We often fishtail through our security architecture, from trust designs to threat models and back to trust designs. Let me explain.
The first thing we seem to do (particularly on the web) when designing security is to suggest that we encrypt all communications. Why is beyond me, since data-in-transit is probably the least of our security problems. But that is what we do. During implementation, however, we find out that the overhead associated with encryption is too high to meet the needs of our (new) application, so we shift into threat mode, suggesting that we will just catch all the bad stuff through monitoring. Of course, that doesn’t work, so we eventually shift back to some combination of both, mixing the trust and the threat in a way that makes sense to the enterprise.