Is anyone using threat modeling as a means of continuous architecture? Meaning, you have a threat model for the entire organization and you periodically review it to ensure your current architecture is capable of handling emerging and changing threats.
I’m an IT risk manager at a small bank. I have a risk log which is in part based on threats for most of the security risks. It’s updated yearly through a risk and control self-assessment (although I do more work on the “self” assessment than IT does) or when major changes happen.
I think this is what most people do, but as I mentioned in another comment, it was suggested to me to do threat models instead or as an addition (I forgot which way the person pitched it to me). So naturally, I was curious to see if anyone else actually did that, as it seems like this would be a significant effort.