Page 111 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)

Each stage of PASTA has a specific list of objectives to achieve and
deliverables to produce in order to complete the stage. For more
information on PASTA, please see the book Risk Centric Threat
Modeling: Process for Attack Simulation and Threat Analysis, first
edition, by Tony UcedaVelez and Marco M. Morana. (You can view the
appendix of this book online where PASTA is explored at
http://www.isaca.org/chapters5/Ireland/Documents/2013%20Presentations/PASTA%20Methodology%20Appendix%20-%20November%202013.pdf.)

Trike is another threat modeling methodology that focuses on a
risk-based approach instead of depending upon the aggregated threat
model used in STRIDE and Disaster, Reproducibility, Exploitability,
Affected Users, and Discoverability (DREAD) (see the “Prioritization
and Response” section later in this chapter). Trike provides a method
of performing a security audit in a reliable and repeatable procedure.
It also provides a consistent framework for communication and
collaboration among security workers. Trike is used to craft an
assessment of an acceptable level of risk for each class of asset that is
then used to determine appropriate risk response actions.

