File:NIST Cybersecurity Framework Structure.png

Threat Modeling is the systematic process of identifying assets, understanding adversaries, and prioritizing protective measures. Essential for both digital security and physical preparedness.

Security is not about preventing all attacks - it's about making attacks cost more than they're worth. The goal is to understand your specific situation, not apply generic checklists.

"Security is a trade-off. The question is what you're trading away." — Bruce Schneier

Every threat model answers:

1. What are you protecting? (Assets)
2. Who wants to harm you? (Adversaries)
3. How might they attack? (Threats)
4. What's your current exposure? (Vulnerabilities)
5. What can you realistically do? (Mitigations)

Asset Type	Examples	Impact if Compromised
Communications	Email, messages, calls	Privacy loss, relationship damage
Credentials	Passwords, keys, tokens	Account takeover, identity theft
Documents	Notes, drafts, source material	Source exposure, competitive harm
Financial	Banking, crypto, payment info	Direct monetary loss
Location	GPS data, check-ins, photos	Physical safety, stalking risk
Identity	SSN, passport, biometrics	Identity theft, impersonation

• Equipment - Laptop, phone, cameras, storage devices
• Documents - IDs, contracts, source notes
• Location - Home address, travel patterns, meeting spots
• Relationships - Sources, contacts, family

Different adversaries have different capabilities and motivations:

Adversary	Motivation	Capabilities	Time Horizon
Random criminals	Financial gain	Automated tools, phishing	Opportunistic
Targeted hackers	Specific data	Custom attacks, persistence	Weeks-months
Corporations	Data monetization	Legal subpoenas, tracking	Ongoing
State actors	Surveillance, control	Unlimited resources, 0-days	Years
Personal threats	Revenge, control	Physical access, social eng	Variable

Level 1 - Script Kiddie: Uses existing tools, no custom development. Defeated by basic security hygiene.

Level 2 - Skilled Attacker: Can adapt tools, conduct targeted phishing. Requires dedicated defenses.

Level 3 - Sophisticated Actor: Custom malware, 0-day exploits, infrastructure. Requires compartmentalization.

Level 4 - Nation State: Unlimited budget, legal authority, physical access. Focus shifts to detection and resilience.

	Low Impact	Medium Impact	High Impact
High Probability	Accept/Monitor	Mitigate	Priority
Medium Probability	Accept	Accept/Monitor	Mitigate
Low Probability	Accept	Accept	Accept/Monitor

Accept: Risk is tolerable, no action needed Monitor: Watch for changes, prepare response Mitigate: Implement protective measures

Phishing: Social engineering via email, SMS, calls. Defense: Verify independently, use hardware keys.

Credential Theft: Password reuse, weak passwords, keyloggers. Defense: Password manager, unique passwords, 2FA.

Device Compromise: Malware, physical access, supply chain. Defense: Updates, full disk encryption, secure boot.

Network Surveillance: ISP monitoring, public WiFi interception. Defense: VPN, Tor, end-to-end encryption.

Metadata Exposure: Location in photos, connection patterns, timing. Defense: Strip metadata, compartmentalize activities.

Device Seizure: Border crossings, arrests, theft. Defense: Encryption, travel devices, cloud backup.

Surveillance: Cameras, tracking devices, following. Defense: Countersurveillance awareness, pattern disruption.

Social Engineering: Impersonation, pretexting, manipulation. Defense: Verification protocols, skepticism.

First contact: Never use personal devices. SecureDrop, Signal (new number), or air-gapped systems.

Ongoing communication: Compartmentalized identities, encrypted channels, in-person when possible.

Documentation: Encrypted storage, no cloud services, physical security for notes.

Legal protection: Understand shield laws, document newsgathering purpose.

• Need to know: Limit who knows what you're working on
• Cover stories: Plausible explanations for research activities
• Digital compartmentalization: Separate devices/accounts for sensitive work
• Travel security: Burner devices, encrypted cloud, physical safety

THREAT MODEL: [Project/Situation Name]
Date: YYYY-MM-DD
Review Date: [Quarterly]

ASSETS:
1. [Asset] - [Sensitivity: Low/Med/High]
2. ...

ADVERSARIES:
1. [Who] - [Motivation] - [Capability Level 1-4]
2. ...

PRIMARY THREATS:
1. [Threat] - [Probability: L/M/H] - [Impact: L/M/H]
   Current Mitigation: [What you're doing]
   Gap: [What's missing]
2. ...

ACTION ITEMS:
- [ ] [Specific action] - [Due date]
- ...

ASSUMPTIONS:
- [What you're assuming is true/safe]
- [Review if situation changes]

• Password manager with unique passwords
• 2FA on critical accounts (email, financial)
• Device encryption (FileVault, BitLocker, LUKS)
• Regular backups (encrypted, tested)
• Software updates enabled

• Hardware security keys (Yubikey)
• Signal for messaging, ProtonMail for email
• Compartmentalized devices/accounts
• VPN for network privacy
• Secure deletion practices

• Air-gapped systems for sensitive work
• Regular security audits
• Physical security protocols
• Incident response plan
• Legal/organizational support network

• PGP - Encrypted communications
• Yubikey - Hardware authentication
• Digital Security Incident Runbook - When things go wrong

• EFF Surveillance Self-Defense
• Freedom of the Press Foundation
• CPJ Journalist Security Guide
• Bruce Schneier's writing on security trade-offs

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security