Quiz Entry - updated: 2026.07.14
What are the pitfalls of model complexity in threat modeling?
Too simple and the model just echoes your assumptions; too complex and it's unanalysable and gets rubber-stamped — aim for "represents reality" in between.
A threat model only teaches you something in a narrow band of fidelity: push it too far in either direction and it stops surfacing new knowledge, so the whole point is to keep it honest and just complex enough to mirror the real system.
Be honest with the process:
- Make sure the model represents reality
- Consider all types of threats
Use appropriate complexity:
| Problem | Result |
|---|---|
| Overly-simplified | Departs from reality; you get only what you put in - no new knowledge |
| Overly-complicated | Too much to analyze; leads to "check it off the list" syndrome |
Test your model: Think of a specific security concern, then see where it fits in your threat model. If it doesn't fit anywhere, your model is incomplete.