What's This?

This spreadsheet contains the help for the Trike threat modeling spreadsheet,
which you can find at http://www.octotrike.org/tools.shtml#spreadsheet. It was
separated from the Trike spreadsheet to improve the performance of the Trike
spreadsheet. For more information on Trike, see http://www.octotrike.org/.

Trike Version Information

Since Trike is both a methodology and a tool, it has two version numbers. The
methodology version given here is the version the Trike spreadsheet implements,
and the spreadsheet version is the version of the spreadsheet this help describes.
If the system being modeled also has a version number, it will likely appear on
the Overview tab.
Methodology Spreadsheet
1.5 1.5.07

How to Read This Spreadsheet

Tabs before the Help tab are part of the model of the system. Each tab contains a
single table of information about the system. The tab names are a table of
contents
Given thefor the model.
number of tabs, you can see that this spreadsheet contains an
enormous amount of information about the system and its security.
Consequently, most readers will only be interested in a subset of the spreadsheet.
But which
Look for thesubset?
question you'd like to answer in the "You Want to Know" column, or
select your role in the "You Are" column to see only the questions you are likely to
find interesting. Pure security questions are highlighted; the others are questions
about the system in general that happen to have security implications.
As you review the tabs you select, you will likely have additional questions about
how to interpret the data. Scroll below this table of questions to find extensive
documentation on formatting conventions and the meaning of each tab.
You Are You Want to Know Look Here
Requirements At a very high level, Intended Actions tab
Architect what is the system
Developer supposed to do?
QA
Operations
Requirements What shouldn't the Security Objectives tab
Architect system allow?
Developer
QA
Operations
Security analyst
Architect What is part of the Actors tab: select Type = Component
Developer system? Process
QA
Operations
Security analyst
Architect How do the parts Connections tab, right of the thick line
Developer connect?
QA
Operations
Security analyst
Requirements Who is supposed to Actors tab: select Favored User? =
Architect interact with the TRUE
QA system?
Operations
Business owner or Who are the attackers Actors tab: select Attacker? = TRUE
Requirements and what can they do?
Architect
Developer
QA
Operations
Security analyst
Architect What external Actors tab: select Used by System? =
QA resources does the TRUE
Operations system rely on? Data Model tab
Security analyst
Architect How does the system Use Cases tab, left of the thick dashed
Developer do what it's supposed line
QA to do?
Security analyst
Business owner or What could possibly go Threats tab
Architect wrong? Use Cases tab, right of the thick
Developer dashed line and left of the thick solid
QA line
Security analyst
Architect What security Use Cases tab, right of the rightmost
Developer protections are in thick line
QA place, and why?
Operations
Security analyst
Business owner or Can an attacker violate Use Cases tab: select Attacker
QA the security objectives? Influenced? = TRUE
Security analyst
Business owner or What other security Use Cases tab: select Mitigate? = TRUE
Architect issues need to be
Developer mitigated?
Operations
Developer What code should I Use Cases tab: select Mitigate? = TRUE
Security analyst review for security
QA issues?
What security tests Use Cases tab: select Mitigate? = TRUE
Security analyst should I write? Use Cases tab, rows with white cells in
Attacker Influenced?
Security Objectives tab

Formatting Conventions
This spreadsheet relies on formatting to convey a considerable amount of
information. In general,
- Color is meaningful. The typical meaning of colors that are used over and over
again is described next; the meaning of colors that appear on only one tab is
defined in the section on how to interpret that tab.
 - Light yellow cells are cells we recommend most people fill out.
- Light yellow cells with dots in them are cells some, but not all, people find
helpful to fill out.
- Red cells usually highlight a risky setting or decision. The exception is the
Intended Actions tab, where red cells indicate a user should not be able to take
an action.
- Black cells are usually the equivalent of a checked box that is not particularly
- White cells are usually the equivalent of an unchecked box that is not
- Greyed-out cells are not applicable.
- Comments on the column headers (in the FUTURE) briefly describe the meaning
of each column. Full descriptions of each column appear in the section on how to
interpret that tab, below.
- Tables with a Name column (e.g. Actors and Data Model) are defining things
that will be used elsewhere in The model.
- Narrow columns tend to contain binary flags, especially if the column header
ends in a question mark.
- A heavy vertical border separates columns that contain supplemental
information from the main table.
- A row in which Name has been whited out and its upper border is missing (i.e. it
looks merged) contains more information for the previous row. For example, the
following table defines two items. "Cat in the Hat" has two assistants, "Sally" has
only
Name one. Assistant
Cat in the Hat Thing One
Cat in the Hat Thing Two
Sally Fish
- A dashed line separates independent lists that apply to columns that look
merged. For example, in the following plan for a day in the Truffula forest, there
is no direct relationship between "Build prototype" and the Once-ler's 1pm
appointment with the Lorax. The only relationship between them is the Once-ler
himself. Appointment
Name Task When Who
Once-ler Build prototype 1pm Lorax
Once-ler Site factory
Lorax Listen to Swomee 10am Bar-ba-Loots
Once-ler 1pm Once-ler

