CompTIA CySA+ (CS0-002) — Question 156
During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration. Which of the following are part of a known threat modeling method?
Answer options
- A. Threat profile, infrastructure and application vulnerabilities, security strategy and plans
- B. Purpose, objective, scope, team management, cost, roles and responsibilities
- C. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
- D. Human impact, adversary's motivation, adversary's resources, adversary's methods
Correct answer: C
Explanation
The correct answer, C, lists the common types of threats that are analyzed during threat modeling, which together make up the STRIDE model. Options A and B refer to project management and security planning aspects, which are not specific to threat modeling techniques. Option D, while related to assessing threats, focuses more on the adversary's characteristics than on the specific threats themselves.