Software Engineering, Project Management, and Effectiveness
I see a lot of confusion over terms when it comes to threat modeling. The terms matter because they shape focus. For example, if you confuse threats with attacks, you've limited what you're looking for.
These are the terms we used when we created our How To Threat Model Web Applications:
Rather than get caught up in the definitions, you can focus on intent:
An example that puts this all together: my asset is my customer information. My application faces the threat of injection attacks. My application's lack of input validation is a vulnerability. SQL injection and cross-site scripting would be attacks. Countermeasures would be validating input and keeping user input out of the control channel.
There are a couple of interesting points here:
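As an added illustration (not code from the original post), here is that example in Python: a customer lookup that lacks input validation and concatenates user input into the query, beside a hardened version that applies both countermeasures. The customer table, the `USERNAME_RE` allow-list and the probe string are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the "customer information" asset.
CUSTOMERS = [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerability: no input validation, and the user's value is pasted into
    the SQL control channel, so the query text itself depends on the input."""
    sql = ("SELECT id, username, email FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


# Allow-list for usernames (assumed policy for this example).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_hardened(conn, username):
    """Countermeasure 1: validate the input against an allow-list.
    Countermeasure 2: bind the value as a parameter so it never enters the
    control channel; the query text is fixed regardless of what is supplied."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A classic tautology probe: the vulnerable lookup leaks every row,
    # the hardened lookup rejects the value before it reaches the database.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    try:
        lookup_hardened(db, probe)
    except ValueError as exc:
        print("hardened:", exc)
```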
What's important in all this is that your security objectives are the ultimate scoping tool and that by understanding the relationships between the terms, you produce more effective results when you threat model.
Threat modeling is a way to identify potential security issues to help you shape your application's security.