Six-Domain Threat Model Analysis
- Six-Domain Threat Model is a multidomain framework that segments systems into six interacting realms to capture cross-domain threat propagation.
- Its analytical workflow integrates domain-specific asset identification, threat actor profiling, and quantitative risk scoring to reveal inter-domain vulnerabilities.
- Sectoral instantiations tailor the model for smart grids, IIoT, 6G ISAC, and cloud-first organizations, demonstrating its adaptability to diverse operational contexts.
Searching arXiv for the cited threat-modeling papers and related six-domain/multi-domain work to ground the article in current preprints. arXiv search query: (Ríos et al., 2024) A Six-Domain Threat Model is a multidomain security representation that partitions a target system into six interacting realms and analyzes threats as cross-domain phenomena rather than as isolated technical events. In contemporary arXiv literature, the expression does not denote a single canonical taxonomy. Instead, six-domain formulations are specialized to the system under study: smart-grid analysis supports a partition into physical/electrical, OT/control, ICT/cyber, customer/AMI, market/business/data, and organizational/policy/human layers; strategic-foresight work defines Physical, Cultural, Economic, Social, Political, and Cyber; and related frameworks adapt six-domain reasoning to IIoT, computing platforms, 6G ISAC, and distributed cloud-first organizations (Ríos et al., 2024, Onwubiko et al., 2022, Saurabh et al., 2023, Musavi et al., 2018, Keskin et al., 20 Nov 2025, Beyer, 20 Jun 2026).
1. Domain structure and conceptual scope
The central idea is that a “domain” is not merely an asset class but a field with its own rules, interfaces, and threat logic. In the strategic-foresight formulation, the six domains are explicitly Physical, Cultural, Economic, Social, Political, and Cyber, and the framework treats each as both a source and a target of threats (Onwubiko et al., 2022). In sectoral cyber-physical systems, the six-way partition is usually operational rather than societal: the reconstructed smart-grid model distinguishes Physical / Electrical, OT / Control, ICT / Cyber, Customer / AMI, Market / Business / Data, and Organizational / Policy / Human; the IIoT TMAP mapping uses Physical / Process, Control / OT, Network / Communication, IT / Cloud / Enterprise, Human / Organizational, and Supply Chain / External; Lamellae separates Applications, OS & Hypervisor, Firmware, Hardware Devices, Management / Control, and CPU / Microarchitecture; and TRACE yields Protocol & Application Logic, Cloud & Infrastructure Control-Plane, CI/CD & Software Supply-Chain, Identity / Access & Trust-Edge, Governance & Authority Distribution, and Human Operations & External Dependencies (Ríos et al., 2024, Saurabh et al., 2023, Musavi et al., 2018, Beyer, 20 Jun 2026).
Across these formulations, the six-domain pattern is stable in one respect: it rejects a single-layer “cyber-only” view. Threats are instead modeled as traversals between materially different domains, such as network-to-OT movement in industrial systems, firmware-to-OS privilege abuse in computing platforms, or protocol-to-organizational failure in decentralized operations. This suggests that the defining property of a six-domain model is not a fixed vocabulary, but a six-part decomposition that preserves cross-domain causality.
| Source | Six-domain decomposition | Emphasis |
|---|---|---|
| Smart grids (Ríos et al., 2024) | Physical / Electrical; OT / Control; ICT / Cyber; Customer / AMI; Market / Business / Data; Organizational / Policy / Human | Cyber-physical utility operations |
| TMAP for IIoT (Saurabh et al., 2023) | Physical / Process; Control / OT; Network / Communication; IT / Cloud / Enterprise; Human / Organizational; Supply Chain / External | Asset-centric industrial path analysis |
| Lamellae (Musavi et al., 2018) | Applications; OS & Hypervisor; Firmware; Hardware Devices; Management / Control; CPU / Microarchitecture | Hardware-software architectural attacks |
| Strategic foresight (Onwubiko et al., 2022) | Physical; Cultural; Economic; Social; Political; Cyber | Socio-technical situational awareness |
| 6G ISAC extension (Keskin et al., 20 Nov 2025) | Physical Environment / Devices; Cyber-Physical Control; Radio / Physical-Layer; Network / Protocol; Data / AI / ML; Human / Organizational / Supply Chain | Transportation security for ISAC |
| TRACE-derived (Beyer, 20 Jun 2026) | Protocol & Application Logic; Cloud & Infrastructure Control-Plane; CI/CD & Software Supply-Chain; Identity / Access & Trust-Edge; Governance & Authority Distribution; Human Operations & External Dependencies | Distributed, cloud-first organizations |
2. Core modeling primitives
A six-domain model becomes analytically useful only when it specifies what is being modeled inside and across domains. The smart-grid adversarial reconstruction expresses the attacker along four dimensions—motivation, goals, knowledge, and capabilities—captured by the tuple (Ríos et al., 2024). TRACE makes the modeling vocabulary more explicit by elevating Threat actors, Roles, Assets, Critical invariants, and Edges to first-class objects, where an invariant may be treated as a predicate over system states and a threat is a path to some with (Beyer, 20 Jun 2026). Lamellae, in turn, focuses on privileged relationships rather than on conventional data flows and enumerates eight relation types: Physical, Logical, Sequential, Configuration, Control, Reflective, Access, and Protective (Musavi et al., 2018).
