What are we going to do about it?
The STRIDE analysis we just carried out has provided us with a list of threats we need to address. Remember that there will undoubtedly be others that haven’t occurred to us, so never consider your list complete. Also, remember that a threat isn’t the same as a risk – and that the probability of a threat being exploited is not the same as the expectation that it will occur.
Fundamentally, there are four ways of dealing with a threat. We can choose to do one of the following:
- Transfer
- Eliminate
- Accept
- Mitigate
Let’s now understand the implications of each approach for our Mathaholics project, starting with transferring threats.
Transferring threat risks
If we choose to outsource our Moodle hosting to a third party – a Moodle partner, for instance – then we are, essentially, hoping to transfer the threat risk to them. However, as described in Chapter 1, although third parties might be happy...