{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T05:47:54Z","timestamp":1767332874915,"version":"3.48.0"},"reference-count":82,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"School of Professional Studies, UNSW, Canberra ACT"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/access.2025.3647760","type":"journal-article","created":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T18:31:48Z","timestamp":1766514708000},"page":"217316-217348","source":"Crossref","is-referenced-by-count":0,"title":["ISADM: An Integrated STRIDE, ATT&CK, and D3FEND Model for Threat Modeling Against Real-World Adversaries"],"prefix":"10.1109","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8008-8203","authenticated-orcid":false,"given":"Khondokar Fida","family":"Hasan","sequence":"first","affiliation":[{"name":"University of New South Wales (UNSW), Canberra, ACT, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-6547-9126","authenticated-orcid":false,"given":"Hasibul Hossain","family":"Shajeeb","sequence":"additional","affiliation":[{"name":"Bangladesh University of Business and Technology (BUBT), Dhaka, Bangladesh"}]},{"given":"Chathura","family":"Abeydeera","sequence":"additional","affiliation":[{"name":"Anchoram\u2019s Cyber Security Practice, Melbourne, VIC, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0440-5032","authenticated-orcid":false,"given":"Benjamin","family":"Turnbull","sequence":"additional","affiliation":[{"name":"University of New South Wales (UNSW), Canberra, ACT, 
Australia"}]},{"given":"Matthew","family":"Warren","sequence":"additional","affiliation":[{"name":"RMIT University, Melbourne, VIC, Australia"}]}],"member":"263","reference":[{"article-title":"Cyber threat modeling: Survey, assessment, and representative framework","year":"2018","author":"Bodeau","key":"ref1"},{"article-title":"A process for threat modeling of large-scale computer systems: A case study","year":"2020","author":"Rantzien","key":"ref2"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.3390\/sym14030549"},{"article-title":"Threat modeling for cyberphysical system-of-systems: Methods evaluation","year":"2018","author":"Shevchenko","key":"ref4"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2025.104777"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-013-0195-2"},{"volume-title":"Microsoft Threat Modeling Tool Overview\u2013Azure","year":"2024","key":"ref7"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3687300"},{"volume-title":"Mitre Att&ck Matrix for Enterprise","year":"2024","key":"ref9"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2022.2104766"},{"article-title":"System-of-systems threat model","year":"2018","author":"Bodeau","key":"ref11"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-021-00898-7"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SmartCloud49737.2020.00035"},{"volume-title":"Threat Modeling With Att&ck","year":"2024","key":"ref14"},{"article-title":"An evaluation framework for network IDS\/IPS datasets: Leveraging MITRE ATT&CK and industry relevance metrics","year":"2025","author":"Rahman","key":"ref15"},{"journal-title":"Stride Threat Modeling With Mitre Att&ck Mapping for Devsecops and 
Appsec","year":"2024","author":"Rebutlan","key":"ref16"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2023.122697"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.30574\/ijsra.2024.11.1.0284"},{"key":"ref19","article-title":"Advanced security threat modelling for blockchain-based FinTech applications","author":"Bahar","year":"2023","journal-title":"arXiv:2304.06725"},{"volume-title":"Measuring and Managing Information Risk: A FAIR Approach","year":"2014","author":"Freund","key":"ref20"},{"journal-title":"A Complete Guide to the Common Vulnerability Scoring System Version 2.0","year":"2007","author":"Mell","key":"ref21"},{"volume-title":"Common Vulnerability Scoring System V3.1: Specification Document","year":"2019","key":"ref22"},{"volume-title":"Information Security, Cybersecurity and Privacy Protection\u2014Evaluation Criteria for it Security\u2014Part 1: Introduction and General Model","year":"2022","key":"ref23"},{"key":"ref24","first-page":"101","article-title":"Towards the ontology of ISO\/IEC 27005: 2011 risk management Standard","volume-title":"Proc. 
HAISA","author":"Agrawal"},{"volume-title":"Information Security, Cybersecurity and Privacy Protection\u2013guidance on Managing Information Security Risks","year":"2022","key":"ref25"},{"key":"ref26","volume-title":"Computer Security: Principles and Practice","volume":"3","author":"Stallings","year":"2012"},{"volume-title":"Threat Modeling: Designing for Security","year":"2014","author":"Shostack","key":"ref27"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2021.3125229"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-02067-4_1"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3140368.3140372"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2021.3058403"},{"key":"ref32","article-title":"Taxonomy for cybersecurity threat attributes and countermeasures in smart manufacturing systems","author":"Rahman","year":"2023","journal-title":"arXiv:2401.01374"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-7998-3149-5.ch002"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102950"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.21314\/jop.2020.249"},{"volume-title":"Timeline of Cyber Incidents Involving Financial Institutions","year":"2024","key":"ref36"},{"journal-title":"Bangladesh Bank Cyber Heist\u2013Incident Analysis","year":"2021","author":"Balu","key":"ref37"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-26845-8_1"},{"journal-title":"Cybersecurity Compliance in the Financial Sector","year":"2025","author":"Furneaux","key":"ref39"},{"journal-title":"Cyber Risk Measurement and the Holistic Cybersecurity Approach","year":"2017","author":"Boehm","key":"ref40"},{"article-title":"Enhanced cyber threat model for financial services sector (FSS) institutions","year":"2018","author":"Fox","key":"ref41"},{"volume-title":"How to Use Mitre Att&ck in Conjunction With Threat 
Modeling","year":"2023","key":"ref42"},{"volume-title":"Playbook for Threat Modeling Medical Devices","year":"2021","key":"ref43"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-024-00812-4"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2023.100766"},{"volume-title":"CRI Profile V2.0 Fact Sheet","year":"2024","key":"ref46"},{"volume-title":"Threat-Informed Defense for the Financial Sector: Cri Profile Mappings To Mitre Att&ck","year":"2025","key":"ref47"},{"volume-title":"Proactive Cybersecurity\u2013What is it, and Why You Need It","key":"ref48"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-79915-1_4"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1016\/j.heliyon.2021.e05969"},{"journal-title":"A Hybrid Approach to Threat Modelling","year":"2017","author":"Krishnan","key":"ref51"},{"key":"ref52","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-79915-1","volume-title":"Understanding Cybersecurity Management in Decentralized Finance","author":"Kaur","year":"2021"},{"issue":"2","key":"ref53","first-page":"44","article-title":"Threat modeling and risk assessment of APIs in fintech applications","volume":"2","author":"Ranjan","year":"2022","journal-title":"ESP J. Eng. Technol. 