Per Tab Reading Instructions

Here are the details of how to read each tab, in left to right order.

Overview
This tab contains general metadata about the system being modeled.
Column What's This? What This Affects
System Name The system name is a short string, N/A
including a system version number,
that identifies the system being
Description modeled.
The system description is usually an N/A
overview of the system's purpose,
users, and functionality.

Actors
This tab contains a summary of both the system components and the system's
immediate neighbors, including their privileges and (in the FUTURE) technology
stacks.
Column What's This? What This Affects
Name Name is a unique (among actors in this Favored user names
system) name for this actor. It should are copied (in order) to
be copied to every row on this tab that column headers on the
is about this same actor (where it will Intended Actions tab.
be whited out to look like a merged
cell). All rows with the same name
Type should be adjacent.
Type indicates what kind of actor this Actor type affects
is. Types must be defined on the Actor which actor flags and
Type Reference tab; you can find privileges columns are
information about each type there. greyed out, and (in the
FUTURE) which actions
apply to this actor
when privileges are
constructed; for the
latter, see the Actor
Type Reference tab.
Description Description defines this actor. To avoid N/A
confusion, it should contain enough
information for all stakeholders to
understand which actor is meant. For
a consistent model, all stakeholders
must agree on a single set of actors
(modulo variants; see Applicability
below).
Favored User? A user is a person (or occasionally, Favored user names
another system) who uses this system are copied (in
to perform tasks. A favored user is a alphabetical order) to
user this system deliberately intends to column headers on the
support. In practice, typically this Intended Actions tab.
means that this actor is a user role. Also affects which actor
Other kinds of users include disfavored flags and privileges
users (pure attackers), which the columns are greyed
system deliberately intends NOT to out.
support, and ignored users, who are
welcome to use the system as long as
they squeeze themselves into a
favored user role.
Authenticated? Does the system authenticate this If this actor is not (or
actor in any way? might not be)
authenticated, it is
automatically
considered to be an
attacker. Also, if an
unauthenticated
favored user is always
allowed to take an
action on the Intended
Actions tab, there will
be no elevation of
privilege threat for that
action, since the
system already intends
to let an
Attacker? Could this actor be an attacker? An unauthenticated
Attackers appearactor
in the
actor could be both a favored user (for Attacker
do this. drop-down on
tasks they are supposed to be able to the Security Objectives
do) and an attacker (for tasks that tab.
violate business rules or should require
Uses System? a
If more privileged
the favored userrole).
flag is FALSE and Affects whether the
this flag is TRUE, this actor is an authenticated column
ignored user. Ignored users should be is greyed out, and also
evaluated to determine whether they which privileges
could be attackers. columns are greyed
out.
Used by For an execution environment, whether For execution
System? any code that is part of this system environments, affects
runs here. whether the shared
For an external interactor, whether the and shared resources
system relies on/calls/uses this actor to flags are greyed out,
perform any tasks. and also which
All component processes are privileges columns are
automatically considered to be used by greyed out.
Shared? For
the an execution environment that
system. If this system runs
executes this system's code, whether code in a shared
any code that is NOT part of this execution environment,
system also runs here. bugs in that code could
affect other systems in
the shared
environment. The
Threats tab will include
threats to this effect,
so that stakeholders
can prioritize these
social responsibility
threats.
Shared For an execution environment, whether If this system runs
Resources? resources that belong to, or are also code in an execution
used by, another system are accessible environment that has
from this execution environment. access to other
systems' resources,
bugs in that code could
affect other systems in
the shared
environment. The
Threats tab will include
threats to this effect,
so that stakeholders
can prioritize these
Applicability Some systems have multiple variants, social
N/A responsibility
for example multiple usage models that threats.
have different favored users or
deployment environments, or multiple
possible architectures. Rather than
creating two separate threat models,
you may want to store these variants
together. These columns are for
naming the variants, and checking
which components and favored users
apply in each case. If you have only
one variant to model, we'd recommend
hiding the Applicability columns on all
the tabs on which they appear.
Privileges These columns constitute the These columns define
component privileges table, which parts of the privilege
describes the privileges associated with graph we (in the
this actor. Privileges are always of the FUTURE) analyze to
form action object [condition], e.g. find security flaws in
"Create Blog Entry on their own Blog". the static system
Privileges exist because data or an architecture.
execution environment exists, or They are also used as
because an actor provides (and inputs to the
therefore defines) them. component privilege
There is always one privilege per table heuristics (in the
column per row. If more than one FUTURE).
privilege is associated with an actor in
a given way, copy the whole row for
that actor and paste or insert it in an
adjacent row. Then, clear the contents
of the Description column in the 2nd
and following row for that actor, and
insert each privilege for that actor on a
separate row.
Has When it is not greyed out, this column Affects which privileges
contains the list of privileges this actor appear on the Uses
already has before it uses any other drop-down menu (in
system or component. the FUTURE).
For an actor that uses this system, this
list usually contains some privileges
that give it the ability to talk to this
system (e.g. Create an HTTP
Connection to the Blog Web Host, in
the FUTURE this will likely be implied
by the Connections tab) and some
privileges that give it the ability to
authenticate to this system (e.g. Read
User's Credentials).
For a component process, this list
usually contains eXecute Arbitrary
Code in some appropriate execution
environment.
For an attacker, this column includes
Provides the
When attacker's
they arestarting privileges
not greyed before
out, these In addition to the uses
he launches an attack.
columns contain the list of privileges mentioned for all the
this actor implements (and typically, Privileges columns, this
provides to other actors). For column is used to
example, if an actor uses the DNS define new privileges
Server to look up an IP address, the which (in the FUTURE)
DNS Server must provide a privilege appear in the drop-
like Read IP Address associated with down menus in other
Domain Name. Privileges columns.
Every privilege that an actor provides
is associated with some other
privileges, which it revokes, uses, or
requires in order to provide this
privilege. Since the actor may e.g.
require several privileges in order to
provide this one privilege, see the Help
for the Privileges column to copy this
row and store only one required
Action privilege
The verb per row, duplicating
(Create, Read, Update,the
providedeXecute,
Delete, privilege.
or conFigure) portion
of the privilege this actor is providing.
For example, in Read IP Address
associated with Domain Name, the
action is Read.

