Requirements and risk management
System model
Security objectives
Risk assessment
Threats: attacker model
Attack patterns: CAPEC, MAEC, ...
Threat modeling: STRIDE-LM, LINDDUN, DREAD, ...
Threat intelligence: Pyramid of Pain, Lockheed Martin Kill Chain, Diamond, ATT&CK (incl. ICS), CAR, CAPEC, CWE, CVE, OWASP, ...
Mitigations: Defense model
Security controls
Security and data protection by design
Incident response
Compliance and governance
Frameworks: ISO 27K, COBIT, COBIT Risk, COBIT Information Security, NIST SP 800-53, NIST CSF, CMMI, CIS, PCI DSS, ...
Legal: GDPR, LED, NIS, eIDAS, ePrivacy, EU Cybersecurity Act, PSD2, PNR, ...
Security organisation and conclusions
Case study
Threat identification (information security and data protection)
Threat risk assessment
Controls