These primitives are complementary. Threat actors and roles describe agency; assets and invariants specify what must be preserved; edges and privileged relations describe how influence crosses trust boundaries. The distinction between authorization and authority is particularly important in modern multidomain models. TRACE treats authority as what a role can cause even when permission checks are formally satisfied, which makes “authorized-but-malicious” behavior a first-class threat instead of an edge case (Beyer, 20 Jun 2026). Lamellae reaches a similar conclusion from the opposite direction: architectural attacks often exploit legitimate, by-design privileged relations between hardware, firmware, and software rather than straightforward software defects (Musavi et al., 2018).
The result is a broader threat semantics than traditional component-centric enumeration. In smart grids, attacker feasibility is tied to real vulnerabilities in SCADA, RTUs, PLCs, PAS, AMI, DRS, and GIS rather than to abstract attacker powers alone (Ríos et al., 2024). In industrial CPS, STRIDE threats are applied to DFD elements and then extended into ATT&CK ICS attack paths (Saurabh et al., 2023). In computing platforms, the design structure matrix captures which component can influence which other component, so that “layer violations” and couplings become directly visible (Musavi et al., 2018).
3. Analytical workflow and quantitative apparatus
The literature offers several concrete workflows for constructing six-domain or six-domain-compatible models. TMAP defines a six-step process consisting of Architectural setup, Data Flow Diagrams (DFDs), Asset identification, Threat modeling, Attack path creation, and Vulnerability scoring (Saurabh et al., 2023). The method begins with a Purdue-based industrial architecture, uses the Microsoft Threat Modeling Tool to generate STRIDE threats from DFDs, maps those threats to MITRE ATT&CK for ICS tactics and techniques, and then prioritizes them with CVSS base, temporal, and environmental metrics (Saurabh et al., 2023).
Lamellae replaces DFD-centric analysis with a hardware-software system security architecture encoded as a Design Structure Matrix. Its workflow proceeds through determination of the target platform, component identification, relation identification, DSM construction, and HINS-based attacker-centric analysis (Musavi et al., 2018). The matrix is then sequenced and inspected for upper-triangular privilege structure, lower-triangular violations, couplings, removed tears, and conditional executions. This is a structural method: dependencies are analyzed as privileged relations among code execution units rather than as application-level data exchanges (Musavi et al., 2018).
TRACE introduces a sequential, gated workflow spanning protocol, systems, and organizational layers: Scope and source inventory, Ingest sources, Construct the TRACE model, STRIDE identification and ranking, Attack trees, Collusion and coordination analysis, and Roadmap and report (Beyer, 20 Jun 2026). Its distinctive feature is an evidence-and-traceability discipline. Each actor, role, asset, invariant, and edge is linked to evidence, and unsupported claims are either removed, rewritten as assumptions, or left as open questions (Beyer, 20 Jun 2026).
The multidimensional strategic-foresight framework contributes a different kind of method. It organizes analysis around the six domains together with Business, Operational, Technological, and Human factors, and it distinguishes intra-domain from inter-domain situational awareness (Onwubiko et al., 2022). Intra-domain awareness supports localized perception, comprehension, and prediction; inter-domain awareness supports “strategic foresight,” that is, prediction based on relationships across domains rather than within a single one (Onwubiko et al., 2022). Quantification is uneven across the literature: TMAP uses CVSS numerically, Lamellae relies on structural matrix diagnostics, and TRACE emphasizes ranking, evidence, and reviewer-gated judgment rather than a single closed-form risk score.
