The importance of accurate notes during threat model meetings.
The criticality of accurate notes is obvious: When threat modeling experts are analyzing threats, they need quick access to topics discussed in a meeting. The organic flow of a threat modeling interview is often not the same order in which trust boundaries are discussed so structuring this information proves a significant enabler for efficiency and completeness.
Notes can also help you track your progress and identify any gaps in your analysis, ensuring that all potential threats are considered and addressed.
Challenges of note-taking when you are not a subject-matter expert.
As a junior member of a cybersecurity team, one of your tasks is note-taking during diagramming- and STRIDE meetings while the threat modeling experts interview the stakeholders. However, as a junior in the field, there are a lot of new technologies to learn, which may not be familiar to you. This makes note-taking as a junior team member a double-edged sword: you learn about many technologies while helping raise the quality of the threat model, however, you also don’t know enough about the topic (yet) to know what details exactly are important to note down…
At Toreon, we have adapted our note-taking process to enable junior employees to learn while at the same time creating meeting notes that are the most helpful to the threat modeling experts.
Tips for effective note-taking by junior consultants during a threat model assessment
1. Record all interviews
When using conferencing software like Teams or Google Meet, recording interviews with stakeholders and customers is a built-in feature. Having an auto-generated transcript is not always feasible, however.
- The topics discussed during a meeting are often highly confidential, so using a third party to perform speech-to-text analysis might not be desireable
- Meetings may not be conducted in English, in which case automated transcripts are unavailable or of very low quality. Even if participants do speak English, foreign accents are often misunderstood, again hampering the quality of the output.
2. Use Excel for note-taking
Yes, you read that right. Excel has a lesser-known feature that unintentionally makes note-taking alongside video recording very efficient.
This is achieved by automatically inserting the “now” timestamps with a shortcut key combination:
On windows, press Ctrl + Shift + ;
On MacOS, press Command + ;
A very straightforward Excel template allows you to calculate the relative timestamps from the start of the recording:
- In Column A, the note taker enters the absolute timestamps (auto-entered with the above key-combination). The first entry in that row is the start of the meeting and serves as the “00:00” reference point for the video timestamp.
- Column B holds the topic that was changed to, key words that are important.
- Column C is reserved for additional notes from the threat modeling expert
- Column D auto-calculates the video timestamp for later reference, based on the starting time of the video (Cell A2 in the below example) minus the absolute timestamp in column A.
3. Threat modeling expert revises the notes directly after the meeting.
This is one of the reasons why at Toreon, we tend to reserve an entire day for an interview where a morning slot serves to hold the actual interview. The afternoon is then reserved for the threat modeling expert to re-watch the meeting recording, with the interview still fresh in their memory. While play/pause ’ing through the recording, they use column C to enrich the notes with attention points, questions for clarifications to ask next time, etc.
Additional benefits to this method of note-taking:
All relevant information is thoroughly documented.
Threat modeling experts:
- Can listen and ask questions with their full attention and focus on establishing the data flow diagram as the conversation commences.
- Can as the note taker for a note-to-self at a specific point in time, to be processed in the afternoon.
- Achieve a deeper comprehension of the subject, because the meeting is essentially “attended” twice on the same day.
- Can be leveraged more effectively in the note-taking process.
- Are able to research into topics still unfamiliar to them by rewatching the recording and pausing or rewinding when necessary.
- Can be given more context to their independent research assignments for parts of the threat model.
Colleagues who didn’t attend the meeting can be brought up to speed very efficiently when necessary. They can simply read through the notes and consult the video if they need more context.