The Security Editor

Fundamentals

Threat modeling for normal people

You can't defend your documents until you know who you're defending them from. A practical, low-jargon guide to writing your first threat model.

By Alex Trustwell · 6 min read · Beginner
On this page
  1. What are you actually protecting?
  2. Who are you protecting it from?
  3. How bad is it if they get it?
  4. How much work are you willing to do?
  5. Putting it together
  6. What threat modeling is not

Security advice that skips threat modeling is security advice you cannot trust, because the person giving it does not know who you are. “Use a password manager” is right for almost everyone. “Keep your tax returns on an air-gapped laptop in a safe” is right for almost no one. Threat modeling is how you tell the difference.

You do not need a degree in computer science to write a threat model for yourself or your family. You need to answer four questions, in plain English, on a piece of paper.

What are you actually protecting?

Most people, asked what they want to keep private, answer “everything”. That answer is useless because it makes every problem look equally urgent.

Instead, list specific things. Be concrete:

  • Tax returns for the last seven years
  • Photos of my kids
  • Our family’s bank statements and investment records
  • The drafts of a book I am writing
  • Medical records for my mother, whom I care for
  • My clients’ intake forms (for a solo practice)
  • The spare key for a commercial storage unit (scanned into a PDF)

Every item on that list is an asset. You will defend them differently, because they matter for different reasons. Losing the book draft is a productivity disaster, so it is mainly a backup problem. A stranger getting the medical records is a privacy harm, so it is mainly a confidentiality problem. The photos of the kids are irreplaceable but not secret, so they are a backup problem rather than a confidentiality problem. Some items are both: the bank statements are private, and you also need them at tax time.

You will find that writing the list forces a useful decision: what does not need to be on the list at all. Memes saved from group chats; recipes scraped from food blogs; the PDF of the product manual for a toaster. These do not need protection. Stop thinking about them.

Who are you protecting it from?

A threat model without a named adversary is not a threat model; it is anxiety. Be specific:

  • A lost or stolen device. A very common threat for most people. The “attacker” is whoever finds your laptop on a train.
  • Opportunistic malware. A phishing email, a cracked software download, a family member clicking on something they should not have. No one is targeting you; you happened to be in the way.
  • A targeted criminal. Someone doing tax fraud at scale who bought your details from a data breach. They are not going to interview your neighbors, but they will happily drain an account.
  • A hostile individual. An ex-partner, a stalker, a litigious business contact. They know things about you. They will use them.
  • A nation-state or an investigator. Rare for most readers, but not rare if you are, say, a dissident or a journalist working on a sensitive story. This is the only category where your threat model really does require professional advice.

How bad is it if they get it?

For each asset, each adversary: what actually happens if they succeed?

The honest answers range from “I lose an afternoon” to “I lose my job” to “someone gets physically hurt”. Write the answer down next to the asset. Grade the consequences; not everything is a catastrophe.

A useful question to ask here is “How long does the harm last?” A leaked medical record is a harm that compounds over years. A leaked business forecast is a harm that resolves in a quarter. A leaked password is a harm that ends when you rotate the password, provided you notice the leak and did not reuse that password on other accounts.

This is also the question where compliance rules start to matter. If the documents contain health information under HIPAA, or EU residents’ personal data under GDPR, or card data under PCI DSS, the consequence of a breach is not just “bad”; it is “bad plus regulatory action”. Articles in the Compliance topic unpack each of those regimes in plain English.

How much work are you willing to do?

Security costs you something. Money, time, convenience, the patience of the people you live with. A plan that ignores those costs is a plan that will not survive three weeks of normal life.

Be honest about what you will and will not do:

  • Will you run a password manager? Almost certainly yes; the daily cost is low once it is set up.
  • Will you use a hardware security key for your most important accounts? For a small cost (around $50) and a tolerable workflow change, yes.
  • Will you enable full-disk encryption? On modern Macs and most recent Windows laptops it is on by default or offered during setup, but check rather than assume: FileVault on macOS, Device Encryption or BitLocker on Windows. Leave it on, and keep the recovery key somewhere other than the laptop itself.
  • Will you maintain an encrypted off-site backup? Probably yes; it runs itself once set up.
  • Will you use a separate, hardened laptop only for banking? Usually no. The benefit is real but narrow; most people will not keep it up.

When you identify an asset whose consequences are severe, it is worth doing more work to protect it. When the consequences are mild, accept that you are not going to build Fort Knox around a meme folder.

Putting it together

Your threat model fits on one page. Something like:

Who I am: a freelance editor with a small list of paying clients.

What I care about: client manuscripts, signed NDAs, invoices with bank details on them, and my own tax records.

Who I worry about: opportunistic malware on my work laptop; a stolen laptop at a café; a phishing email that tricks me into giving up a cloud login; a disgruntled former client trying to cause trouble.

What I’m willing to do: full-disk encryption everywhere (already on); a password manager with unique passwords on every account; a hardware security key on email and cloud storage; an encrypted off-site backup; client files in a client-side-encrypted cloud folder; MFA on everything that supports it.

What I’m not going to do: maintain a separate banking computer, run my own mail server, or try to live without a smartphone.

Now every security article you read is easier to act on, because you can tell which parts apply to you.

If you are not sure what “full-disk encryption” or “client-side encryption” mean, those are the next articles to read. The Encryption topic takes them one by one, starting plain and going deeper.

What threat modeling is not

It is not a one-off exercise. You should expect to revise your model a couple of times a year, and any time your life changes in a meaningful way: a new job, a new client with strict data rules, a divorce, a child old enough to have their own accounts, a move to a new country.

It is also not a promise of safety. A good threat model is a plan, and plans break. What a threat model gives you is the ability to notice that a plan has broken, and to update it — instead of sitting in the “everything feels unsafe” fog that is where most people live by default.

Pick up a piece of paper. Draw four columns. Start with three assets. The rest comes from there.
