12. Evaluate a threat model (AC 2.3)
Evaluating the PASTA threat model
A strength of PASTA is that it is business focused, unlike STRIDE or LINDDUN, which focus more on the technical side of things. With PASTA you can integrate business goals directly into the threat analysis process, which ensures that security measures are relevant and effective. Its seven steps provide a clear plan for dealing with threats. Its use of attack trees and threat intelligence to predict real-world scenarios makes this threat model very thorough and forward thinking.
PASTA can be very overwhelming for smaller organisations or teams with limited resources. Because of its thorough approach, it requires a lot of time, effort, knowledge or specialised tools. Because PASTA focuses on risks to the business, it can downplay some technical vulnerabilities if they don't affect the business directly.
PASTA looks at more things than STRIDE, which mainly focuses on technical issues like tampering or DoS. Because of that, STRIDE is simpler to use. LINDDUN is more focused on privacy-specific threats, making it more useful in places where privacy is the highest priority, such as healthcare. CVSS is about scoring known vulnerabilities, whereas PASTA is more about predicting potential attacks, making it proactive.
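The sketch below is an added example, not part of the original evaluation: it evaluates two small attack trees and ranks the scenarios once by business-weighted risk and once by technical severity alone, showing how a business-focused ranking can push a technically severe finding down the list. The scenarios, probabilities, 1-10 impact scale, severity figures and the likelihood x impact formula are all constructed assumptions; PASTA does not prescribe this scoring.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"        # "AND", "OR" or "LEAF"
    p: float = 0.0            # leaf only: estimated chance the step succeeds
    children: list = field(default_factory=list)

def likelihood(node):
    """Chance the node's goal is reached, treating child steps as independent."""
    if node.gate == "LEAF":
        return node.p
    probs = [likelihood(c) for c in node.children]
    if node.gate == "AND":                      # every step must succeed
        return prod(probs)
    return 1.0 - prod(1.0 - x for x in probs)   # OR: any one path is enough

# Constructed scenarios: (attack tree, business impact 1-10, technical severity 0-10)
DB_THEFT = Node("Customer database theft", "OR", children=[
    Node("Phished admin credentials", p=0.3),
    Node("Injection plus flat network", "AND", children=[
        Node("Injection flaw in customer portal", p=0.4),
        Node("No segmentation in front of the database", p=0.5),
    ]),
])
TEST_BOX = Node("Internal test server takeover", "OR", children=[
    Node("Unpatched remote service", p=0.9),
])
SCENARIOS = [(DB_THEFT, 9, 6.5), (TEST_BOX, 2, 9.8)]

def rank_by_business_risk(scenarios):
    """Order by likelihood x business impact (highest first)."""
    return [t.name for t, impact, _ in
            sorted(scenarios, key=lambda s: likelihood(s[0]) * s[1], reverse=True)]

def rank_by_technical_severity(scenarios):
    """Order by the severity score alone, as a vulnerability-scoring view would."""
    return [t.name for t, _, _ in sorted(scenarios, key=lambda s: s[2], reverse=True)]

if __name__ == "__main__":
    for tree, impact, sev in SCENARIOS:
        print(f"{tree.name}: likelihood={likelihood(tree):.2f} "
              f"risk={likelihood(tree) * impact:.2f} severity={sev}")
    print("business view: ", rank_by_business_risk(SCENARIOS))
    print("technical view:", rank_by_technical_severity(SCENARIOS))
```

Reviewing both orderings side by side is one way to keep a business-weighted model from hiding a severe technical finding.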