Threat Modeling: How to Know What You Actually Need to Protect
A practical framework for figuring out what you're actually protecting, who you're protecting it from, and how much effort that genuinely warrants.
The Basics
What It Is
Threat modeling is a structured way of assessing your personal situation: what you have that's worth protecting, who might want it, and what the realistic consequences are if they get it. It's the difference between applying someone else's checklist and actually understanding your own situation.
A threat model is a way of thinking that shapes every tool choice and habit you develop. Once you have one, even a rough one, you stop asking "is this app safe?" and start asking the right question: "safe enough for what I'm trying to do, against who I'm worried about?"
How It Works
The Electronic Frontier Foundation's Surveillance Self-Defense guide breaks threat modeling into five questions. Together they take you from vague concerns to a clear, calibrated picture of what you need.
1. What do you want to protect?
Start with your assets, the specific things that would cause real harm if exposed. Your physical location. The contents of your messages. Financial account access. Health information. Work documents. The contacts and sources you communicate with. It's important to be concrete. "Everything" isn't a useful answer, and treating everything as equally sensitive means you'll burn out trying to protect things that don't really matter to you.
2. Who do you want to protect it from?
People tend to be binary about this: they often assume they're being targeted by nation-states (most aren't) or assume nobody cares about their data at all (they're definitely wrong about that).
Your actual adversaries might be commercial data brokers harvesting behavioral data at scale. They might be opportunistic criminals looking for easy targets. They could be a specific motivated individual: an abusive ex, a stalker, a hostile employer. In rarer cases, for journalists and activists, they're state-level actors with real technical resources. Each of these adversaries requires a completely different response.
3. How likely is it that you'll need to protect it?
This question is really asking for honest risk assessment. Not reassurance, but also not paranoia. Most people aren't being actively targeted by sophisticated surveillance operations. Recognizing that is accurate calibration, not naivety. At the same time, someone who attends political protests or is documenting workplace misconduct should answer this very differently than someone whose main concern is spam.
4. How bad are the consequences if you fail?
A leaked embarrassing photo is not the same as a disclosed location to someone who wants to harm you. A breached email account is not the same as an exposed source network for a journalist. High-risk scenarios justify real inconvenience. Lower-risk scenarios don't require the same investment. Being honest here keeps you from over-protecting things that don't matter, while actually protecting the things that do.
5. How much effort are you willing to sustain?
A tool that offers better protection in theory but gets abandoned in two weeks offers zero protection. Sustainable moderate security beats theoretical maximum security you don't actually use. And the people you communicate with have to be willing to use your tools too, or they're useless.
Understanding Common Archetypes
Answering those five questions can help you craft a threat model. Most people fall roughly into one of these profiles, or archetypes. These are generic illustrations, not meant to be taken too literally; they're just here to make the concept of a threat model more tangible. If you'd rather work through the five questions interactively and get placed among these archetypes automatically, the SPA Quiz is the fastest path to a personalized starting point.
The Everyday User
Primarily worried about data brokers, advertising surveillance, and account compromise. Their adversaries are commercial collectors and opportunistic criminals. What they normally need: a password manager, two-factor authentication on important accounts, a privacy-respecting browser and search engine, and better messaging habits with friends and family. That covers many meaningful improvements for the majority of people.
The Working Professional
Has work accounts, company devices, and professional responsibilities that raise the stakes beyond the everyday user baseline. Their adversaries are largely the same, but a professional email compromise or device breach now carries consequences beyond just personal data. What they normally need is everything the everyday user has, plus deliberate separation between work and personal devices and accounts, and stronger habits around passwords and two-factor authentication specifically for work credentials.
The Family Guardian
Managing digital safety not just for themselves, but for a household that includes people with different skill levels like children or less tech-savvy family members. Their adversaries include data brokers, predatory platforms harvesting family data, and account compromise rippling across shared devices. What they normally need is everything the everyday user has, extended to the whole household: a family-friendly password manager, parental controls on shared devices, age-appropriate messaging tools, and the patience to help others build habits they'll actually stick with.
The Professional Handling Sensitive Data
A lawyer, therapist, accountant, or executive will need everything above, plus safe channels for client communications and careful separation of work and personal devices. Sophisticated surveillance probably isn't their concern; inadvertent leaks and credential attacks are. A public-facing role also means extra attention to security, since higher visibility creates more incentive for targeting.
The Journalist or Activist
May face adversaries with genuine technical resources, potentially including state actors. They need strong operational security, end-to-end encrypted communications with strong metadata protection, anonymous browsing capability, and sustained discipline across every device they use. The more advanced sections of this wiki become directly relevant here.