Object The object manipulated by the privilege

this actor is providing. For example, in
Read IP Address associated with
Domain Name, the object is IP
Address.
Objects are defined in the Data Model
tab.
Condition An optional condition that restricts the
privilege being provided. For
example, in Read IP Address
associated with Domain Name the
condition is associated with Domain
Name.
There should be only one unique
condition per provided privilege, and it
should be duplicated identically in
every row that describes how this actor
implements this privilege (see the Help
for the Privileges column). To make
this possible, the condition can be an
Revokes Sometimes, an actor
arbitrary Boolean revokes one
clause.
privilege as part of providing another.
E.g. sudo is setuid root, but it revokes
its root privileges before allowing a
user to run a particular command as
some other user, as defined in the
sudoers config file.
Use of this column is rare.
Uses An actor must use privileges to
implement the privileges being
provided. E.g. to implement Create
Blog Entry on their own Blog, the actor
must use privileges like (depending on
the implementation) Create Blog Entry,
Read Blog User Table, Update Blog
Entry Table, and/or Update Blog
Database.
An actor can only use privileges it has
Requires To enforce access controls (if there are
or requires. Affects which privileges
any), the actor must require its caller appear on the Uses
to have certain privileges before it will drop-down menu (in
grant access. These privileges appear the FUTURE).
in the requires column.
For example, the Entry Submission
Page would require Read User's
Credentials (which was a privilege one
of our favored users has) before it
would provide Create Blog Entry.

