Print bookPrint book

What is threat modeling?

Site: Privacy Guides Online Learning
Course: Basics of Personal Threat Modeling
Book: What is threat modeling?
Printed by: Guest user
Date: Friday, May 23, 2025, 10:05 AM

Description

A threat model is a list of the most probable threats to your security and privacy endeavors. In this short guide we'll cover the questions you'll need to ask to create this list.

Table of contents

1. Introduction

Balancing security, privacy, and usability is one of the first and most difficult tasks you'll face on your privacy journey. Everything is a trade-off: The more secure something is, the more restricting or inconvenient it generally is, etc. Often, people find that the problem with the tools they see recommended is that they're just too hard to start using!

If you wanted to use the most secure tools available, you'd have to sacrifice a lot of usability. And, even then, nothing is ever fully secure. There's high security, but never full security. That's why threat models are important.

So, what are these threat models, anyway?

A threat model is a list of the most probable threats to your security and privacy endeavors. Since it's impossible to protect yourself against every attack(er), you should focus on the most probable threats. In computer security, a threat is an event that could undermine your efforts to stay private and secure.

Focusing on the threats that matter to you narrows down your thinking about the protection you need, so you can choose the tools that are right for the job.

2. Creating a threat model

To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How likely is it that I will need to protect it?
  4. How bad are the consequences if I fail?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

2.1. What you want to protect

An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices themselves may also be assets.

2.2. Who you want to protect it from

To answer this question, it's important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary”. Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

Depending on who your adversaries are, this list might be something you want to destroy after you've finished developing your threat model.

2.3. The risks you're facing

Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Assessing risks is both a personal and subjective process. Many people find certain threats unacceptable, no matter the likelihood they will occur, because the mere presence of the threat is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

2.4. Identify the consequences

There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries differ widely, as do their tactics. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all of your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

2.5. Put in a reasonable effort

There is no perfect option for security. Consider how much trouble you're actually willing to go through to eliminate these risks. Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.

For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.