How can Threat Risk Assessments be performed along with Threat Modelling?

I am researching how Threat Risk Assessments can be performed along with Threat Modelling. How can you integrate Threat Modelling (TM) as part of your Risk Assessment (RA) process?

I am especially interested in a NIST/ISO 27k based Threat Risk Assessment that would include threat modelling. It would be great to hear experiences of how traditional vs. agile project scenarios have been addressed. I am counting on the responses of experienced Risk & Security practitioners.

What I have done in my research so far:

  • I have tried playing around with ThreatModeler and the Microsoft Threat Modeling Tool, but they are not Risk Assessment tools. I am interested to know how people have used a risk modelling tool/methodology in their threat risk assessments.
  • From talking to various threat modelling vendors, the feeling I have got is that their products are implemented to be embedded into the CI/CD pipeline of development shops, and are ideally not used for Threat Risk Assessments for different clients/projects, which you would do independently of the other.

What I am looking for:

  • My vision of the benefits of using a Threat Modelling tool in a TRA would be: achieving completeness, or bringing robustness into an assessment, by looking at the various facets of how a threat agent would be able to exploit the vulnerabilities/design weaknesses in the solution/system, rather than just looking at the control families and controls and identifying missing controls in an assessment. You will see the latter in most of the ITRM/GRC/RA tools on the market.

Questions:

  1. Have you integrated Threat Modelling (TM) into your Risk Assessment (RA) process?
  2. If so, how? What tools/methodologies have you used?
  3. Would you please share any lessons learned and provide guidance that would help implement it for multiple clients?