Data Model
This tab contains a summary of data exchanged with or manipulated by the
Column What's This? What This Affects
Name Name is a unique (among data in this Asset names are
system) name for this data. copied (in order) to
row headers on the
Intended Actions tab.
 Type Type indicates what kind of data this is. Data type affects which
Types must be defined on the Data data flags and
Type Reference tab; you can find privileges columns are
information about each type there. greyed out, and which
actions apply to this
data on the Intended
Actions tab and (in the
FUTURE) when
privileges are
Description Description defines this data. To avoid N/A
constructed.
confusion, it should contain enough
information for all stakeholders to
understand which data is meant. For a
consistent model, all stakeholders must
agree on a single data model (modulo
variants; see Applicability below).
Asset? Whether this piece of data is so Asset names are
inherent in the system that business copied (in order) to
stakeholders cannot discuss the row headers on the
purpose of the system without Intended Actions tab.
mentioning this data.
Shared? For a non-asset portion of the data If this system shares
model, whether the data belongs to or
data with another
is also used by another system. system, bugs in this
system could affect the
other system. The
Threats tab will include
threats to this effect,
so that stakeholders
can prioritize these
social responsibility
Transient? Some portions of the data model are If data is transient,
threats.
used briefly during computation or elevation of privilege
communication, and then immediately threats that affect
deleted. This data is considered persistent storage (i.e.
transient. update and delete) will
not be meaningful.
Applicability Same as for the Actors tab, except that N/A
names of variants are pulled from the
Actors tab rather than defined
separately here.
Intended Actions
This tab contains a summary of the system's business logic / functional
requirements, i.e. the new privileges the system is giving to favored users. It is
essentially an access
- Each column shows control matrix. a single favored user could take on the
all the actions
system's data assets.
- Each row shows all the actions anyone could take on a single data asset.
- At the intersection of an actor and an asset, there is a 6-cell grid showing
specific actions that this actor could take on this asset.
- The 6 atomic actions are Create, Read, Update, Delete, conFigure, and
eXecute. There is a key in the upper left of the tab to show how these actions
map to the 6-cell grid.
- The color of each cell represents whether this actor should be allowed to take
this action on this asset:
This action does not apply to this asset, based on the asset's type in the Data
(Never) The system should never let this actor take this action on this asset.
(Conditionally) The system should let this actor take this action on this asset
when certain conditions (typically documented in the cell comment) are met.
(Always) The system should always let this actor take this action on this asset.
Example:
C R X Actor
U D F Author Editor Reader
Blog er er ys er
Asset

er er er er er er
Blog Post er er
er er
- Authors are allowed to:
- Create their own Blog Posts in Blogs an Editor has invited them to post in
- Read Blog Posts in Blogs an Editor has invited them to post in
- Update their own Blog Posts
- Delete their own Blog Posts
- Editors are allowed to:
- Create Blogs
- Read, update, and delete their own Blogs
- Configure (in this case, invite Authors and authorize Reader subscriptions)
their own Blogs
- Read and delete Blog Posts to their own Blogs
- Update Blog Posts to their own Blogs, to mark them published
- Readers are allowed to:
- Read Blogs and published Blog Posts to which they have subscribed

Connections
This tab contains a summary of the connections (physical or logical) between the
actors, including the protocol stacks.
Column What's This? What This Affects
Name Name is a unique (among connections N/A
in this system) name for this
connection.

Description Description defines this connection. To N/A

avoid confusion, it should contain
enough information for all stakeholders
to understand which connection is
meant. For a consistent model, all
stakeholders must agree on a single
model of the connections in the system
(modulo variants; see Applicability
below).
Shared? Whether the connection is also used by If this system shares a
traffic that is not part of this system. connection with
another system,
In most cases, connections near the portions of the systems
top of the stack are dedicated (not are exposed to one
shared). At lower OSI levels, it is more another, and (if
likely that connections are shared. components from two
different systems share
privileges that are
required to access
other privileges) may
have access to each
other's exposed
subsystems. In this
case, it is likely this
system's responsibility
to ensure that it cannot
be used to
communicate with
another system using a
shared connection.
The Threats tab will
include threats to this
effect, so that
stakeholders can
Applicability Same as for the Actors tab, except that N/A
prioritize these social
names of variants are pulled from the
responsibility threats.
Actors tab rather than defined
From separately here.
The actor that initiates this connection. This actor has
(FUTURE) a
corresponding privilege
To The actor that accepts this connection. to initiate
This actor this
must provide
connection.
some privileges that
This version of Trike cannot model require this connection.
multi-cast network traffic. That is,
there can be only one actor listed in
the To column for a given connection.
OSI Layer The next two columns describe the N/A
named layer from the OSI model.

