Is there any way to have a good effort time estimation of a Threat Modeling and Risk Assessment activity for an internal infrastructure (about 30 active nodes)?
In general, is it possible to find a “best practice” to estimate effort time for an activity that detects threats by using Threat Modelling and estimates the risk of threats by following a standard template, such as the OWASP Risk Rating score?
Or, according to your experience, is it better to have a “time material” approach for this type of activity?
Thank you in advance.