Threat modeling: The STRIDE model

Image of someone walking - Destination Certification

Your organization will have many assets, each of which faces a variety of threats. With limited security resources to dispense, you have to be careful about where you allocate them. Ultimately, you want to be able to mitigate the most likely and severe threats. But before you can take steps to limit threats, you have to identify them first.

The STRIDE model was created by Microsoft as a way to systematically identify and categorize threats that could impact its products. The model has since come to be used widely across the industry. STRIDE is an acronym that stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

If we analyze our systems according to the STRIDE model, it can help us to find threats during the design process. We should consider how our systems could be vulnerable in each threat category. This enables us to come up with appropriate controls to mitigate the threats that are likely and could have severe impacts.


Spoofing involves an attacker circumventing authentication measures to impersonate another individual or entity. It can give them unauthorized access to data and systems. One common example is email address spoofing, where an attacker spoofs their email address to make it look like it comes from a legitimate organization, such as the target’s bank.


Tampering is a process that impacts the integrity of data. If there are insufficient protections in place, an attacker may be able to modify data in a way that causes harm. A common example involves an attacker creating malware and presenting it as legitimate software. We often use tools like hashing and digital signatures to verify whether data has been tampered with or if it maintains its integrity.


Repudiation means the ability to deny something, such as denying your responsibility for taking an action or sending a message. As an example, if an internal threat can take down the company website and plausibly deny—repudiate—that they were responsible, then this makes it easy for them to get away with their malicious activity. If a system allows repudiation, it makes it impossible to prove who is guilty of an action. This also means that there is less of a deterrent against malicious activity. If someone thinks they will easily be able to get away with a destructive action, they may be more likely to engage in it.

In security, we often want the property of non-repudiation, which basically means that we don’t want individuals to be able to plausibly deny their actions. Techniques for implementing non-repudiation include digital signatures, as well as not allowing shared user accounts.

Information disclosure

Information disclosure is a breach of confidentiality. There are many different causes of information disclosure, from insecure access controls to forgetting to encrypt an email that contains sensitive information. We use algorithms like the Advanced Encryption Standard (AES) to turn our sensitive data into ciphertext that keeps it protected. As long as the key used to encrypt the data isn’t exposed to unauthorized parties, then the information will remain confidential.

Denial of service

Denial of service (DoS) impacts the availability of a resource or service. DoS can be especially damaging if it impacts a mission-critical system that grinds the business to a halt. Every minute that a major ecommerce site is unavailable could result in the loss of millions of dollars. To maximize availability, organizations often design their systems with failover architecture.

Elevation of privilege

Elevation of privilege allows someone to access resources that they should be prevented from accessing. It involves compromising authorization mechanisms. One example involves an attacker gaining a foothold in an organization, and then slowly working their way up to gain access to privileged resources. We can use design approaches like zero trust architecture (ZTA) to mitigate elevation of privilege.

Going beyond threat identification and categorization

The STRIDE model can be used in conjunction with the DREAD model, another model developed by Microsoft. DREAD can be used to analyze aspects like the potential damage from a threat, how many users it will affect, and how easy a potential attack is to reproduce. By analyzing a threat according to the DREAD model, you will end up with a numerical rating. You can then list all of the threats by this rating and prioritize mitigating threats with the highest number.

Image of the author

Cybersecurity and privacy writer.

Would you like to receive the DestCert Weekly via email?

Your information will remain 100% private. Unsubscribe with 1 click.

Page [tcb_pagination_current_page] of [tcb_pagination_total_pages]