Note: This is a mirror (with minor modifications) of the original article posted by the EFF here.
Trying to protect all your data from everyone all the time is impractical and exhausting. Security is a process, and through thoughtful planning, you can assess what’s right for you. Security isn’t about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.
In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This process is called “threat modeling.”
This guide will teach you how to threat model, or how to assess your risks for your digital information and how to determine what solutions are best for you.
What might threat modeling look like? Let’s say you want to keep your house and possessions safe, here are a few questions you might ask:
What do I have inside my home that is worth protecting?
- Assets could include: jewelry, electronics, financial documents, passports, or photos
Who do I want to protect it from?
- Adversaries could include: burglars, roommates, or guests
How likely is it that I will need to protect it?
- Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?
How bad are the consequences if I fail?
- Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?
How much trouble am I willing to go through to prevent these consequences?
- Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?
Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you may not want to invest too much money in a lock. But, if the risk is high, you’ll want to get the best lock on the market, and consider adding a security system.
Building a threat model will help you to understand threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries’ capabilities, along with the likelihood of risks you face.
What is threat modeling and where do I start?#
Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:
- What do I want to protect?
- Who do I want to protect it from?
- How bad are the consequences if I fail?
- How likely is it that I will need to protect it?
- How much trouble am I willing to go through to try to prevent potential consequences?
Let’s take a closer look at each of these questions.
What do I want to protect?#
An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.
Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.
Who do I want to protect it from?#
To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.
Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.
How bad are the consequences if I fail?#
There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
Write down what your adversary might want to do with your private data.
How likely is it that I will need to protect it?#
Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don’t view the threat as a problem.
Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.
How much trouble am I willing to go through to try to prevent potential consequences?#
Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.
For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.
Threat modeling as a regular practice#
Keep in mind your threat model can change as your situation changes. Thus, conducting frequent threat modeling assessments is good practice.
Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it’s still relevant to your situation.
All content is licensed under CC BY (Creative Commons Attribution License).