4. Cross-domain attack surfaces and propagation
A six-domain threat model is most informative when it captures not only threats within domains but also attack propagation across domain boundaries. The smart-grid reconstruction is explicit on this point. Its primary attack surfaces are SCADA, GIS, AMI, RTU, PLC, PAS, and DRS, and the vulnerability study identifies 50 products, 164 CPEs, and 203 CVEs across those components (Ríos et al., 2024). Within that corpus, 81.2% of vulnerabilities are exploitable remotely, 60% of CVEs require no user interaction, and the CIA-impact distribution includes high impact on Availability for 48.3% of CVEs, high impact on Integrity for 37.1%, and high impact on Confidentiality for 44.8% (Ríos et al., 2024). Those values ground the claim that adversarial capability must be modeled against real implementations, not only against hypothetical attacker intent.
TMAP presents the same logic in path form. In the electric-power case study, attack paths traverse SCADA, RTU, PLC, sensors, actuators, and cloud components, with cross-domain movement from network compromise to OT manipulation and then to physical effects (Saurabh et al., 2023). Its ATT&CK ICS mapping includes tactics such as Initial Access, Lateral Movement, Inhibit Response Function, Impair Process Control, and Impact, and techniques such as Exploit Public-Facing Application, Remote Services, Rogue Master, Program Download, Modify Alarm Settings, Damage to Property, and Loss of Safety (Saurabh et al., 2023). This is a direct expression of multidomain attack logic: paths are defined by transitions across interfaces, not merely by isolated exploit instances.
The 6G ISAC transportation framework makes these cascades explicit at the radio-control boundary. It identifies three primary domains—cyber-physical, physical-layer, and protocol—and then shows how a physical-layer perturbation can cascade upward. Under jamming or spoofing, the received signal may be written as , where the attacker’s signal corrupts both communication and sensing (Keskin et al., 20 Nov 2025). Spoofed echoes can create ghost objects, corrupted channel state can trigger erroneous handovers or beam tracking, and higher-layer cryptography may remain satisfied while the analog sensing channel is already compromised (Keskin et al., 20 Nov 2025). The six-domain extension proposed there adds Physical Environment / Devices, Cyber-Physical Control, Radio / Physical-Layer, Network / Protocol, Data / AI / ML, and Human / Organizational / Supply Chain, precisely to capture such cascades (Keskin et al., 20 Nov 2025).
TRACE generalizes the same pattern to modern organizations. Its canonical cross-layer failure is that a compromised laptop at the organizational layer accesses CI in the systems layer and ships malicious code that violates protocol invariants at the protocol layer (Beyer, 20 Jun 2026). Here, the “attack surface” is no longer a network perimeter but a set of trust, authority, value, and control edges. Six-domain analysis therefore shifts attention from bounded components to cross-domain edges where harmful capability accumulates.
5. Sectoral instantiations
In smart grids, six-domain reasoning emerges from the decomposition of a cyber-physical utility into physical power assets, OT control infrastructure, ICT services, consumer-side metering, business and market functions, and the human-regulatory layer. The reconstructed model is motivated by a stated gap between academic threat proposals and practitioner agreement, attributed in part to simulation models that do not evaluate threats using attackers’ full capabilities and goals (Ríos et al., 2024). Within this setting, attacker classes include APTs, cybercriminals, hacktivists, insiders, and opportunistic attackers, and the dominant goals include operational disruption, financial gain, espionage or pre-positioning, and safety sabotage (Ríos et al., 2024).
In IIoT and industrial CPS, the six-domain model is procedural as well as architectural. TMAP’s power and manufacturing case studies show how a Purdue-layered system can be decomposed into Physical / Process, Control / OT, Network / Communication, IT / Cloud / Enterprise, Human / Organizational, and Supply Chain / External domains and then populated with DFD assets, STRIDE threats, ATT&CK ICS attack paths, and CVSS severity values (Saurabh et al., 2023). The paper explicitly excludes detailed human-behavior modeling in the IoM case study, which clarifies both the method’s scope and one of its boundaries (Saurabh et al., 2023).
In computing platforms, Lamellae demonstrates that six-domain decomposition can be much lower in the stack. Its x86-64 case study separates application, system software, firmware, hardware devices, out-of-band management, and CPU-level domains, then encodes their relations in a DSM (Musavi et al., 2018). This exposes attack vectors such as BIOS/UEFI bootkits, SMM rootkits, DMA-based attacks, Intel ME compromise, ACPI abuse, and hypervisor rootkits as abuses of privileged hardware-software relationships rather than as ordinary application attacks (Musavi et al., 2018). The methodology is therefore especially suited to architectural attacks in which the critical question is not “what data flows where” but “which component can control or reinterpret which other component.”
