Adam Shostack is incredibly smart - and he also happens to be responsible for managing the threat modeling aspect of the SDL these days. He's got a nice 10-page paper on threat modeling here - very much worth the read if you're into that sort of thing: http://blogs.msdn.com/sdl/archive/2008/10/08/experiences-threat-modeling-at-microsoft.aspx