Security advice often treats everyone the same. Use a VPN. Encrypt everything. Run Tor. But here is the reality: a freelance graphic designer and an investigative journalist covering organized crime face very different threats and need very different defenses. Spending time and money on security measures that do not match your actual risks is wasteful at best and dangerously distracting at worst.

Threat modeling is the process of systematically thinking about what you need to protect, who might want to compromise it, and what the realistic consequences would be. It is how security professionals prioritize their defenses, and it is something everyone can do.

The Four Key Questions

Every threat model starts with four fundamental questions:

1. What Do I Want to Protect?

These are your assets. For most people, they include email accounts, financial accounts, personal photos and documents, health records, identity information (Social Security number, passport), and digital communications. Make a list. Be specific. The things you care most about protecting should receive the most attention.

2. Who Do I Want to Protect It From?

These are your adversaries. They might be opportunistic criminals running automated credential-stuffing attacks, a jealous ex-partner with knowledge of your habits, a government surveillance program, corporate data brokers, or a targeted attacker with specific interest in your work. Different adversaries have vastly different capabilities. A script kiddie running automated tools is a fundamentally different threat from a nation-state intelligence agency.

3. How Likely Is It That I Will Need to Protect It?

This is your risk assessment. Even if a threat exists in theory, how probable is it for someone in your specific situation? Almost everyone faces the risk of credential theft through data breaches. Very few people face the risk of a targeted state-sponsored attack. Focus your energy on the threats most likely to actually affect you.

4. How Bad Are the Consequences If I Fail?

This is your impact analysis. A compromised social media account is inconvenient. A compromised bank account is financially devastating. A compromised email account for a journalist could endanger sources' lives. The severity of potential consequences should drive how aggressively you invest in protection.

Common Threat Models by Persona

Average Person

Primary threats include credential theft through data breaches, phishing attacks, and device loss or theft. Defense priorities should focus on using a password manager with unique passwords for every account, enabling two-factor authentication on all important accounts, keeping devices updated and using screen locks, and being cautious with links and attachments in emails and messages.

Journalist or Activist

In addition to the baseline threats, journalists and activists may face government surveillance, targeted attacks on their communications, and efforts to identify their sources. Defense priorities expand to include end-to-end encrypted messaging for source communications, encrypted storage for sensitive documents, awareness of metadata exposure, compartmentalization of identities, and secure communication practices.

Business Professional

Business travelers and executives face threats such as corporate espionage, targeted spear phishing, and device compromise during travel. Defense priorities include using dedicated travel devices with minimal data, VPN usage on untrusted networks, awareness of shoulder surfing and visual eavesdropping, and careful management of what information is shared publicly on professional networks.

High-Net-Worth Individual

Wealth attracts targeted scams, SIM-swapping attacks to take over phone-based authentication, and physical security concerns that intersect with digital security. Defense priorities include hardware security keys instead of SMS-based authentication, limited public exposure of personal information, enhanced privacy settings across all platforms, and coordination between physical and digital security measures.

Applying Your Threat Model

Once you have answered the four questions, you can make informed decisions about where to invest your security effort:

  • Match security measures to actual risks — If your primary threat is credential theft from data breaches, a password manager and two-factor authentication provide enormous protection. If you face targeted surveillance, you need end-to-end encryption and operational security practices.
  • Do not over-invest in unlikely threats — If you are not being targeted by a nation-state, you probably do not need to communicate exclusively through Tor and air-gapped computers. Disproportionate security measures add friction and can cause you to abandon them entirely.
  • Focus on highest-impact vulnerabilities first — Address the areas where a breach would cause the most damage. For most people, securing their primary email account is more important than encrypting their hard drive, because email is the recovery mechanism for almost everything else.

The Security and Convenience Balance

Security that is too inconvenient will not be used. This is not a character flaw; it is human nature. The goal is not maximum security but appropriate security.

  • Security has diminishing returns — Going from no password manager to using one is a massive security improvement. Going from a strong password manager to an air-gapped system for password generation provides marginal improvement for most people at enormous cost in convenience.
  • Find your personal sweet spot — The right level of security is the one you will actually maintain consistently. A moderately secure setup that you use every day beats a highly secure setup that you abandon after a week.
  • Reassess periodically — Your threat model changes as your circumstances change. A new job, a move to a different country, a change in public visibility, or a shift in the political landscape can all alter your risk profile. Review your threat model at least once a year.

A Practical Framework

To put threat modeling into practice right now, try this exercise:

  1. List your top five digital assets — What accounts, data, or devices would hurt most to lose? For most people, this is their primary email, banking, cloud storage, social media, and phone.
  2. Identify the most likely threat to each — For email, it might be a phishing attack. For banking, it might be credential reuse from a data breach. For your phone, it might be theft.
  3. Implement proportional defenses — Enable two-factor authentication on your email and banking. Use unique passwords everywhere via a password manager. Set up a screen lock and enable remote wipe on your phone. These three steps alone address the most likely threats for the vast majority of people.
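The exercise above can be worked through as a small risk register. The following Python sketch is an added example, not part of the original article: it scores each asset as likelihood times impact (questions 3 and 4) and propagates impact through account-recovery links, which shows why the primary email account ranks first. The 1-5 scores, the `recovers_via` links, and all names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    threat: str        # most likely threat to this asset (step 2)
    likelihood: int    # 1-5, constructed estimate (question 3)
    impact: int        # 1-5, constructed estimate (question 4)
    defense: str       # proportional defense (step 3)
    recovers_via: list = field(default_factory=list)  # assets able to reset this one

# Constructed sample data: the five assets named in the exercise.
ASSETS = [
    Asset("email", "phishing", 4, 3, "two-factor authentication"),
    Asset("banking", "credential reuse from a data breach", 3, 5,
          "unique password + two-factor authentication", ["email"]),
    Asset("cloud storage", "credential reuse from a data breach", 2, 4,
          "unique password via password manager", ["email"]),
    Asset("social media", "phishing", 3, 2,
          "unique password via password manager", ["email"]),
    Asset("phone", "theft", 2, 4, "screen lock + remote wipe"),
]

def effective_impact(asset, assets):
    """Worst impact among the asset and everything resettable through it."""
    worst, stack, seen = asset.impact, [asset.name], {asset.name}
    while stack:
        current = stack.pop()
        for other in assets:
            # 'other' can be taken over once 'current' is compromised
            if current in other.recovers_via and other.name not in seen:
                seen.add(other.name)   # guards against recovery loops
                stack.append(other.name)
                worst = max(worst, other.impact)
    return worst

def rank(assets, propagate=True):
    """Return (name, score, threat, defense) rows, highest risk first."""
    rows = []
    for a in assets:
        impact = effective_impact(a, assets) if propagate else a.impact
        rows.append((a.name, a.likelihood * impact, a.threat, a.defense))
    return sorted(rows, key=lambda r: -r[1])  # stable: ties keep input order

if __name__ == "__main__":
    for name, score, threat, defense in rank(ASSETS):
        print(f"{score:>3}  {name:<14} {threat} -> {defense}")
```

Calling `rank(ASSETS, propagate=False)` gives the ranking without recovery links, where banking rather than email comes out on top.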

The Takeaway

Threat modeling is not about achieving perfect security. It is about making deliberate, informed choices about where to direct your limited time and attention. By understanding your specific risks, you can stop worrying about exotic threats that do not apply to you and focus on the defenses that will actually make a difference in your life.

Security is personal. Your threat model should be too.
