Somewhat very akin to the conventional "use case" structure that many are familar with, and borrowing the power of a conversational narrative from Agile methods, and sundry psychology systems, Daniel Miessler posits a threat model framework which he says is a target for for policy makers, but I say it's a target for any PMO working in software services. You can read it here.
In his framework, Miessler has these components:
- The ACTOR, which can be an individual, an enterprise, or a system
- The TECHNIQUE, which is the method or process, like hacking, will cause harm.
- The HARM, which is the functional outcome of the harm, like 'misinformation'.
- The IMPACT, which is what happens when the 'harm' reaches its target. One example might be financial loss.
As PMs we're familair with frameworks and how to apply them. Miessler writes that the objective of his framework is to talk about the AI threat in a converational way that will draw in policymakers. He says this:
What I propose here is that we find a way to speak about these problems in a clear, conversational way.Threat Modeling is a great way to do this. It’s a way of taking many different attacks, and possibilities, and possible negative outcomes, and turning them into clear language that people understand.
Like this blog? You'll like my books also! Buy them at any online book retailer!