Advancements"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC58397.2023.10217945"},{"article-title":"Enterprise threat model technical report: Cyber threat model for a notional financial services sector institution","year":"2018","author":"Fox","key":"ref55"},{"volume-title":"Resiliencia Cibern\u00e9tica En La Infraestructura Financiera","year":"2019","key":"ref56"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-79915-1"},{"article-title":"Mitre att&ck: Design and philosophy","year":"2018","author":"Strom","key":"ref58"},{"volume-title":"Getting Started With Mitre Att&ck","year":"2024","key":"ref59"},{"volume-title":"Mitre Att&ck Matrix for Enterprise","year":"2025","key":"ref60"},{"volume-title":"Strengthening Data Security With Stride and Mitre Threat Models","year":"2025","key":"ref61"},{"volume-title":"Mapping Att&ck Patterns to Your Threat Model","year":"2024","key":"ref62"},{"volume-title":"How to Use Mitre Att&ck in Conjunction With Threat Modeling","year":"2025","key":"ref63"},{"volume-title":"Threat Modeling With Att&ck\u2013Project Resources","year":"2024","key":"ref64"},{"volume-title":"Difference Between Stride and Mitre Att&ck","year":"2018","key":"ref65"},{"volume-title":"Guide to Conducting Cybersecurity Risk Assessment for Critical Information Infrastructure","year":"2020","key":"ref66"},{"key":"ref67","first-page":"1","article-title":"MITRE ATT&CK-driven cyber risk assessment","volume-title":"Proc. 17th Int. Conf. Availability, Rel. 
Secur.","author":"Ahmed"},{"key":"ref68","article-title":"SoK: The MITRE ATT&CK framework in research and practice","author":"Roy","year":"2023","journal-title":"arXiv:2304.07411"},{"volume-title":"Integrating Cybersecurity and Enterprise Risk Management (ERM)","year":"2021","key":"ref69"},{"volume-title":"Mitre Att&ck Framework: Resources on Assessment and Engineering","year":"2022","key":"ref70"},{"volume-title":"Digital Artifact Ontology | Mitre D3fend\u2122","year":"2025","key":"ref71"},{"volume-title":"What is Mitre D3fend Matrix?","year":"2023","key":"ref72"},{"volume-title":"Mitre Att&ck&D3FEND: Step-by-Step Guide to Closing Security Visibility Gaps","year":"2022","key":"ref73"},{"volume-title":"Offensive Technique Details | Mitre D3fend\u2122","year":"2025","key":"ref74"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.4135\/9781526411228"},{"issue":"2","key":"ref76","first-page":"62","article-title":"Fraudulent financial reporting in the banking sector of Bangladesh: A prediction","volume-title":"Int. J. 
Manage.","volume":"8","author":"Karim","year":"2021"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.36079\/lamintang.ijlapp-0602.677"},{"key":"ref78","first-page":"1","article-title":"Lessons learned from the Bangladesh bank heist","volume":"6","author":"Kabir","year":"2023","journal-title":"ISACA J."},{"journal-title":"Exclusive\u2013Bangladesh Bank Hackers Compromised Swift Software, Warning Issued","year":"2016","author":"Finkle","key":"ref79"},{"volume-title":"The Equifax Data Breach","year":"2018","key":"ref80"},{"volume-title":"Apache Struts Vulnerability Exploited in Equifax Breach","year":"2017","key":"ref81"},{"volume-title":"Mapping Mitre Att&ck to the Equifax Indictment","year":"2024","key":"ref82"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/6287639\/10820123\/11313056.pdf?arnumber=11313056","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T05:45:24Z","timestamp":1767332724000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11313056\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":82,"URL":"https:\/\/doi.org\/10.1109\/access.2025.3647760","relation":{},"ISSN":["2169-3536"],"issn-type":[{"type":"electronic","value":"2169-3536"}],"subject":[],"published":{"date-parts":[[2025]]}}}