Practical threat modelling exercises for researchers

Published: August 20, 2025

Threat modelling is the practice of asking: How could someone — whether maliciously or by accident — undermine or negatively affect my research project? It helps reveal areas that require additional protection.

This article introduces three lightweight modelling approaches that are fairly simple and quick to implement: STRIDE, DREAD and attack trees. Research teams can use them in a single brainstorming session and return to them as a shared security compass.

Why threat modelling matters in research

By practicing good threat modelling, you can close security gaps, proactively demonstrate compliance and trust — and help keep your research on schedule and on budget.

  1. Protect participants, data and intellectual property

    Spotting how confidential and sensitive data or unpublished manuscripts could leak or be altered allows you to close those gaps before they impact your work.

  2. Demonstrate proactive security and compliance

    By linking potential threats to mitigation strategies, you show funders, data providers and collaborators that your team takes cyber security seriously — reinforcing trust and potentially improving grant competitiveness.

  3. Avoid costly setbacks

    Addressing risks early helps prevent breach-related delays, audits or cleanup — keeping your research on schedule and on budget.

STRIDE: A high-level security sweep

Developed by Microsoft in the 1990s, STRIDE is a six-part mnemonic that helps identify potential threats to your research systems and workflows.

| Threat domain | What it means | Example |
|---|---|---|
| Spoofing identity | Pretending to be someone or something else | A malicious actor reuses stolen secure shell keys to access research systems |
| Tampering with data | Secretly altering data or code | Edits to analysis scripts affect research outcomes |
| Repudiation | Denying an action or erasing the record of it | A user deletes logs to hide unauthorized file downloads |
| Information disclosure | Unintentionally exposing sensitive information | A public cloud folder contains human subject data |
| Denial of service | Overloading a system until it fails | A lab's portal crashes due to fake job submissions |
| Elevation of privilege | Gaining access beyond what is allowed | Misconfigured settings let a user change server configurations |

  1. Diagram

    Sketch your research ecosystem. Include data flows, analysis tools, storage and intake processes.

  2. Map

    Ask which STRIDE threats apply to each component.

  3. Brainstorm

    Identify specific risks. For example, if a lab member's credentials are spoofed, could someone access sensitive datasets?

Attack trees: Visualizing how attacks unfold

Attack trees break down an attacker's goal into sub-goals and concrete steps. This helps clarify how top threats could be executed and where defences are most needed.

  1. Pick a goal (root of the tree)

    What does the attacker want (e.g., access unpublished data)?

  2. Identify paths (branches)

    What steps could get them there? Use "or" for alternatives, "and" for sequences.

  3. Detail actions (leaves)

    What specific tactics would the attacker use (e.g., phishing, exploiting a vulnerability)?

  4. Spot the easiest route

    Look for the most direct or likely path to the root.
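
The four steps above, worked through for the article's sample goal, as an added example that is not part of the original article. The tree, the 1-to-10 effort scores and the names Node, easiest_route and harden are constructed for illustration; the code finds the easiest route and shows where it moves once a safeguard is placed on that leaf.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str
    kind: str = "leaf"   # "leaf" (action), "or" (alternatives) or "and" (sequence)
    effort: int = 0      # leaves only: the team's 1 (easy) to 10 (hard) estimate
    children: list = field(default_factory=list)

def easiest_route(node):
    """Return (total effort, leaf actions) for the lowest-effort way to reach node."""
    if node.kind == "leaf":
        return node.effort, [node.label]
    if not node.children:
        raise ValueError(f"{node.label!r} needs at least one child")
    routes = [easiest_route(child) for child in node.children]
    if node.kind == "or":    # any one branch is enough, so the cheapest one wins
        return min(routes, key=lambda r: r[0])
    if node.kind == "and":   # every step is required, so the efforts add up
        return sum(r[0] for r in routes), [leaf for r in routes for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")

def harden(tree, leaf_label, new_effort):
    """Return a copy of the tree in which a safeguard raises one leaf's effort."""
    tree = copy.deepcopy(tree)
    stack, found = [tree], False
    while stack:
        node = stack.pop()
        if node.kind == "leaf" and node.label == leaf_label:
            node.effort, found = new_effort, True
        stack.extend(node.children)
    if not found:
        raise KeyError(leaf_label)
    return tree

# Constructed tree for the article's sample goal; the effort scores are made up.
TREE = Node("Access unpublished data", "or", children=[
    Node("Use a lab member's account", "and", children=[
        Node("Phish a lab member's credentials", effort=2),
        Node("Reach the dataset with that member's access", effort=3),
    ]),
    Node("Exploit a vulnerability in the lab portal", effort=7),
    Node("Read a publicly shared cloud folder", effort=1),
])

if __name__ == "__main__":
    print(easiest_route(TREE))
    print(easiest_route(harden(TREE, "Read a publicly shared cloud folder", 9)))
```

Re-running easiest_route after each proposed safeguard shows which branch becomes the next priority.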

Sample one-hour brainstorming session

| Time | Activity | Outcome |
|---|---|---|
| 0–20 min | STRIDE sweep | Top threats identified using six security questions |
| 20–40 min | DREAD scoring | Prioritized list of threats to address |
| 40–60 min | Attack tree | Visual map of how key threats might be executed |

From insight to action

Threat modelling isn't one-and-done — it's a continuous process of improving resilience. The good news? The hardest part (identifying risks) is already done. Here's what to do next:

Think of solutions across people, process and technology.

People solutions
  • Have all team members complete Security awareness training
  • Have the principal investigator approve role-based access
  • Designate a security champion

Process solutions

Technology solutions

Grant proposals

Include security plans in the data management sections of your proposals.

Workflow changes

Document risks and safeguards when updating data pipelines.

Onboarding

Add cyber security setup and orientation to new team member checklists.

Account and device setup
  • Assist with UTORMFA enrolment when onboarding new team members.
  • Confirm full-disk encryption is enabled on their device.
  • Ensure SentinelOne or another endpoint protection solution is installed.
  • Issue accounts and logins based on least-privilege principles, so team members can only access what they need.

Orientation
  • Review data handling procedures, including how data should be processed, stored, named and backed up.
  • Demonstrate how security is built into the team's research projects.

Training
  • Enrol new team members in the university's Security Awareness and Training platform.
  • Provide training relevant to their role and the sensitivity of the data they handle.

Policy review
  • Review any team agreements or standard operating procedures related to security.
  • Go over any protocols or contractual obligations the research team must follow.
  • Review the team's incident response plan.

Revisit threat modelling after major milestones:

  • Confirm resolved or accepted risks
  • Re-run STRIDE for new systems
  • Re-score DREAD as systems change
  • Update attack trees as threats evolve

This lightweight cycle makes ongoing security achievable and sustainable.

Need support?

Teams can run these exercises independently, but help is available. The Research Information Security Program offers consulting, training and facilitated workshops. Contact your unit IT staff or divisional security lead for support.