OSI layers are usually described from

top to bottom. See Network Layer
Reference for a description of each
layer.
Traverses At the given OSI layer, this connection Each endpoint has
traverses the named connection. (FUTURE)
There can be more than one corresponding
connection traversed at a given layer. privileges to initiate,
Usually, this means they are traversed send and receive traffic
consecutively, but it may mean the two on this connection.
underlying links are mutually exclusive This enables (FUTURE)
alternatives. attack chaining to
comprehend the
consequences of
Protocol The name of the protocol spoken on N/A
network injection
this OSI layer of this connection. attacks.

Protocols
This tab defines the protocols that are used on the connections tab.
Name Name is a unique (among protocols in This name appears on
this system) name for this protocol. the Protocols drop-
down menu on the
Description Description describes this protocol and Connections
N/A tab.
at least alludes to its known security
properties. Ideally, it would contain a
reference to the protocol specification.
Encrypted? Whether this protocol is encrypted. This information is
combined with the
specific layers in the
Connections tab to
determine what data
flows over unencrypted
connections (FUTURE).
Threats
This tab contains a summary of actions that violate the system's business rules,
at the same level of abstraction as the intended actions.
- Each column represents a type of threat: elevation of privilege, in which an
attacker takes an action that is not intended by the system business rules, and
denial of service, in which an attacker uses the system to prevent a legitimate
user from taking an action the business rules allow.
- Each row shows all the requirements level threats against a particular object
that features in the system requirements. These objects can be assets of this
system or resources shared with other systems.
- At the intersection of a type of threat and a requirements-relevant object, there
is a 6-cell grid showing specific threats that are meaningful for an attacker to
attempt against this object
- The 6 atomic actions are Create, Read, Update, Delete, conFigure, and
eXecute. There is a key in the upper left of the tab to show how these actions
map to the 6-cell grid.
- The color of each cell represents the direct business impact if an attacker
This threat is not meaningful for this object, based on the object's type or the
successfully performs the given threat on this asset:
(High) The direct business effects of this threat, should an attacker manage to
reach it, have immediate, high-value, negative consequences for the
Highorganization. The system should definitely defend against this threat.
 (Medium) The direct business effects of this threat, should an attacker manage
Med to reach it, have negative consequences for the organization.
Low (Low) The direct business effects of this threat are negligible.

Example:
C R X Threat
U D F Elevation of Privilege Denial of Service
Blog Low High Low Medium
Asset

High High Medium Medium Low High

Blog Post High High Low Medium

High High Medium Medium

User's
Process

High Medium
Shared

Browser Low Low

Web Server High High

High Medium

Other
Resources

Application
Others'

s' Data on Medium Low Low Low

Web Server

Medium Medium Low Low Low Low

A few highlights:
- The Shared Process, Others' Resources, and similar entries you may see in an
actual threat model correspond to items marked Shared on other tabs
- You can't execute data, so there are no execute threats for Blog, Blog Post, or
Other Applications' Data on Web Server
- You can only configure data containers, hardware, and execution
environments, so there are no configure threats for Blog Post or Other
Applications' Data on Web Server
- For applications such as a blog that are not directly producing revenue for a
company, it is typical for denial of service threats to have a lower business impact
than elevation of privilege threats, but revenue-producing applications typically
find denial of service for purchases to be very high impact
- When the application being modeled has higher business value than other
applications and data in the same environments, the business impact of the
threats against shared items is lower than threats to the application itself, as
shown
Security Objectives
This tab contains the system's ultimate security goals, i.e. the threats and
attackers the system intends to address.
Column What's This? What This Affects
# The security objective number is a This is used to name
unique (among objectives for this each security objective
system) identifier for this security column header on the
objective. By convention, it usually Use Case Details tab.
Initial starts with SO.
This optional column describes the This manually affects
Configuration initial configuration the system must be whether an attacker
in, for the protection and response could achieve a
listed in this objective to occur. security objective in
the Use Case Details
Attackers These are the attackers the system
tab.
should protect against. They are
selected from the attackers named in
the Actors tab.
Prohibited These are the manually selected, This manually affects
Threats requirements-level threats from the whether a variation
Threats tab that the system commits to would help an attacker
defending against. Usually, these are achieve a security
the threats with high business impact. objective in the Use
Case Details tab.
Intended This is the response the system should This manually affects
Response exhibit instead of allowing this attack. whether you need
logging and which
mitigations are
Applicability Same as for the Actors tab, except that selected.
N/A
names of variants are pulled from the
Actors tab rather than defined
Complete separately here. the contents of the
Since interpreting This is manually
Security security objective table can be summarized in the
Objective complicated, particularly, for new comment on each
readers, this column summarizes the security objective
entire security objectlve in sentence column header on the
form. It is constructed from the Use Case Details tab.
preceding columns using this sentence:

When the initial configuration holds,

the system shall not allow attackers to
take the prohibited actions. If such an
attack is attempted, the system shall
response instead.

