CompTIA SecurityX (CAS-005) — Question 258
A company wants to perform threat modeling on an internally developed, business-critical application. The Chief Information Security Officer (CISO) is most concerned that the application should maintain 99.999% availability and authorized users should only be able to gain access to data they are explicitly authorized to view. Which of the following threat-modeling frameworks directly addresses the CISO’s concerns about this system?
Answer options
- A. CAPEC
- B. STRIDE
- C. ATT&CK
- D. TAXII
Correct answer: B
Explanation
STRIDE is the right choice because its threat categories map directly onto the CISO's two concerns: Denial of Service covers threats to the 99.999% availability target, and Elevation of Privilege (together with Tampering and Information Disclosure) covers the risk of users reaching data they are not explicitly authorized to view. The other options are not threat-modeling frameworks in this sense: CAPEC is a catalogue of attack patterns, ATT&CK describes adversary tactics and techniques, and TAXII is a transport protocol for exchanging threat intelligence, so none of them directly addresses the application's availability and access-control requirements.