ABSTRACT
The purpose of this tutorial is to provide an overview of tools, techniques and processes to conduct threat modelling. Whether it's a whole organisation and specific project, the role of threat modelling is to provide clarity as far as the stakeholders risk appetite and prioritisation. This ensures that resources can be effectively applied to projects and that priority information requirements and sustainment are established.
Activities that will form part of this tutorial include: 1) Introduction to threat modelling and overview (40 minutes) 2) Teams mind map of a target environment or project (test projects will be provided) (40 minutes) 3) Unclassified Brief on established threats and threat communities incorporating active discussion amongst the participants (40 minutes) 4) Initial mapping of threats to target environments (30 minutes) 5) “Mad minute” presentations and follow on discussions about threat models presented (30 minutes and beyond)
By the end of this tutorial, attendees will have an appreciation of the threat modelling process as a framework to shape and inform their cyber security requirements.
Edward Farrell & Daniel Ting are security consultants with Mercury Information Security Services (Mercury). Having over 10 years experience in cyber security, Ed & Dan bring a detailed understanding of the threat and technology environment that grounds the industry.
BIOGRAPHY
Edward Farrell is a security consultant with over eleven years experience in information security and seventeen years experience in the IT industry. As the director of Mercury, he has conducted and overseen the delivery of over 500 independent cyber security audit activities and incident responses in the past six years. Edward Is an Army Reservist, Industry Fellow at the Australian Defence Force Academy, and an advisor to several cyber security start ups.

BIOGRAPHY
Living at the intersection of technical security, trust, customer experience, and entrepreneurship, Daniel spends his days helping organisations such as Government agencies, banks, startups and non-profits secure themselves in cyberspace both in his role as a senior consultant as well as in his spare time. In the pursuit for continued growth through collaboration, Daniel is heavily involved in co-organising the OWASP AppSec Day conference, co-leading the OWASP Melbourne Chapter, and co-organising the monthly technical security meetup SecTalks Melbourne. Daniel has also played a formative role in the development of several cyber security policies and standards.