In the context of application security engineer, which principle most directly governs app security engineer threat modeling practices?