Facilitating Cyber Security Threat Modelling: A Social Capital Perspective


  • Johanna Orjatsalo LUT University




social capital, knowledge creation, cyber security, workshop, threat modelling


To identify and manage their cyber security risks, organisations need to form a thorough understanding of various factors that may expose them to these risks. While cyber security professionals and scholars have developed a plethora of practical methodologies and frameworks to support cyber security risk identification and mitigation, the theoretical foundations on what promotes effective knowledge creation when using these methodologies and frameworks are nascent. Yet, theories developed in the field of knowledge management and intellectual capital may provide valuable insight on how to enhance cyber security risk related knowledge creation in organisations. For example, social capital is considered as an important prerequisite for knowledge exchange and combination when creating new intellectual capital (Nahapiet & Ghoshal, 1998). However, more focused research is required to understand how social capital affects knowledge creation in the context of organisational cyber security risk related activities.


Using qualitative data gathered from three cyber security threat modelling workshops, this paper examines how social capital enables conditions for exchanging and combining knowledge on cyber security threats. By comparing the empirical observations with Nahapiet and Ghoshal’s (1998) model, this study identifies practical approaches that are used by threat modelling workshop facilitators to create conditions for effective knowledge exchange and combination. This study provides both cyber security scholars and professionals with an example on how to use knowledge creation related academic theories to analyse and further enhance cyber security risk management approaches by creating a connection between Nahapiet and Ghoshal’s (1998) social capital model and cyber security threat modelling.