It’s challenging to know the place to start to deal with all of them. It’s equally as not easy to know when to stop. Threat modeling may help. Existing critiques is often bucketed into two most important categories: perimeter protection and attack vulnerabilities. Also, it doesn't account for attacks https://www.researchgate.net/publication/365308473_Development_of_Cyber_Attack_Model_for_Private_Network