Recording and transcript for yesterday's meeting: https://zoom.us/rec/share/SAXI5iGwIQkJgMt632RFMFs8b0nuB1VFITsS_Ig3vaC2IHETJymtIkRxRfzdmiNM.N4hHxZtBiiM1Rxe4
Key decisions/outcomes from call:
- Joseph and Christopher to threat model clinician scribe
- Cara and Robert to threat model chatbot
- Matt to continue with AI Code Generator threat model
- Form teams to threat model a use case (useful guide here)
- Work in your teams to decompose your use case into a list of assets to inform you which ones pose the greatest risk if compromised.
- Identify threats (use STRIDE framework unless it really doesn’t fit) and controls. It’s useful to write threats in the following style:
  - “User A does B to C which results in D”
  - E.g.: “Attacker (‘the who’) tampers (‘malicious action’) with REST service parameters (‘technical component’) to view (‘the reason’) unauthorised customer data (‘the resource’)”
- Use the Code Generator example from our GitHub repo
We’ll then review these as a group next week and continue into risk identification and quantification.
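The decomposition and threat-writing steps above can be kept honest with a small, structured register. The following is an added illustration, not code from this repository or the Code Generator example: it stores assets with an impact rating, stores each threat in the agreed "who / malicious action / technical component / reason / resource" shape tagged with its STRIDE letter, renders the threat sentence, and reports which STRIDE categories have no threat written for each asset and which threats still have no control. The asset names, impact scores and the second threat are constructed sample data; the first threat is the REST-parameter example from the notes.

```python
"""Minimal STRIDE threat register for a team's threat-modelling exercise.
Added example (not the project's own code); sample data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Impact if the asset is compromised; used to decide which assets to model first.
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    impact: str  # "low", "medium" or "high"


@dataclass
class Threat:
    who: str        # the actor
    action: str     # the malicious action
    component: str  # the technical component acted upon
    reason: str     # what the actor gets out of it
    resource: str   # the asset ultimately affected; must match an Asset.name
    category: str   # one STRIDE letter
    controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.category!r}")

    def statement(self) -> str:
        """Render in the agreed style: 'A does B to C which results in D'."""
        return f"{self.who} {self.action} {self.component} to {self.reason} {self.resource}"


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Highest-impact assets first: these deserve the most threat-modelling effort."""
    return sorted(assets, key=lambda a: IMPACT_SCORE[a.impact], reverse=True)


def coverage_gaps(assets: List[Asset], threats: List[Threat]) -> Dict[str, List[str]]:
    """For each asset, the STRIDE letters for which nobody has written a threat yet."""
    gaps: Dict[str, List[str]] = {}
    for asset in assets:
        seen = {t.category for t in threats if t.resource == asset.name}
        gaps[asset.name] = [c for c in STRIDE if c not in seen]
    return gaps


def uncontrolled(threats: List[Threat]) -> List[Threat]:
    """Threats recorded without any mitigating control."""
    return [t for t in threats if not t.controls]


# Constructed sample register (hypothetical assets for a chatbot-style use case).
ASSETS = [
    Asset("customer data", "high"),
    Asset("service availability", "medium"),
    Asset("audit log", "low"),
]

THREATS = [
    # The example threat from the meeting notes, split into its five parts.
    Threat("Attacker", "tampers with", "REST service parameters",
           "view unauthorised", "customer data", "T",
           controls=["server-side authorisation check on every request"]),
    # A constructed second threat with no control recorded yet.
    Threat("Attacker", "sends a burst of oversized prompts to", "the chat endpoint",
           "degrade", "service availability", "D"),
]

if __name__ == "__main__":
    for asset in rank_assets(ASSETS):
        print(f"[{asset.impact}] {asset.name}: missing STRIDE {coverage_gaps(ASSETS, THREATS)[asset.name]}")
    for t in THREATS:
        print(f"{t.category}: {t.statement()}")
    print("no controls yet:", [t.statement() for t in uncontrolled(THREATS)])
```

Running it lists each asset by impact with the STRIDE letters still uncovered, prints every threat as a full sentence, and flags threats that have no control, which is a convenient checklist to bring to the group review.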