Threat Modeling

Know Your Adversary, Protect What Matters

What is Threat Modeling?

Threat modeling is a structured process for identifying security threats and vulnerabilities, then determining countermeasures to prevent or mitigate their effects. It answers four fundamental questions:

The Four Questions
  1. What are you protecting? (Assets)
  2. Who are you protecting it from? (Adversaries)
  3. How likely is it you'll need to protect it? (Risk)
  4. What are the consequences if you fail? (Impact)

Identify Your Assets

Assets are anything you want to protect. In digital privacy, these typically include:

Asset           Examples                                Category
Identity        Real name, address, photo, biometrics   Personal
Communications  Emails, messages, call records          Data
Location        Home, work, travel patterns             Physical
Financial       Bank accounts, transactions, assets     Financial
Relationships   Contacts, associates, networks          Social
Activities      Browsing history, interests, habits     Behavioral

Know Your Adversaries

Different adversaries have different capabilities, motivations, and resources:

Adversary     Capability   Motivation                              Resources
Corporations  High         Profit (advertising, data sales)        Massive
Governments   Very High    National security, law enforcement      Unlimited
Hackers       Variable     Financial gain, reputation              Limited-High
ISPs          Medium       Profit, legal compliance                Medium
Personal      Low-Medium   Personal vendetta, stalking             Limited

Key Insight: You don't need to defend against everyone. Focus on adversaries relevant to your situation. A journalist protecting sources has different threats than someone avoiding targeted ads.

Assess Risk

Risk is calculated as: Risk = Likelihood × Impact

Likelihood Factors

  • How valuable is your data to the adversary?
  • How visible are you as a target?
  • How easily can the attack be performed?
  • What's the adversary's track record?

Impact Factors

  • What happens if this information is exposed?
  • Can the damage be reversed?
  • Who else might be affected?
  • What are the legal implications?

Risk Matrix

              LOW IMPACT    HIGH IMPACT
LOW RISK    → Accept        → Monitor
HIGH RISK   → Mitigate      → Prioritize
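
A worked risk register for the formula and matrix above, as an added example that is not part of the original page. The 1-5 scales, the threshold of 3 for "high", reading the matrix rows as low/high likelihood, and the sample entries are all assumptions.

```python
from dataclasses import dataclass

# Assumption: 1-5 scales with 3 and above counted as "high"; the page gives no scale.
HIGH = 3

# The page's risk matrix, keyed by (row is high?, impact is high?).
# Assumption: the matrix rows are read as low/high likelihood.
MATRIX = {
    (False, False): "Accept",
    (False, True): "Monitor",
    (True, False): "Mitigate",
    (True, True): "Prioritize",
}


@dataclass(frozen=True)
class Threat:
    asset: str
    adversary: str
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (minor, reversible) .. 5 (severe, irreversible)

    def __post_init__(self):
        # Reject out-of-range scores so a typo cannot silently skew the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def risk(self) -> int:
        # Risk = Likelihood x Impact, as stated on the page.
        return self.likelihood * self.impact

    @property
    def action(self) -> str:
        return MATRIX[(self.likelihood >= HIGH, self.impact >= HIGH)]


def prioritize(threats):
    """Order by risk score, breaking ties on impact (harder to reverse first)."""
    return sorted(threats, key=lambda t: (t.risk, t.impact), reverse=True)


# Constructed sample register for a privacy-conscious consumer.
REGISTER = [
    Threat("Browsing history", "Corporations", 5, 2),
    Threat("Emails", "Hackers", 3, 4),
    Threat("Home address", "Personal", 1, 5),
    Threat("Contacts", "ISPs", 2, 2),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(f"{t.risk:>2}  {t.action:<10} {t.asset} <- {t.adversary}")
```

Two entries can share a score of 5 (likelihood 5, impact 1 versus likelihood 1, impact 5) and still land in different quadrants, which is why the matrix is applied alongside the product.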

Choose Countermeasures

For each high-priority risk, select appropriate defenses:

  1. Avoid: Don't create the risk in the first place. Don't collect data you don't need. Don't use services that track you.
  2. Mitigate: Reduce likelihood or impact. Use encryption, Tor, VPNs, secure messaging. Compartmentalize identities.
  3. Transfer: Shift risk to others. Use services with strong privacy guarantees. Insurance for some risks.
  4. Accept: Some risks aren't worth the cost of mitigation. Document accepted risks and revisit periodically.

Example Threat Models

Journalist Protecting Sources

Primary Adversary: Government agencies seeking source identity
Key Countermeasures: SecureDrop, Tor, encrypted communications, air-gapped devices

Privacy-Conscious Consumer

Primary Adversary: Corporations tracking for advertising
Key Countermeasures: Ad blockers, Firefox with privacy extensions, privacy-respecting alternatives

Activist in Authoritarian Region

Primary Adversary: State surveillance apparatus
Key Countermeasures: Tor with bridges, Tails OS, encrypted messaging, operational security