Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.
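The abstract argues for prioritizing threat events by expected financial loss rather than by abstract scores, and for judging security controls by their economic applicability. The following Python block is an added illustration of that idea and is not QuantTM's own method or code: it aggregates per-threat loss estimates gathered from several business representatives into an annual loss expectancy, ranks threat events by it, and evaluates a control with the standard return-on-security-investment ratio. The aggregation rule (mean of estimates), the threat events, the CHF figures, frequencies and control effects are all constructed assumptions for the example.

```python
"""Quantitative threat prioritization and control economics.

Added example, not the QuantTM method from the paper. It shows the kind of
result a business-impact-driven threat model delivers to decision-makers:
a loss-ranked list of threat events and a monetary view of a control.
All figures below are constructed for illustration (assumption).
"""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class ThreatEvent:
    name: str
    annual_frequency: float              # expected occurrences per year (assumed estimate)
    loss_estimates: list = field(default_factory=list)  # one CHF loss figure per representative


@dataclass
class Control:
    name: str
    annual_cost: float                   # yearly cost of operating the control (CHF)
    ale_reduction: dict = field(default_factory=dict)  # threat name -> fraction of its ALE removed


def single_loss_expectancy(event: ThreatEvent) -> float:
    """Aggregate the representatives' estimates into one loss per occurrence.
    Using the arithmetic mean is an assumption of this example."""
    return mean(event.loss_estimates)


def annual_loss_expectancy(event: ThreatEvent) -> float:
    """ALE = expected occurrences per year x loss per occurrence."""
    return event.annual_frequency * single_loss_expectancy(event)


def prioritize(events: list) -> list:
    """Rank threat events by expected yearly loss, highest first."""
    return sorted(events, key=annual_loss_expectancy, reverse=True)


def total_ale(events: list, control: Control = None) -> float:
    """Sum of ALEs, optionally with a control's per-threat reduction applied."""
    total = 0.0
    for e in events:
        factor = 1.0 - (control.ale_reduction.get(e.name, 0.0) if control else 0.0)
        total += factor * annual_loss_expectancy(e)
    return total


def rosi(events: list, control: Control) -> float:
    """Return on security investment: (ALE_before - ALE_after - cost) / cost.
    A value above 0 means the control saves more than it costs per year."""
    saved = total_ale(events) - total_ale(events, control)
    return (saved - control.annual_cost) / control.annual_cost


# Constructed sample input: three threat events, three business representatives each.
THREATS = [
    ThreatEvent("ransomware on file server", 0.2, [150_000, 250_000, 200_000]),
    ThreatEvent("phishing credential theft", 2.0, [10_000, 20_000, 15_000]),
    ThreatEvent("insider data leak", 0.05, [400_000, 500_000, 600_000]),
]

# Constructed candidate controls and their assumed effect on each threat's ALE.
BACKUPS = Control("offline backups", 12_000, {"ransomware on file server": 0.75})
MFA = Control("phishing-resistant MFA", 8_000, {"phishing credential theft": 0.9})


if __name__ == "__main__":
    for e in prioritize(THREATS):
        print(f"{e.name:28s} SLE {single_loss_expectancy(e):>10,.0f}  ALE {annual_loss_expectancy(e):>10,.0f} CHF/yr")
    for c in (BACKUPS, MFA):
        print(f"{c.name:28s} ROSI {rosi(THREATS, c):.2f}")
```

The ranking is driven by expected yearly loss, so a frequent low-impact event (phishing) can outrank a rare high-impact one (insider leak); the ROSI figure lets two controls with different costs be compared on the same monetary scale that the rest of the business already uses.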