Threat Modeling for Everyday People
Learn how to identify what you are protecting, who you are protecting it from, and which countermeasures actually matter for your situation.
Threat modeling sounds like something reserved for intelligence agencies and Fortune 500 security teams, but in reality it is one of the most practical exercises any person can do to improve their digital safety. At its core, threat modeling is simply asking — and answering — a handful of structured questions about what you want to protect and from whom.
The Five Key Questions
Every useful threat model starts with the same five questions. You do not need specialized tools or a background in cybersecurity to answer them — just honesty about your own situation.
- What do I want to protect? (Assets — files, messages, identity, location, browsing history, financial data)
- Who do I want to protect it from? (Adversaries — advertisers, data brokers, hackers, an abusive partner, a government)
- How likely is it that I will need to protect it? (Risk — are you a journalist in a hostile country, or a student wanting less tracking?)
- How bad are the consequences if I fail? (Impact — embarrassment vs. physical danger)
- How much trouble am I willing to go through? (Usability trade-offs — convenience vs. security)
Tip: Write your answers down. A threat model that only lives in your head tends to be vague and inconsistent. Even a simple notes document helps you make better decisions later.
Common Threat Profiles
Most people fall into one of a few broad profiles. Identifying yours helps you focus on countermeasures that actually matter instead of chasing every possible hardening guide on the internet.
- General privacy — you want to reduce corporate tracking, data broker exposure, and targeted advertising. Your adversaries are mostly ad-tech companies and data brokers.
- Account security — you want to prevent unauthorized access to your email, banking, and social accounts. Your adversaries are opportunistic hackers and credential-stuffing bots.
- Stalking / domestic threat — you need to prevent a specific person from tracking your location, reading your messages, or accessing your devices. Physical access to devices is a real concern.
- Journalist / activist — you need to protect sources, communications, and sometimes your identity. Your adversaries may include state-level actors with significant resources.
- High-value target — you handle sensitive corporate data, cryptocurrency, or classified information. Targeted, well-funded attacks are plausible.
Turning Your Model into Action
Once you know your profile, map each asset to the specific threats it faces and pick proportionate countermeasures. A good rule of thumb: start with the changes that offer the biggest security improvement for the least effort, then layer on harder measures only where your threat model demands it.
- Use a password manager and enable two-factor authentication on critical accounts (high impact, low effort).
- Switch to a privacy-respecting browser configuration and search engine (moderate impact, low effort).
- Encrypt your devices — full disk encryption on laptops, device encryption on phones (high impact, moderate effort).
- Compartmentalize identities if your threat model requires it (high impact, higher effort).
- Adopt end-to-end encrypted communication for sensitive conversations (high impact, moderate effort).
Warning: Avoid the trap of copying someone else's threat model. A journalist protecting a source has different needs than a parent reducing ad tracking. Over-hardening can make tools so inconvenient you abandon them entirely, which leaves you worse off than a simpler setup you actually use.
Revisit Regularly
Threat models are not static. Your life circumstances change — a new job, a move to a different country, a change in relationship status, or even a new piece of legislation can shift your risk profile. Set a reminder to revisit your threat model every six months, or whenever a major life change occurs.