Identify security objective(s)

This step helps keep focus. The main security goal, when making a threat model for authentication, could be something like “Minimize unauthorised and improper use, disclosure, modification, and destruction of content by insiders, based on a set of access policies defined by the organisation and by laws and regulations”