shall be avoided.
Isolated IdentitiesAn Entity cannot be isolated. Add Flows to connect it to other Entities.
Partially Connected Data StoresData Stores should both be used to save and read data. Please check the Flow Type for the incoming Flows.
Data Store as a Source for FlowsData Stores cannot be used as a Source for Flows. This typically points to a missing Process.
Flow between Data StoresFlows between Data Stores must be avoided: a Process between them is in order.
Flow between External InteractorsFlows between External Interactors must be avoided, because they are out of scope.
Diagrams missing Trust BoundariesDiagrams should have Trust Boundaries, but occasionally they may be not necessary.
Flow Missing Trust BoundaryFlows between an External Interactor and a Process or Data Store must cross a Trust Boundary.
Redundant Trust BoundaryNested Trust Boundaries may be redundant and should be avoided.
Equivalent EntitiesEntities are Equivalent if they have the same Threats and Mitigations, and they are associated to equivalent Flows. Equivalent Entities should be avoided because they complicate the Threat Model unnecessarily.
Note: Scenarios are not considered.
LoopsLoops between two Entities should be avoided, but in some situation may be necessary. Consider the possibility to use Flow Type to assign the required semantics.
Too Complex DiagramsDiagrams with too many objects are not easily understood and shall be avoided.
Not in Any DiagramObjects should be present in at least a Diagram.
Diagrams Missing ProcessesDiagrams must have Processes, otherwise they would miss components to process information.
Diagrams Missing External InteractorsDiagrams should have External Interactors, but occasionally they may be not necessary.
Diagrams Missing Data StoresDiagrams should have Data Stores, but occasionally they may be not necessary.
Missing Threat EventsMost Entities and Flows should have at least an associated Threat Event.
Single Threat EventOn average, Entities and Flows should have more than only one associated Threat Event. The analyzer takes in account only the objects with at least a Threat Event.
Missing MitigationsAll Threat Events should have at least an associated Mitigation.
Single MitigationOn average, Threat Events should have more than only one associated Mitigation. The analyzer takes in account only the Threat Events with at least a Mitigation.
Not Enough Control TypesOn average, Threat Events should have associated Mitigations belonging to multiple Control Types. The analyzer takes in account only the Threat Events with more than a Mitigation.
Unchanged SeveritiesThreat Events with one or more Mitigations marked as Existing or Implemented should have an adjusted Severity.
Unbalanced SeveritiesSeverities assigned to Threat Events should be Balanced. The typical percentage for balanced Threat Models, are:
– Critical: 0-15%
– High: 10-30%
– Medium: 20-70%
– Low: 10-50%
– Info: 0-30%
Undefined MitigationsNo Mitigation should be in Undefined Status.
Missing DocumentationOn average, most objects in the Threat Model should be documented. The analyzer does not take in account Threat Type, Threat Events or Mitigations.
The standard Quality Analyzers.

The Quality Dashboard provides the following buttons in its ribbon:

  • Generate PDF Report, to generate a report of the current status as PDF file.
  • Generate Excel Report, to generate a Microsoft Excel XLSX file with the current status.
  • False Positive List, to show the list of False Positives.
    If you open the context menu on most findings in the list provided by the Quality Analyzers, by clicking the right mouse button, you will see the Set False Positive command. If you click it, you will be asked to provide a reason and then to confirm the request to mark the finding as a false positive.
The Set False Positive command.
  • Refresh List allows to recalculate the Quality Dashboard. It is useful after a change to the Threat Model occurs, because the Quality Dashboard does not automatically update with changes to the Threat Model.

Additional capabilities

The Quality Extension Library provides additional features, besides those described here. For more information, please refer to: