
CISSP Study Plan – Day 32 of 55 | Threat Modeling

Updated: 1 day ago


“Highlighting and note taking — your secret resource for the exam and THE best way to maintain subject matter retention.” – Luke Ahmed


Today is Day 32 of Yihenew’s CISSP study plan, focusing on Threat Modeling — the art of predicting, identifying, and reducing potential threats before they happen.

Threat modeling is where technical knowledge meets foresight. You’re not reacting to incidents — you’re designing systems with security built in from the start.


Key Areas Covered in This CISSP Study Plan

  • Purpose of Threat Modeling — To identify, classify, and prioritize potential threats and vulnerabilities to assets, based on their value and likelihood of attack.

  • When to Perform It — During the design phase of a project or system, before deployment. It’s proactive, not reactive.

  • Common Methodologies:

    • STRIDE – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege

    • PASTA – Process for Attack Simulation and Threat Analysis

    • DREAD – Damage potential, Reproducibility, Exploitability, Affected users, Discoverability

  • Outcome — A structured list of potential threats and mitigation plans that directly guide security design and control selection.
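The "structured list" outcome can be sketched in a few lines of Python. This is an added example, not part of the original study plan: it classifies each threat with STRIDE, ranks it with DREAD, and emits a prioritized register. The 1 to 10 scale averaged over the five factors is an assumed scoring convention, and the sample threats, the `Threat` class and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

# STRIDE category -> security property that the threat violates
STRIDE = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    element: str      # design element the threat applies to
    description: str
    stride: str       # classification: exactly one STRIDE category
    dread: dict       # prioritization: factor -> score, 1..10 (assumed scale)
    mitigation: str

    def __post_init__(self):
        # Reject entries a review could not act on: bad category or partial scoring
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        if set(self.dread) != set(DREAD):
            raise ValueError("DREAD needs exactly the five factors")
        if not all(1 <= v <= 10 for v in self.dread.values()):
            raise ValueError("DREAD scores must be in 1..10")

    @property
    def score(self) -> float:
        return sum(self.dread.values()) / len(DREAD)

def d(*scores):
    """Build a DREAD dict from five scores given in D-R-E-A-D order."""
    return dict(zip(DREAD, scores))

# Constructed sample: threats raised while reviewing a login-service design
SAMPLE = [
    Threat("Audit log", "User denies making a change", "Repudiation", d(4, 5, 4, 3, 4), "Signed, append-only logs"),
    Threat("Login form", "Attacker poses as a valid user", "Spoofing", d(8, 8, 6, 9, 9), "Multi-factor authentication"),
    Threat("API gateway", "Request flood exhausts workers", "Denial of Service", d(6, 9, 7, 9, 5), "Rate limiting"),
]

def register(threats):
    """Prioritized register: highest DREAD average first, with the violated property."""
    ranked = sorted(threats, key=lambda t: t.score, reverse=True)
    return [(round(t.score, 1), t.stride, STRIDE[t.stride], t.element, t.mitigation) for t in ranked]

if __name__ == "__main__":
    for row in register(SAMPLE):
        print(row)
```

STRIDE answers "what kind of threat is this?" while DREAD answers "which one do we fix first?", which is the distinction scenario questions tend to probe.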


CISSP Exam Tie-In

Threat modeling often appears in CISSP scenario questions asking when to apply it and why. Remember:

  • It’s a proactive step, not part of incident response.

  • It aligns with risk management — identifying, prioritizing, and mitigating before damage occurs.

  • CISSP expects you to connect threat modeling to business objectives and system design.


Quick CISSP Practice Question

At what point in the software development life cycle (SDLC) should threat modeling be performed to be most effective?

A. During coding and implementation

B. After system deployment

C. During the design phase

D. During maintenance and patching


Correct Answer: C. During the design phase

Explanation: Threat modeling is proactive. It ensures that potential threats are identified before any code is written or systems are deployed. Performing it early reduces the cost and complexity of mitigation later.


Think Like a Manager: Don’t wait for an incident — anticipate it. That’s what separates a technical responder from a CISSP risk manager.


Check out Yani's TikTok or see Day 31 or Day 33.


👉 Can you take the Yani Challenge?


55 days of consistent CISSP prep, tackling one domain at a time, using only the resources below:


Course

Luke's CISSP Course (2 months access, $89.98)

One-to-one Zoom sessions with Luke Ahmed (2 weeks before exam)


Books, Notes, and Practice Questions

Sybex 10th Edition (Around $52.55)



Total Cost: approximately $250 depending on your geographic location. Yani is located in East Africa.


📚 Study Plan (55 Days of Dedication):

- Weekdays: 2–3 hours of focused study—late nights and early mornings (5 AM).

- Weekends: 5–6 hours of deep study sessions.


Pass CISSP in first attempt within 100 questions.


Yani's biggest expense was his time, commitment, consistency, and dedication! It was worth it because he passed on his first attempt in 100 questions using the above resources only.


If Yihenew could do it, so can you.


All the best Future CISSP. You can feel free to contact me anytime as well.


Thank you.

Luke Ahmed

 
 