The Quality Extension library provides a tool to evaluate the quality of the Threat Model from various perspectives. You need to install this Extension library separately from the Threats Manager Studio (TMS), from Downloads.
This tool is available from the Review ribbon, through the Quality Dashboard button.
The Quality Dashboard button opens a view tool showing an overall evaluation of the situation. This overall evaluation is based on 27 different quality parameters, provided out of the box. Additional Quality Analyzers will be provided in the future and may be included with other Extension libraries. The SDK allows you to create your own Quality Analyzers.
|Default Name Objects||Objects with a default name should be considered a mistake because they do not allow to understand their meaning.|
|No Name Objects||Objects with no name should be considered a mistake because they do not allow to understand their meaning.|
|Same Name Objects||Objects with the same name make more difficult to understand the model and thus shall be avoided.|
|Isolated Identities||An Entity cannot be isolated. Add Flows to connect it to other Entities.|
|Partially Connected Data Stores||Data Stores should both be used to save and read data. Please check the Flow Type for the incoming Flows.|
|Data Store as a Source for Flows||Data Stores cannot be used as a Source for Flows. This typically points to a missing Process.|
|Flow between Data Stores||Flows between Data Stores must be avoided: a Process between them is in order.|
|Flow between External Interactors||Flows between External Interactors must be avoided, because they are out of scope.|
|Diagrams missing Trust Boundaries||Diagrams should have Trust Boundaries, but occasionally they may be not necessary.|
|Flow Missing Trust Boundary||Flows between an External Interactor and a Process or Data Store must cross a Trust Boundary.|
|Redundant Trust Boundary||Nested Trust Boundaries may be redundant and should be avoided.|
|Equivalent Entities||Entities are Equivalent if they have the same Threats and Mitigations, and they are associated to equivalent Flows. Equivalent Entities should be avoided because they complicate the Threat Model unnecessarily. |
Note: Scenarios are not considered.
|Loops||Loops between two Entities should be avoided, but in some situation may be necessary. Consider the possibility to use Flow Type to assign the required semantics.|
|Too Complex Diagrams||Diagrams with too many objects are not easily understood and shall be avoided.|
|Not in Any Diagram||Objects should be present in at least a Diagram.|
|Diagrams Missing Processes||Diagrams must have Processes, otherwise they would miss components to process information.|
|Diagrams Missing External Interactors||Diagrams should have External Interactors, but occasionally they may be not necessary.|
|Diagrams Missing Data Stores||Diagrams should have Data Stores, but occasionally they may be not necessary.|
|Missing Threat Events||Most Entities and Flows should have at least an associated Threat Event.|
|Single Threat Event||On average, Entities and Flows should have more than only one associated Threat Event. The analyzer takes in account only the objects with at least a Threat Event.|
|Missing Mitigations||All Threat Events should have at least an associated Mitigation.|
|Single Mitigation||On average, Threat Events should have more than only one associated Mitigation. The analyzer takes in account only the Threat Events with at least a Mitigation.|
|Not Enough Control Types||On average, Threat Events should have associated Mitigations belonging to multiple Control Types. The analyzer takes in account only the Threat Events with more than a Mitigation.|
|Unchanged Severities||Threat Events with one or more Mitigations marked as Existing or Implemented should have an adjusted Severity.|
|Unbalanced Severities||Severities assigned to Threat Events should be Balanced. The typical percentage for balanced Threat Models, are:|
– Critical: 0-15%
– High: 10-30%
– Medium: 20-70%
– Low: 10-50%
– Info: 0-30%
|Undefined Mitigations||No Mitigation should be in Undefined Status.|
|Missing Documentation||On average, most objects in the Threat Model should be documented. The analyzer does not take in account Threat Type, Threat Events or Mitigations.|
The Quality Dashboard provides the following buttons in its ribbon:
- Generate PDF Report, to generate a report of the current status as PDF file.
- Generate Excel Report, to generate a Microsoft Excel XLSX file with the current status.
- False Positive List, to show the list of False Positives.
If you open the context menu on most findings in the list provided by the Quality Analyzers, by clicking the right mouse button, you will see the Set False Positive command. If you click it, you will be asked to provide a reason and then to confirm the request to mark the finding as a false positive.
- Refresh List allows to recalculate the Quality Dashboard. It is useful after a change to the Threat Model occurs, because the Quality Dashboard does not automatically update with changes to the Threat Model.