Use Case Index

This tab contains a summary of how the system implements the intended actions.
Column What's This? What This Affects
# The use case number is a unique This sets the possible
(among use cases for this system) values for the Use Case
identifier for this use case. By # column on the Use
convention, it usually starts with UC. Case Details tab.
Name Name is a unique (among uses cases in N/A
this system) name for this use case.

Description Description defines this use case. To N/A

avoid confusion, it should contain
enough information for all stakeholders
to understand the boundaries of the
Pre-Conditions use
These case.
pre-conditions must be met for This manually affects
for Success this use case to be successful. For links between use
example, usually one would split login cases in the Next Step
into a separate use case and then put column, Choices, and
'User is logged in' in the pre-conditions Conditions on the Use
for all use cases that should only occur Case Details tab.
for an authenticated user. By
convention, different conditions usually
appear on separate lines in the same
ceil.
Post-Conditions If this use case is successful, these This manually affects
on Success post-conditions will be true afterwards. steps and conditions on
For example, a successful login use the Use Case Details
case would result in a 'User is logged tab, as well as which
in' post-condition. By convention, variations would help
different conditions usually appear on an attacker and which
separate lines in the same ceil. an attacker can
Applicability Same as for the Actors tab, except that N/A
achieve.
names of variants are pulled from the
Actors tab rather than defined
separately here.
Use Case Details
This tab contains detailed steps describing how the system implements use cases
that are likely to affect the threats in the security objectives, as well as HAZOP
analysis.
Column What's This? What This Affects
Columns to the left of the thick dashed line describe the steps the system uses to
implement the use case.
Use Case # This use case number refers to a use This sets the possible
case from the Use Case Index tab. values for the Next
Step # Taken with the use case number, this Step column.
step number is a unique identifier for
this step. By convention, it is usually
Choice numeric.
This is a condition associated with this This is the step that is
step. Usually conditions listed here are varied during HAZOP
conditions that must be met before the analysis of this row.
action can occur. For purposes of HAZOP
analysis, choices
constitute additional
conditions.

Path When multiple choices lead to a

particular step, they are constitute a
path, and are listed in separate
columns to clarify the control flow of
steps. When there are multiple
conditions, all apply. There is a limit of
five choices in a path; use cases that
require greater depth are split into
multiple use cases.
Step The step is what the system does in
this step, given this path through
Actor relevant variables.
This is the actor who performs or
initiates this step.
Action This is what the actor in this step does
to the object.
Object This is the object manipulated in this
step.
Condition This is a condition associated with this
step. Usually conditions listed here are
invariants the system will preserve, or
qualifiers on an action, rather than
conditions that must be met before the
action can occur. Multiple conditions
are listed on separate rows to clarify
HAZOP analysis of conditions. When
there are multiple conditions, all apply.
Next Step This is the step that will occur next N/A
when all the conditions in this step are
met. Most next steps are inside the
Terminal? same use case.
This Boolean indicates whether this N/A
step is the last step in the use case. If
the step is terminal, it cannot have a
next step and vice versa.
Columns between the thick dashed line and the first thick solid line are classic
HAZOP analysis, in the sense that they list meaningful variations on this step.
You can refer to this section to follow analysts' thought processes when they
considered what else might happen during this step.
Varied Element This field indicates which part of the These fields are used
step is being varied. to look up Guide Word
Guide Word This field indicates how the step is Meaning.
being varied.
Guide Word This is a generic, automatically This manually
Meaning calculated version of what it means to determines the
vary this Varied Element of this Step contents of Variation.
using this Guide Word. This column
Variation may beStep-specific
This is hidden. version of Guide N/A
Word Meaning. It is the variation that
is analyzed in the next section.
Columns between the thick solid lines contain security analysis, design flaws, and
Security Whether, if the attackers listed in this This controls whether
Objectives security objective succeeded in causing analysis continues to
Variation Would this variation, it would help them Attacker Influenced?.
Help Attacker achieve this security objective. There
Achieve is a separate column for each security
objective from the Security Objectives
Rationale for tab.
The rationale for specific values in N/A
Variation's Security Objectives Variation Would
Helpfulness to Help Attacker Achieve. Each rationale
Attacker should be tested.
Attacker Whether the attackers listed in this This controls whether
Influenced? security objective can influence analysis continues to
whether this variation occurs. Issue Criticality and
Rationale for The rationale for Attacker Influenced?. Mitigate?.
N/A
Attacker Each rationale should be tested.
Influence
Issue Criticality How critical it is to mitigate this This manually
variation, based on the security influences Mitigate?.
analysis in this section and the
business impact given on the Threats
tab.
Columns to the right of the rightmost thick solid line describe mitigations and test
Mitigate? This Boolean indicates whether the N/A
variation will be mitigated.
Mitigation A description of the suggested or N/A
planned mitigation. Each mitigation
Mitigation should tracking
Status be tested.
for the given N/A
Complete? mitigation.