In strategic-foresight analysis, the six domains are societal rather than technical: Physical, Cultural, Economic, Social, Political, and Cyber (Onwubiko et al., 2022). The framework overlays these domains with Business, Operational, Technological, and Human factors and treats cross-domain situational awareness as the basis of cyber foresight (Onwubiko et al., 2022). This formulation broadens the threat model beyond technical compromise to include cybersecurity culture, ESG expectations, regulatory pressure, geopolitical cyber operations, and economic incentives. It is therefore suited to strategic planning, policy, and governance rather than only to system design.
In 6G ISAC transportation, the literature begins with a three-domain security view—cyber-physical, physical-layer, and protocol—and then refines it into six conceptual domains by separating devices, control, radio, protocol, data/AI/ML, and human or supply-chain factors (Keskin et al., 20 Nov 2025). The integrated security framework is organized around Authentication Fusion, Cross-Layer Key Generation, Cross-Layer Anomaly Detection, and Dynamic Security Adaptation, each of which consumes evidence from more than one domain (Keskin et al., 20 Nov 2025). A six-domain formulation is thus not merely descriptive; it becomes a design basis for joint protection across sensing, communication, control, and trust.
In distributed, cloud-first, and decentralized organizations, TRACE shows that six-domain analysis can be organized around control planes, supply chains, identity edges, governance, and operational ceremony rather than around classical network zones (Beyer, 20 Jun 2026). The major failure modes are authorized-but-malicious actors, collusion, CI/CD and supply-chain compromise, control-plane takeover, and operational mishandling of high-value actions (Beyer, 20 Jun 2026). The six-domain partition derived from TRACE makes these surfaces explicit and ties them to critical invariants such as deployment integrity, approval integrity, bounded authority, and recovery ability.
6. Limitations, misconceptions, and research directions
A common misconception is that a Six-Domain Threat Model implies one universal set of six domains. The literature does not support that view. Smart grids, IIoT, computing platforms, socio-political foresight, 6G ISAC, and cloud-first organizations all use different six-way decompositions because the dominant trust boundaries and failure modes differ by sector (Ríos et al., 2024, Saurabh et al., 2023, Musavi et al., 2018, Onwubiko et al., 2022, Keskin et al., 20 Nov 2025, Beyer, 20 Jun 2026). The shared principle is multidomain analysis, not terminological uniformity.
A second misconception is that six-domain modeling is inherently quantitative. In practice, quantification is partial and method-dependent. TMAP provides CVSS-based threat scoring but does not specify a formal aggregation rule for attack-path probability or cost (Saurabh et al., 2023). The strategic-foresight framework is explicitly conceptual and does not provide a detailed quantitative methodology for risk scoring or for measuring “level of foresight” (Onwubiko et al., 2022). TRACE uses ranked threats, attack trees, reviewer gates, and evidence traceability, but it also notes the lack of empirical validation, inter-analyst agreement metrics, and fully reproducible severity calibration (Beyer, 20 Jun 2026). Lamellae, similarly, does not introduce a numeric risk score formula; its prioritization is structural and qualitative (Musavi et al., 2018).
A third limitation is incomplete treatment of human and organizational behavior. TMAP explicitly excludes human behavior from detailed modeling in its IoM case study (Saurabh et al., 2023). The smart-grid reconstruction identifies disagreement between practitioners and academic experts on the feasibility and consequences of proposed threats and attributes part of that gap to inadequate simulation models (Ríos et al., 2024). TRACE addresses organizational reality more directly, but its organizational-layer analysis depends on access to real processes, people, and evidence, which may be unavailable in opaque settings (Beyer, 20 Jun 2026).
Current research directions point toward richer cross-domain integration rather than toward simplification. TMAP identifies prediction of financial losses and business-performance impact as future work (Saurabh et al., 2023). The 6G ISAC literature argues that AI should be treated as a first-class security layer and highlights distributed ISAC, near-field ISAC, PQC latency trade-offs, and non-repudiation as open problems (Keskin et al., 20 Nov 2025). TRACE proposes future formalization of invariants and edges in machine-checkable schemas and closer integration with empirical evaluation and collusion analysis (Beyer, 20 Jun 2026). Taken together, these developments indicate that six-domain threat modeling is evolving toward more explicit treatment of authority, supply chain, AI-mediated control, and socio-technical governance, while retaining its defining claim: modern threats are best understood as multidomain processes with interacting technical, physical, organizational, and institutional consequences.