There is no scientific approach to a threat model. One can define their own threat model, which will broadly look at two contexts. One is the security controls that have been implemented while staying in line with the requirements and policy, and the other is the potential attacks that might affect an asset in a threat model.
In general, there are three approaches to a threat model:
Software-centric: This approach is also known as architecture-centric, system-centric or design-centric. It always starts from the design of the system and involves the complete data flow diagrams (DFDs), including the elements and different components, and it looks for different types of attacks against each of them.
Asset-centric: The asset-centric approach involves assets that hold the responsibility of any sensitive information, such as health data, financial data, and so on. In order to prioritize, the risk assets are classified according to their data sensitivity (What are your...