“Can we tell a story without changing the diagram? Can we tell that story without using words such as ‘sometimes’ or ‘also’? Can we look at the diagram and see exactly where the software will make a security decision? Does the diagram show all the trust boundaries, such as where different accounts interact? Do you cover all UIDs, all application roles, and all network interfaces? Does the diagram reflect the current or planned reality of the software? Can we see where all the data goes and who uses it? Do we see the processes that move data from one data store to another?”

Adam Shostack, Threat Modeling
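Several of the questions quoted above are mechanically checkable once the data-flow diagram exists as data rather than as a picture. The following is an added example, not code from the book or from any threat-modeling tool; the element kinds (`external`, `process`, `store`), the `principal` field standing in for the UID, account or role, the `crosses_boundary` flag and the finding names are all assumptions made for this illustration. It lints a small constructed web-application model for four of the questions: a flow from one data store directly to another with no process moving the data, a flow between elements under different principals that is not drawn as a trust-boundary crossing, an element with no principal recorded (an uncovered UID or role), and a store that is written but never read (data whose user the diagram does not show).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external", "process" or "store" (assumed vocabulary)
    principal: str   # account, UID or role the element runs as; "" if not recorded


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    crosses_boundary: bool = False  # True when the diagram draws a trust boundary on this flow


@dataclass
class DFD:
    elements: dict   # name -> Element
    flows: list      # list of Flow


def lint(dfd: DFD) -> list:
    """Return sorted finding strings; an empty list means every check passed."""
    findings = []
    els = dfd.elements
    inbound = defaultdict(int)
    outbound = defaultdict(int)

    for f in dfd.flows:
        if f.src not in els or f.dst not in els:
            findings.append(f"dangling-flow: {f.src}->{f.dst} references an undefined element")
            continue
        src, dst = els[f.src], els[f.dst]
        outbound[f.src] += 1
        inbound[f.dst] += 1
        # A data store cannot move data by itself; some process must sit between two stores.
        if src.kind == "store" and dst.kind == "store":
            findings.append(f"store-to-store: {f.src}->{f.dst} ({f.data}) has no process moving the data")
        # Data passing between different principals is a trust-boundary crossing and must be drawn as one.
        # Elements with no principal are reported separately below, so they are skipped here.
        if src.principal and dst.principal and src.principal != dst.principal and not f.crosses_boundary:
            findings.append(f"unmarked-boundary: {f.src}({src.principal})->{f.dst}({dst.principal}) lacks a trust boundary")

    for name, e in els.items():
        if not e.principal:
            findings.append(f"missing-principal: {name} has no account, UID or role")
        if e.kind == "store":
            if inbound[name] == 0:
                findings.append(f"unwritten-store: {name} receives no data")
            if outbound[name] == 0:
                findings.append(f"unread-store: {name} is never read, so nobody uses its data")
        elif inbound[name] + outbound[name] == 0:
            findings.append(f"isolated: {name} has no data flows")
    return sorted(findings)


# Constructed sample model of a small web application (invented for this example).
SAMPLE = DFD(
    elements={
        "Browser":  Element("Browser", "external", "end-user"),
        "WebApp":   Element("WebApp", "process", "www-data"),
        "DB":       Element("DB", "store", "postgres"),
        "Backup":   Element("Backup", "store", "backup"),
        "AuditLog": Element("AuditLog", "store", ""),   # nobody recorded which account owns it
    },
    flows=[
        Flow("Browser", "WebApp", "HTTP request", crosses_boundary=True),
        Flow("WebApp", "Browser", "HTTP response", crosses_boundary=True),
        Flow("WebApp", "DB", "SQL", crosses_boundary=True),
        Flow("DB", "WebApp", "rows", crosses_boundary=True),
        Flow("DB", "Backup", "nightly dump"),        # store to store, and the boundary is not drawn
        Flow("WebApp", "AuditLog", "audit events"),  # written, but nothing in the diagram reads it
    ],
)

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Each finding maps back to a question in the passage: the store-to-store flow hides the backup process (and therefore the account it runs as), the unmarked boundary between `postgres` and `backup` is an account interaction the diagram does not show, the missing principal on `AuditLog` is an uncovered UID, and the two unread stores are data whose user the diagram cannot name. A model that yields no findings is only necessarily-consistent, not complete; the questions about the diagram reflecting reality still need a human reviewer.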