Introduction

Nothing is really fully secure. You can have good or even really good security, but you can’t have absolute security. This is where threat models come into play.

A threat model is, as the name suggests, a model for the threats you want to protect against. You can’t protect against every attacker, so the idea of the threat model is to prepare for the most probable attacker (or attackers you particularly don’t want getting in).

Creating a Threat Model

You should begin by asking yourself what information you really value. Generally, the basis should be your PII (personally identifiable information). You should be asking yourself:

  • What do I want to protect?
  • Who do I want to protect it from?
  • How likely is it that I will need to protect it?
  • How bad are the consequences if I fail?
  • How much trouble am I willing to go through to try to prevent potential consequences?

What do I want to protect?

Think in terms of specific categories of information. For example,

  • Medical records (conditions, prescriptions, diagnoses, etc. you wouldn’t want to share willy nilly);
  • Financial credentials (bank logins, crypto wallet seeds, tax records);
  • Private communications (messages to partners, friends, or even whistleblower resources);
  • Identity links (real name tied to online aliases, esp. if your public work could draw harassment or state attention);
  • Location data (GPS traces, home address, school/work commute patterns).

Not everything needs extreme protection. For example, your school email address is already tied to your identity by design; protecting it like a top-secret key would waste effort. A good threat model prioritizes what really matters to you.

Who do I want to protect it from?

Different adversaries imply different strategies.

  • Corporations aggregate behavioral data to profile, manipulate, or sell access to you;
  • Governments surveil citizens, censor dissent, and criminalize journalism (just see the US’s history of prosecuting whistleblowers and violating the Fourth Amendment to prosecute journalists they don’t like as well);
  • Criminals attack using ransomware, scams, identity theft, etc.;
  • Acquaintances are friends, partners, or coworkers who might misuse access to your devices/accounts;
  • Advertisers/data brokers don’t necessarily “hack” you, but they do quietly track and monetize everything you do.

You usually don’t need to defend your homework from the NSA, but if you’re investigating government misconduct, you might want to. Or, as a milder example, if you want to protect your location data from corporations and advertisers, you’d want to stop using Google Maps.

How likely is it that I will need to protect it?

Estimate realistic probabilities.

  • Very likely things would include spam, phishing, data brokerage, and device theft;
  • Moderately likely things would include credential leaks and account takeovers from reused passwords;
  • Less likely things would include targeting by the state, government surveillance, etc., unless you’re politically exposed.

For example, it is certain that your data will be scraped by advertisers if you use any major social platform. It’s less likely that someone will attempt to break into your encrypted disk unless they have a concrete motive.

How bad are the consequences if I fail?

  • Losing a troll account? Minor inconvenience.
  • Leaking a private photo? Personal and reputational harm.
  • Revealing whistleblower communications? Legal risk, physical danger.
  • Exposing financial keys or medical data? Irreversible loss.

Knowing the consequences in relation to what you value helps prioritize defense of certain things in your threat model. Full disk encryption is worth the setup pain for sensitive data (it’s actually pretty easy now with something like VeraCrypt) but overkill for public notes.

How much trouble am I willing to go through to prevent potential consequences?

Security is always a tradeoff with convenience.

  • Using strong passwords and a password manager is very low friction, high payoff;
  • Using Tor is higher friction, but justified for certain use cases;
  • Avoiding all big tech services (or de-googling!) gives pretty good privacy, but comes at significant social and usability cost (esp. in an area like Del Norte).

If your threat model involves avoiding corporate surveillance, you might accept the friction of using FOSS tools and self-hosted services. If you’re mostly avoiding credential theft, strong passwords and MFA might be enough.
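The five questions above are really one procedure: list what you value, name the adversary for each item, estimate likelihood and impact, then spend the friction you can tolerate on the highest-ranked risks first. The script below walks that procedure end to end. It is an added example written for this page, not the interactive model that follows, and everything in it (the 1–4 scales, the threat and defense lists, which adversaries a given defense “covers”) is a constructed assumption chosen to mirror the categories discussed in the text.

```python
"""Added example: a small threat-model prioritizer that walks the five questions.
All scales, sample threats, defenses and coverage sets are constructed for illustration."""
from dataclasses import dataclass

# Coarse ordinal scales (assumption: the exact numbers matter less than the ordering).
LIKELIHOOD = {"very likely": 3, "moderately likely": 2, "less likely": 1}
IMPACT = {"minor": 1, "personal": 2, "severe": 3, "irreversible": 4}
FRICTION = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    asset: str        # What do I want to protect?
    adversary: str    # Who do I want to protect it from?
    likelihood: str   # How likely is it that I will need to protect it?
    impact: str       # How bad are the consequences if I fail?


@dataclass(frozen=True)
class Defense:
    name: str
    friction: str           # How much trouble am I willing to go through?
    covers: frozenset[str]  # adversaries this defense meaningfully slows down (assumed)


def score(t: Threat) -> int:
    """Likelihood x impact: a crude expected-harm number used only for ranking."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def rating(t: Threat) -> str:
    s = score(t)
    return "High" if s >= 8 else "Moderate" if s >= 4 else "Low"


def plan(threats, defenses, friction_budget):
    """Rank threats, then spend the friction budget on the highest-ranked ones first.
    For each threat whose adversary is not yet covered, the cheapest untaken defense
    that covers it is chosen if it fits the remaining budget. Returns
    (ranked threats, chosen defenses, gaps); gaps are High/Moderate threats
    that ended up with no chosen defense at all."""
    ranked = sorted(threats, key=score, reverse=True)
    chosen, budget = [], friction_budget
    for t in ranked:
        if any(t.adversary in d.covers for d in chosen):
            continue  # already covered by a defense picked for a higher-ranked threat
        options = sorted((d for d in defenses if t.adversary in d.covers and d not in chosen),
                         key=lambda d: FRICTION[d.friction])
        for d in options:
            if FRICTION[d.friction] <= budget:
                chosen.append(d)
                budget -= FRICTION[d.friction]
                break
    gaps = [t for t in ranked if rating(t) != "Low"
            and not any(t.adversary in d.covers for d in chosen)]
    return ranked, chosen, gaps


# Constructed sample inputs, drawn from the asset and adversary categories in the text.
THREATS = [
    Threat("bank logins", "criminals", "very likely", "irreversible"),        # phishing
    Threat("location data", "advertisers", "very likely", "personal"),        # app tracking
    Threat("private communications", "governments", "less likely", "severe"),
    Threat("school email", "acquaintances", "moderately likely", "minor"),
]
DEFENSES = [
    Defense("password manager + MFA", "low", frozenset({"criminals"})),
    Defense("full disk encryption", "low", frozenset({"criminals", "acquaintances"})),
    Defense("Tor Browser", "medium", frozenset({"governments", "corporations"})),
    Defense("stop using Google Maps / de-google", "high", frozenset({"corporations", "advertisers"})),
]


def example(friction_budget=4):
    """Run the plan on the sample data; returns (ranked labels, chosen names, gap assets)."""
    ranked, chosen, gaps = plan(THREATS, DEFENSES, friction_budget)
    return ([f"{rating(t)}: {t.asset} vs {t.adversary}" for t in ranked],
            [d.name for d in chosen],
            [t.asset for t in gaps])


if __name__ == "__main__":
    labels, picks, gaps = example()
    print("\n".join(labels))
    print("Defenses within budget:", picks)
    print("Uncovered High/Moderate threats:", gaps)
```

Lowering the budget is the interesting experiment: with `example(1)` only the password manager fits, and the Moderate location-data threat shows up as an uncovered gap, which is exactly the tradeoff the last question is asking you to make explicit rather than discover later.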

Further Reading

  • https://ssd.eff.org/module/your-security-plan

Really Simple Threat Model

For exploration purposes. Obviously this is not exhaustive at all, but it should help with getting a general idea.
