Threat Modeling

File:NIST Cybersecurity Framework Structure.png

Structured approach to security risk assessment

Threat Modeling is the systematic process of identifying assets, understanding adversaries, and prioritizing protective measures. Essential for both digital security and physical preparedness.

Core Philosophy

Security is not about preventing all attacks - it's about making attacks cost more than they're worth. The goal is to understand your specific situation, not apply generic checklists.

"Security is a trade-off. The question is what you're trading away." — Bruce Schneier

The Five Questions

Every threat model answers:

What are you protecting? (Assets)
Who wants to harm you? (Adversaries)
How might they attack? (Threats)
What's your current exposure? (Vulnerabilities)
What can you realistically do? (Mitigations)

Asset Identification

Digital Assets

Asset Type	Examples	Impact if Compromised
Communications	Email, messages, calls	Privacy loss, relationship damage
Credentials	Passwords, keys, tokens	Account takeover, identity theft
Documents	Notes, drafts, source material	Source exposure, competitive harm
Financial	Banking, crypto, payment info	Direct monetary loss
Location	GPS data, check-ins, photos	Physical safety, stalking risk
Identity	SSN, passport, biometrics	Identity theft, impersonation

Physical Assets

Equipment - Laptop, phone, cameras, storage devices
Documents - IDs, contracts, source notes
Location - Home address, travel patterns, meeting spots
Relationships - Sources, contacts, family

Adversary Analysis

Different adversaries have different capabilities and motivations:

Adversary	Motivation	Capabilities	Time Horizon
Random criminals	Financial gain	Automated tools, phishing	Opportunistic
Targeted hackers	Specific data	Custom attacks, persistence	Weeks-months
Corporations	Data monetization	Legal subpoenas, tracking	Ongoing
State actors	Surveillance, control	Unlimited resources, 0-days	Years
Personal threats	Revenge, control	Physical access, social eng	Variable

Capability Levels

Level 1 - Script Kiddie: Uses existing tools, no custom development. Defeated by basic security hygiene.

Level 2 - Skilled Attacker: Can adapt tools, conduct targeted phishing. Requires dedicated defenses.

Level 3 - Sophisticated Actor: Custom malware, 0-day exploits, infrastructure. Requires compartmentalization.

Level 4 - Nation State: Unlimited budget, legal authority, physical access. Focus shifts to detection and resilience.

Risk Assessment

Probability × Impact Matrix

	Low Impact	Medium Impact	High Impact
High Probability	Accept/Monitor	Mitigate	Priority
Medium Probability	Accept	Accept/Monitor	Mitigate
Low Probability	Accept	Accept	Accept/Monitor

Accept: Risk is tolerable, no action needed Monitor: Watch for changes, prepare response Mitigate: Implement protective measures

Common Threat Vectors

Digital

Phishing: Social engineering via email, SMS, calls. Defense: Verify independently, use hardware keys.

Credential Theft: Password reuse, weak passwords, keyloggers. Defense: Password manager, unique passwords, 2FA.

Device Compromise: Malware, physical access, supply chain. Defense: Updates, full disk encryption, secure boot.

Network Surveillance: ISP monitoring, public WiFi interception. Defense: VPN, Tor, end-to-end encryption.

Metadata Exposure: Location in photos, connection patterns, timing. Defense: Strip metadata, compartmentalize activities.

Physical

Device Seizure: Border crossings, arrests, theft. Defense: Encryption, travel devices, cloud backup.

Surveillance: Cameras, tracking devices, following. Defense: Countersurveillance awareness, pattern disruption.

Social Engineering: Impersonation, pretexting, manipulation. Defense: Verification protocols, skepticism.

Journalist-Specific Considerations

Source Protection

First contact: Never use personal devices. SecureDrop, Signal (new number), or air-gapped systems.

Ongoing communication: Compartmentalized identities, encrypted channels, in-person when possible.

Documentation: Encrypted storage, no cloud services, physical security for notes.

Legal protection: Understand shield laws, document newsgathering purpose.

Operational Security

Need to know: Limit who knows what you're working on
Cover stories: Plausible explanations for research activities
Digital compartmentalization: Separate devices/accounts for sensitive work
Travel security: Burner devices, encrypted cloud, physical safety

Personal Threat Model Template

THREAT MODEL: [Project/Situation Name]
Date: YYYY-MM-DD
Review Date: [Quarterly]

ASSETS:
1. [Asset] - [Sensitivity: Low/Med/High]
2. ...

ADVERSARIES:
1. [Who] - [Motivation] - [Capability Level 1-4]
2. ...

PRIMARY THREATS:
1. [Threat] - [Probability: L/M/H] - [Impact: L/M/H]
   Current Mitigation: [What you're doing]
   Gap: [What's missing]
2. ...

ACTION ITEMS:
- [ ] [Specific action] - [Due date]
- ...

ASSUMPTIONS:
- [What you're assuming is true/safe]
- [Review if situation changes]

Implementation Priorities

Baseline (Everyone)

Password manager with unique passwords
2FA on critical accounts (email, financial)
Device encryption (FileVault, BitLocker, LUKS)
Regular backups (encrypted, tested)
Software updates enabled

Elevated (Journalists, Activists)

Hardware security keys (Yubikey)
Signal for messaging, ProtonMail for email
Compartmentalized devices/accounts
VPN for network privacy
Secure deletion practices

High Risk (Known Targets)

Air-gapped systems for sensitive work
Regular security audits
Physical security protocols
Incident response plan
Legal/organizational support network

PGP - Encrypted communications
Yubikey - Hardware authentication
Digital Security Incident Runbook - When things go wrong

References

EFF Surveillance Self-Defense
Freedom of the Press Foundation
CPJ Journalist Security Guide
Bruce Schneier's writing on security trade-offs

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security