Good of them to release this, and I have a dog in the race about getting people to think higher-level about security, but ATT&CK, STRIDE and other frameworks tend to be solipsistic, self-propagating bullshit.

I would also argue that quantitative security risk models serve mainly as a corporate laundering system to obfuscate risk, do not have any meaningful predictive power, and that security compliance has become a make-work field for the unskilled, whose role is to be both an easy mark and a scapegoat for reckless corporate behaviour.

Hopefully it will mature to where designers and engineers themselves build in mitigations, the way some of them have with environmental and safety risks, but as a business, I think security is due for some scrutiny.