Document Index
This optional tab contains a list of documents from which the information in this
model was derived. It can be used to determine later whether a given document
was consulted, and if so, what portions of it were used.
Column What's This? What This Affects
Information The type of information collected, or to N/A
be collected, from this document.
URL or File An identifier for this document, to help N/A
Name locate it.
Document Description describes the purpose and N/A
Description contents of this document. To help
find information again later, it may
contain specific section references for
Reviewed? pertinent information.
Whether this document was reviewed N/A
or otherwise used during the
construction of the model.

Development Team
This optional tab contains a list of individuals who could be or have been
consulted about this model.
Column What's This? What This Affects
Name The name of a person who knows N/A
something about the system, the
threat model, or a relevant project.
Role The role of this individual. Can be a N/A
job title, but usually the connotation is
the role of this individual in relation to
the system being modeled.
Organization The organization this individual is N/A
associated with. May be a company or
a specific department.
Email This individual's email address, in case N/A
readers have questions.
Phone This individual's telephone number, in N/A
case readers have questions.
Consulted? Whether this individual was interviewed N/A
or otherwise contacted during the
construction of the model.

Tabs after the Help tab are part of Trike. They define terms and settings that are
used in the model.

How to Use
- In general, start at the leftmost tab or column and move right.
- Leave greyed out squares empty. This includes removing the contents if a cell
becomes greyed out again in the future.
INCOMPLETE -- More coming soon.

Behind the Scenes: Care and Feeding

- If you need to extend the spreadsheet because you have more Data to analyze,
do so by copying and INSERTING (not pasting) entire rows or columns
somewhere in the middle of the formatted cells. This will ensure that you copy
and do not overwrite all the hidden formulas you need for more magic, and that
-formulas extend
Likewise, if youto cover
need to the newthe
change formatted
order ofrange.
data in the spreadsheet, cut entire
rows on the tab that defines this type of data, then INSERT the cut cells
somewhere in the middle of the formatted cells. Cutting & inserting entire
columns may or may not work, depending on context. It is more likely to work if
the hidden rows at the top of the columns in question are blank.
- Unfortunately, values stored in the intersections of the Intended Actions and
Threats tabs are not actually linked with the actors and assets they concern. The
actors and assets on these tabs are alphabetized. So, if you add or remove
assets, or rename them such that their sort order changes, the values you had
already set in the intersections are still in their old locations, i.e. the values are
now set for the wrong objects. To fix, copy entire intersections (sets of 6 cells)
from their old locations and PASTE them in the new ones. Then clear contents in
the old locations (or paste over other values).
- The data and logic that comprises the Trike threat modeling engine is distributed
throughout the spreadsheet, in the following places:
- Tabs following this Help tab
- Defined names
- Formulas in hidden cells
- The presentation layer, such as it is, is also distributed throughout the
spreadsheet, in the following places:
- Formulas in hidden cells
- Conditional formatting on cells users fill out
- Custom views
- The cells that have been hidden and greyed out using diagonal lines contain
formulas that are frequently very brittle. You are welcome to edit them, but be
aware that there are many dependencies between sheets and non-obvious things
may
- Duebreak.
to the sheer number of formulas in this spreadsheet, the highly interrelated
data being modeled, and the complexity of developing a user interface in a
spreadsheet program, it is easy to introduce performance problems. When
making changes, please refer to http://msdn.microsoft.com/en-
us/library/ff700515.aspx and the Excel speed pages at
http://www.decisionmodels.com/optspeed.htm.
Known Issues
- If you insert a new favored user or asset in the middle of the list, the Intended
Actions tab will update the names on the rows and columns, but not move your
data.
- If you make changes that change the threats, the Threats tab will update the
names on the rows, but not move your data.
- See also Care & Feeding, above, and Compatibility, below.

