Threat modeling and threat landscape analysis is a structured analytical process within ISACA CRISC's IT Risk Assessment domain that identifies, categorizes, and connects three elements: (1) threat actors — who could harm the organization; (2) threat events — how harm could materialize; and (3) the threat landscape — the current and emerging environment of adversarial capability and intent. Together, these inputs allow a risk practitioner to map which credible threats could exploit which vulnerabilities to trigger specific risk events that impair business objectives. Unlike vulnerability scanning — which asks 'what is weak?' — threat modeling asks 'who would attack us, how, and what would the business consequence be?' It is the upstream analytical step that feeds risk scenario development, business impact analysis, and control prioritization.
Where it stops · what it isn't
- IS: A business-aligned process for identifying credible threats and the risk events they could trigger — scoped to organizational objectives and assets
- IS: A structured methodology (STRIDE, PASTA, MITRE ATT&CK, Attack Trees) applied to specific asset and process contexts
- IS: A living assessment that must be updated as the threat landscape evolves — not a one-time annual exercise
- IS NOT: Vulnerability scanning or penetration testing — those identify technical weaknesses, not threat actors or business risk events
- IS NOT: A generic list of all possible threats — it must be scoped to the assets, industry, and adversary profiles relevant to the organization
- IS NOT: Identical to risk scenario development — threat modeling identifies what threats exist; risk scenario development builds the specific sequence of events, likelihood, and impact (a downstream step)
- IS NOT: Purely a technical security exercise — CRISC threat modeling must be business-aligned, identifying threats to strategic and operational objectives, not just exploitable CVEs
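To make the actor → event → vulnerability → risk-event mapping described above concrete, here is an added Python example (not ISACA's material and not part of this cubelet). The actors, capability scale, weakness tags and assets are constructed for a hypothetical healthcare organization; the point it demonstrates is the scoping rule: an actor only yields a candidate risk event where intent, capability and an exploitable weakness on the asset all line up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ThreatActor:            # "who could harm the organization"
    name: str
    capability: int           # 1-5 sophistication (constructed scale)
    targets: frozenset        # industries the actor has shown intent against

@dataclass(frozen=True)
class ThreatEvent:            # "how harm could materialize"
    name: str
    min_capability: int       # sophistication needed to carry the event out
    exploits: frozenset       # weakness tags the event needs to succeed

@dataclass(frozen=True)
class Asset:                  # input from vulnerability / control-deficiency analysis
    name: str
    industry: str
    objective: str            # business objective the asset supports
    weaknesses: frozenset

def credible_risk_events(actors, events, assets):
    """Keep only actor/event/asset combinations with intent (actor targets the
    asset's industry), capability, and a weakness the event can exploit."""
    hits = []
    for asset in assets:
        for actor in (a for a in actors if asset.industry in a.targets):   # intent filter
            for ev in events:
                if actor.capability >= ev.min_capability and ev.exploits & asset.weaknesses:
                    hits.append((actor.name, ev.name, asset.name, asset.objective))
    return hits                # each hit feeds downstream risk scenario development

# Constructed sample landscape for a hypothetical healthcare organization
ACTORS = [
    ThreatActor("ransomware affiliate", 3, frozenset({"healthcare", "manufacturing"})),
    ThreatActor("energy-sector espionage group", 5, frozenset({"energy"})),  # no intent here
    ThreatActor("careless insider", 1, frozenset({"healthcare"})),
]
EVENTS = [
    ThreatEvent("phishing-led credential theft", 2, frozenset({"no-mfa"})),
    ThreatEvent("exploit of unpatched edge service", 3, frozenset({"unpatched-edge"})),
    ThreatEvent("bulk data exfiltration via unmonitored export", 1, frozenset({"no-dlp"})),
]
ASSETS = [
    Asset("EHR platform", "healthcare", "patient care continuity", frozenset({"no-mfa", "unpatched-edge"})),
    Asset("billing portal", "healthcare", "revenue collection", frozenset({"no-dlp"})),
]
```

Calling `credible_risk_events(ACTORS, EVENTS, ASSETS)` on this sample drops the espionage group entirely (no intent against healthcare) and the insider against the EHR platform (no capability for either event that fits its weaknesses), leaving four candidate risk events tied to named business objectives.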
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- ENABLES: Risk Scenario Development; Business Impact Analysis; Risk Analysis Methodologies
- REQUIRES: Vulnerability and Control Deficiency Analysis; Threat Intelligence Feeds (CISA KEV, MITRE ATT&CK, commercial)
- PART OF: CRISC IT Risk Assessment Domain
- RELATED TO: Risk Appetite and Tolerance Definition
- CONSTRAINS: Security Control Prioritization and Investment