Effective CISSP Questions

Which of the following is the best initiative that contributes to threat modeling the most?
A. Social engineering
B. Phishing
C. Security champions
D. Gamification

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Security champions.

“Security champion” is an important role described in SAMM. Security champions, who contribute to threat modeling and to the organizational security culture, should be well trained. Gamification is a strategy, or a set of techniques, to engage people; it can be applied in various settings, including education and training.

“Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” (OWASP)

Activity Streams of SAMM Practices

  • Training and Awareness: Training and awareness focuses on increasing the overall knowledge around software security among the different stakeholders within the organization. Activities include 1) Train all stakeholders for awareness, 2) Customize security training, and 3) Standardize security guidance.
  • Organization and Culture: Organization and culture focuses on promoting the culture of application security within the organization as an important success factor of an SDLC project. Activities include 1) Identify security champions, 2) Implement centers of excellence, and 3) Establish a security community.
  • Application Risk Profile: An application risk profile helps to identify which applications can pose a serious threat to the organization if they were attacked or breached. Activities include 1) Perform application risk assessments, 2) Inventorize risk profiles, and 3) Periodic review of risk profiles.
  • Threat Modeling: Threat modeling is intended to help software development teams understand what risks exist in what is being built, what could go wrong, and how the risks can be mitigated or remediated. Activities include 1) Perform basic threat modeling, 2) Standardize and scale threat modeling, and 3) Optimize threat modeling.

Identify security champions

Benefit: Basic embedding of security in the development organization

Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers. Depending on the size and structure of the team the “Security Champion” may be a software developer, tester, or a product manager.

The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.

The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.

In addition to assisting Information Security, “Security Champions” provide periodic reviews of all security related issues for the project team so everyone is aware of the problems and any current and future remediation efforts. These reviews are leveraged to help brainstorm solutions to more complex problems by engaging the entire development team.

Customize security training

Benefit: Relevant employee roles trained according to their specific role

Security Champions train on security topics from various phases of the SDLC. They receive the same training as developers and testers, but also understand threat modeling and secure design, as well as security tools and technologies that can be integrated into the build environment.

Perform basic threat modeling

Benefit: Identification of architectural design flaws in your applications

Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.

Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.

Standardize and scale threat modeling

Benefit: Clear expectations of the quality of threat modeling activities

Use a standardized threat modeling methodology for your organization and align this on your application risk levels. Think about ways to support the scaling of threat modeling throughout the organization.

Train your architects, security champions, and other stakeholders on how to do practical threat modeling. Threat modeling requires understanding, clear playbooks and templates, organization-specific examples, and experience, which is hard to automate.

Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts. Your threat model diagram allows a detailed understanding of the environment and the mechanics of the application. You discover threats to your application with checklists, such as STRIDE or more organization-specific threats. For identified design flaws (ranked according to risk for your organization), you add mitigating controls to support stakeholders in dealing with particular threats. Define what triggers updating a threat model, for example, a technology change or deployment of an application in a new environment.

Feed the output of threat modeling to the defect management process for adequate follow-up. Capture the threat modeling artifacts with tools that are used by your application teams.
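The methodology just described (diagram elements, a STRIDE checklist per element, risk-ranked design flaws with mitigations, defect tickets, and refresh triggers) can be captured as a small "threat model as code" artifact. The following is an added illustration written for this page, not part of the SAMM document; the element schema, the STRIDE-per-element mapping, the exposure x sensitivity scoring and the sample model are all constructed assumptions.

```python
from dataclasses import dataclass, field

# STRIDE categories usually applicable to each DFD element kind (STRIDE-per-element convention).
STRIDE_PER_ELEMENT = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "datastore": {"T", "R", "I", "D"},
    "dataflow": {"T", "I", "D"},
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}

@dataclass
class Element:
    """One node or edge of the threat model diagram (hypothetical minimal schema)."""
    name: str
    kind: str                      # external | process | datastore | dataflow
    exposure: int                  # 1..3: how reachable the element is to an attacker
    sensitivity: int               # 1..3: value of the data or function it handles
    environment: str = "prod"      # deployment environment; a change here triggers a model refresh
    mitigations: set = field(default_factory=set)  # STRIDE letters already addressed by a control

def identify_threats(elements):
    """Apply the STRIDE checklist per element and rank unmitigated threats by exposure x sensitivity."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind] - e.mitigations:
            threats.append({"element": e.name, "category": STRIDE_NAMES[letter],
                            "risk": e.exposure * e.sensitivity})
    return sorted(threats, key=lambda t: (-t["risk"], t["element"], t["category"]))

def to_defects(threats, min_risk=4):
    """Turn threats at or above the risk threshold into defect tickets for follow-up."""
    return [f"[TM] {t['category']} on {t['element']} (risk {t['risk']})"
            for t in threats if t["risk"] >= min_risk]

def update_triggers(previous, current):
    """Names of elements that are new or whose kind/environment changed since the last model."""
    prev = {e.name: e for e in previous}
    return [e.name for e in current
            if e.name not in prev or (e.kind, e.environment) != (prev[e.name].kind, prev[e.name].environment)]

# Constructed sample model of a small web application (not from the SAMM document).
MODEL = [
    Element("Browser user", "external", exposure=3, sensitivity=1),
    Element("Web API", "process", exposure=3, sensitivity=2, mitigations={"S", "E"}),
    Element("Customer DB", "datastore", exposure=1, sensitivity=3, mitigations={"I"}),
    Element("API -> DB query", "dataflow", exposure=1, sensitivity=3),
]
```

Running `to_defects(identify_threats(MODEL))` yields four tickets for the Internet-facing API, while the lower-risk threats stay in the model as documented, accepted items; `update_triggers` gives the explicit condition under which the model must be revisited.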

Source: OWASP SAMM v2.0 – Core Model Document


Gamification is the application of game-design elements and game principles in non-game contexts. It can also be defined as a set of activities and processes to solve problems by using or applying the characteristics of game elements. Gamification commonly employs game design elements to improve user engagement, organizational productivity, flow, learning, crowdsourcing, knowledge retention, employee recruitment and evaluation, ease of use, usefulness of systems, physical exercise, traffic violations, voter apathy, and more.

  • Early gamification strategies use rewards for players who accomplish desired tasks, or competition, to engage players. Types of rewards include points, achievement badges or levels, the filling of a progress bar, or providing the user with virtual currency.
  • Another approach to gamification is to make existing tasks feel more like games. Some techniques used in this approach include adding meaningful choice, onboarding with a tutorial, increasing challenge, and adding narrative.

Source: Wikipedia
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. Social engineering
B. Phishing
C. Security champions
D. Gamification