Information Security Threat Modeling is one of those arcane sub-disciplines of which it is easy to find just as many practitioners who are convinced that it should offer real benefits, as it is to find practitioners who believe that "it is never going to work".

The same can be said for academic interest in threat modeling. 

Conceptual modeling is a research field that has been around for a long time. As a research conference, the ER conference has been been established in the late 1970's and, 30+ years later, it is still going. The information security research discipline is about as old. Conceivably one of the earliest comprehensive bodies of work is contained in the Orange Book (1983).

So: how is it then that most approaches to threat modeling really haven't changed all that much and that most evidence of successful use of threat modeling techniques only exists in anecdotal form? Who is using threat modeling as a foundational element of their infosec strategy? What is the state of the art in research? Can we find case studies and determine how effective the models have been?

Let's get the conversation started!