Threat modeling involves systematically assessing the likelihood and potential impact of diverse security threat scenarios. Existing threat modeling approaches and tools act at the level of a software architecture or design (e.g., a data flow diagram), at the level of abstract system elements. These approaches, however, do not allow more in-depth analysis that takes into account concrete
... [Show full abstract] instances and configurations of these elements. This lack of expressiveness—as threats that require articulation at the level of instances cannot be expressed nor managed properly—hinders systematic risk calculation—as risks cannot be expressed and estimated in terms of instance-level properties. In this paper, we present a novel threat modeling approach that supports modeling complex systems at two distinct levels: (i) the design model defines the classes and entity types in the system, and (ii) the instance model specifies concrete instances and their properties. This innovation allows systematically calculating broader risk estimates at the design level, yet also performing more refined analysis in terms of more precise risk values at the instance level. Moreover, the ability to assess instance-level risks serves as an enabler for run-time continuous threat and risk (re-)assessment, and risk-adaptive security in general. We evaluate this approach in a prototype and through simulation of the dynamics of a realistic IoT-based system, a smart traffic application that involves vehicles and other infrastructural elements such as smart traffic lights. In these efforts, we demonstrate the practical feasibility of the approach, and we quantify the performance cost of maintaining a threat model at run-time, taking into account the time to perform risk assessment.