The Person Leaving a Dangerous Situation
Needs to protect their location and communications from a specific, highly motivated individual who may already have access to their devices and accounts. Checking for monitoring software, securing accounts, managing location metadata carefully, and understanding what data is stored where are immediate priorities.
The Complicated, Dynamic Reality
Few people fit cleanly into a single archetype. Most are everyday users who are also working professionals, or family guardians with some sensitive data to protect. Blends are the norm, which is why the quiz produces hybrid scores rather than a single label.
Threat models also change. A new job, a relationship shift, a more public profile: any of these can change what matters and who's looking. Revisiting your model periodically and being honest when your situation changes is part of the practice.
Why It Matters
Two people download the same app, a family location-sharing tool: the kind that lets parents see where their kids are, lets couples share their commute, lets friends coordinate meetups. These can be convenient and can even keep people safe.
For one of those people, it stays that way: they get injured on a run and their partner is able to find them quickly. But for the other, a woman who has quietly left an abusive relationship and moved to a new address, that app is still running on a device her ex has access to. The same feature designed to keep families safe is now telling someone potentially dangerous exactly where she is.
Same app. Same decision to install it, but completely different stakes.
This is why "is this app safe?" is almost never the right question. Every tool exists in the context of something else. The right question is always: "safe enough for my situation, against the specific risks I actually face?" Without a threat model, you're really just guessing.
Guessing wrong has consequences. Applying a journalist's security setup to an everyday situation creates exhausting overhead that leads to abandoning all of it. Applying an everyday user's setup to a high-risk situation can leave dangerous gaps that look like protection. This is why developing a sense for a threat model is one of the most important parts of the journey, and one that should never be skipped.
One of the most underrated benefits of establishing a good threat model is that it tells you when you've done enough (for now). Privacy advice has no natural stopping point: you can always add another layer, switch to a more obscure tool, or restrict another service. A threat model can help give you a healthy stopping point, at least until you re-assess.
Common Misconceptions
"There's a correct threat-modeling framework I need to find."
There normally isn't. The EFF's five questions, STRIDE, LINDDUN, and most other frameworks are useful for working through your situation, but it's rare for one of them to function as a definitive answer. Generally, the point is to develop a way of thinking that becomes second nature, not to find the "right form" to fill in.
"Threat modeling means picking better tools."
Tools come last. Thirty minutes of honest brainstorming about what you actually have at stake and who could realistically come after it will shape your tool choices far more than starting with "should I switch to Signal" or "do I need Tor." Pick the problem first, and the right tools become obvious once you do.
"If I'm not a journalist or activist, I don't need a threat model."
Everyone has a threat model whether they've articulated it or not. The everyday user has data brokers, credential thieves, and platform surveillance to think about. Those are real adversaries, just very different from a state actor. Saying "this doesn't apply to me" is actually itself part of a threat model, just likely an unexamined one.
"Once I have a threat model, I'm done."
Threat models drift. A new job, a public profile, a relationship change, a move to a different country: any of these can change what matters and who's looking. Revisiting your model on something like an annual cadence (or any time your life changes) is part of the practice.
Henry's Take
Threat modeling is one of those concepts that gets cited constantly but executed rarely. If two people actually share the same threat model, the difference between most of their tool choices is likely pretty small. When I'm lurking in communities online and I read polarized discussions about whether a tool is "good" or "safe", it's almost always a threat model mismatch posing as a tool debate. One of the most dangerous patterns I see is people with higher threat models imposing their requirements on others who genuinely don't need the same degree of protection.
The frameworks in this article are training wheels. You use them while building the muscle, and over time you stop needing the explicit checklist and start making calls automatically. That's the long-term goal: not a finished threat-model artifact in Obsidian, but a way of thinking that's internalized. Once you get there, most of the debates the community loves to have over tools become largely noise. The single highest-leverage thing you can do is spend thirty minutes brainstorming honest answers to the five questions before touching any tool. People who do this once read every privacy recommendation differently from then on.
Henry's Picks
Threat modeling is one of the rare topics where the "tool" is a structured exercise, not a piece of software.
- SPA Quiz: A short, situation-based assessment that translates "what's my life like" into actionable advice to help craft your first threat model. The fastest path to a personalized starting point.
- EFF Surveillance Self-Defense: Your Security Plan: The five-question framework explained above, in EFF's own words. Free, well-written, and as practical as any resource on the internet for self-assessment.
- A blank document and thirty minutes. Brainstorm honest answers to the five questions. Doing it once changes how you read every privacy recommendation from then on.
Go Deeper
Techlore content:
- Go Incognito v2, Lesson 1.6: The Convenience Tradeoff & Building Your Threat Model