Compatibility
Compatibility issues are bad. Let the Trike team know when you find issues, and
we can work together to get them fixed.
Engine OS Notes
Excel 2008 Mac OS X - Original main development platform
- Extensive testing by readers and
analysts before last round of major
changes
Excel 2011 Mac OS X -- Recent
Used tomain
workdevelopment
slowly but effectively
platform
- Extensive testing by readers and
analysts
- Works slowly but effectively
- Will receive the best support in the
Excel 2007 Windows XP - Slight testing by readers before last
future
Tablet round of major changes
- Sometimes looks lousy (especially
colors)
Excel 2010 Windows XP -- Used
Slightto work slowly
testing but effectively
by readers and analysts
Tablet - Sometimes looks lousy (especially
colors)
OpenOffice -- Seems to work
Slight testing slowly
and but effectively
research by the Trike
team
- Known NOT to work due to severe
formula incompatibility
- Support is unlikely as active
development has moved to the
standalone v2 application, but if you want
to volunteer to maintain an OpenOffice
version, contact the Trike team
Planned Features
- Comments on column headers.
- Technology stack information for components.
- Privilege construction.
- Threat generation based on privileges, including connection and component
- Attack chaining (but probably not via formulas)
Licensing
The following license applies to the Trike engine as coded into the formulas in this
spreadsheet.
Copyright (c) 2010-2012 Brenda Larcom

Permission is hereby granted, free of charge, to any person obtaining a copy of this
software and associated documentation files (the "Software"), to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to permit
persons to whom the Software is furnished to do so, subject to the following
conditions:

The above copyright notice and this permission notice shall be included in all copies or
substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Change Log
Spreadsheet
Version Tab
1.5.04 All

1.5.04 Actors

1.5.04 Data Model

1.5.04 Connections
1.5.04 Threats

1.5.04 Security
Objectives

1.5.04 Use Case Index

1.5.04 Use Case Details

1.5.04 Document Index

1.5.04 Help

1.5.05 Intended Actions

1.5.05 Threats

1.5.05 Security
1.5.05 Help
1.5.06 Actors
1.5.06 Protocols
1.5.07 Intended Actions
1.5.07 Document Index
1.5.07 Development
1.5.07 Connections
1.5.07 Security
Objectives
Changes
- Heavy refactoring and performance improvements for formatting and automatically
calculated cells
- Reordered tabs to put purely recordkeeping tabs (Document Index and Development
Team) after
- Stopped other modelactor
alphabetizing tabs names in drop-down menus and the intended actions grid
- Fixed some obscure formatting bugs
- Stopped alphabetizing asset and other data model names in drop-down menus and the
intended actions grid
- Fixed some obscure formatting bugs
- Fixed formatting bugs
- Fixed bugs in threat generation
- Fixed formatting bugs
- Automatic construction of sentence versions of security objectives from the table
- Changed conditional formatting of horizontal lines and yellow cells to clarify which rows
are part of each security objective
- Fixed some obscure formatting bugs
- Fixed some obscure formatting bugs
- Replaced mitigation priority with issue criticality
- Moved Terminal? column to the right of the step itself
- Added a Next Step column to allow control flow
- Added a Reviewed? column to track project status
- Answered a bunch of user questions
- Populated the list of known issues
- Added a change log and future feature plans
- Heavy refactoring and performance improvements for formatting and automatically
- Fixed bugs in threat generation surrounding anonymous actors
- More accurate threat generation for transient assets
- Repopulated Attacker dropdown menu
- Split help tab into this entirely separate help spreadsheet
- Changed formatting to request "Has" privileges for anything authenticated
- Fixed formatting bug in which newly defined protocols appeared to be encrypted
- Fixed bug in which transient assets had valid update actions rather than valid read actions
- Fixed formatting of Reviewed? column
- Fixed formatting of all columns
- Fixed formatting of Shared? column
- You can now aggregate several security objectives into a single related group for use on
the Use Case Details tab, by using a period in the # column and the same prefix before the
period. E.g. Privacy.1 and Privacy.2 would appear as a single Privacy objective on the Use
Case Details tab.
!
!
!