Keywords: Information Security, Threat Modeling, Project Management, Common Vulnerability Scoring System

The importance of information security has risen rapidly in recent years, to the point that information security is almost equivalent to national security, and the overall output value of the information security industry has grown substantially. The continuous development of the Internet of Things, Artificial Intelligence, and Industry 4.0 has promoted diversified combinations of the information industry and the network ecosystem, but it has also planted more unknown and potential risks that threaten information security. In the past, research on information security mostly focused on software applications or network-related issues, and many information protection technologies are likewise concentrated on these issues. A careful study of several research theories reveals that these protections are largely external; protection provided by the products or services themselves is rare. Later, the Security Development Life Cycle promoted by Microsoft emphasized that security should come from the software itself. This prompted the present research to ask whether such a theory could be introduced into hardware design: security should not be limited to software but should also be implemented within the product hardware, so as to raise the overall security level of the product when it is in use. This thesis combines Threat Modeling from the Security Development Life Cycle with the Risk Management theory of Project Management, introduces them into the product development process, and uses the Common Vulnerability Scoring System (CVSS) as the reference for assessing project risk. Applying this threat modeling in the project development process successfully identified 34 threats in the early phases of project development. Identifying these threats and organizing their solutions accordingly helps project teams prioritize follow-up actions and evaluate their effectiveness.
Using the STRIDE classification principle in threat modeling to classify the threats, assess their risk, and provide corresponding solutions and mitigation plans helps resolve an important practical information security problem with academic theories and concepts.
Keywords: Information Security, Threat Modeling, Project Management, CVSS