InterviewStack.io LogoInterviewStack.io

Threat Modeling and Risk Assessment Questions

Systematic identification and evaluation of threats, vulnerabilities, assets, and attack surfaces to determine likelihood and business impact and to drive prioritized security controls. This topic covers threat modeling techniques and structured methodologies such as STRIDE, PASTA, and attack trees, enumeration of threat actors and attack vectors, scenario based attack simulation, and attack surface analysis. Candidates should be able to quantify risk using likelihood and impact, risk matrices, and concepts such as risk velocity, and explain how to integrate threat intelligence into probability assessments. The topic includes translating threat models into prioritized mitigations, detection and monitoring requirements, and security architecture or design trade offs that balance security with business objectives and operational constraints. At larger scale it covers enterprise risk assessment practices, alignment with risk management frameworks such as NIST and ISO 31000, integration with vulnerability assessment and vulnerability management programs, risk quantification, and effective communication of risk and remediation priorities to technical teams and executive stakeholders.

MediumTechnical
69 practiced
Propose a process to integrate automated vulnerability scan results (software composition analysis, SAST, network scans) into your organization's risk scoring pipeline. Cover deduplication, false-positive suppression, asset context enrichment, correlation with threat intelligence, and feedback loops into patching and SLA management.
EasyTechnical
104 practiced
List and classify likely threat actors for a mid-size e-commerce company (examples: script kiddies, financially motivated cybercriminals, nation-state, insiders, competitors). For each actor specify probable motivations, typical TTPs, and high-level indicators you would look for in logs or telemetry to detect their activity.
HardTechnical
57 practiced
You are evaluating two design choices for an internal file-sharing platform: option A uses strict compartmentalization with strong encryption and multi-factor authentication but increases latency and restricts collaboration; option B relaxes access controls but adds extensive monitoring and logging to preserve productivity. Using threat-model outputs, quantify trade-offs between residual risk reduction, user productivity (measurable KPIs), operational cost, and propose a decision framework to choose between A and B.
HardTechnical
72 practiced
Design an approach to automatically generate and score attack trees for common web application goals such as data exfiltration, using static architecture metadata, vulnerability feeds, and threat intelligence. Describe the graph model, algorithms for path enumeration and shortest/cheapest-path identification, scoring heuristics for nodes and edges (ease, likelihood, impact), data storage model, and how results should be presented to engineers for mitigation prioritization.
HardTechnical
74 practiced
For a security organization adopting PASTA across many applications, define a maturity model and KPIs to measure process adoption and effectiveness. For each PASTA stage suggest measurable indicators, how to collect the data, and how to link observed maturity improvements to reduced incident rates or other risk metrics.

Unlock Full Question Bank

Get access to hundreds of Threat Modeling and Risk Assessment interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.