Personal Threat Modeling
Most security advice is generic. Threat modeling is the opposite: it's a framework for thinking clearly about your specific risks, so you can protect what actually matters without wasting energy on threats that don't apply to you.
The landscape
The five questions every threat model starts with
What do I want to protect?
Your assets: files, accounts, location, communications, identity, financial data.
Who do I want to protect it from?
Your adversaries: ex-partners, employers, advertisers, criminals, governments, or opportunistic hackers.
How likely is it that I'll need to protect it?
Probability: a realistic assessment, not worst-case paranoia. Most people face mundane threats.
How bad are the consequences if I fail?
Impact: financial loss, reputational damage, physical safety, loss of privacy, professional consequences.
How much trouble am I willing to go through?
Your tolerance for friction: the right security is always a trade-off between protection and convenience.
Framework adapted from the Electronic Frontier Foundation's Surveillance Self-Defense guide.
Why Generic Security Advice Isn't Enough
"Use a VPN." "Enable two-factor authentication." "Don't click suspicious links." This kind of advice shows up everywhere, and it's not wrong, exactly. But it treats security as a checklist rather than a thinking exercise, which means you end up either over-protecting things that don't matter or ignoring risks that are genuinely relevant to your life.
A journalist investigating government corruption has very different security needs than a parent worried about their teenager's online activity. A small business owner handling client financial data faces different threats than someone who just wants to keep their email private from advertisers. No single checklist covers all of these well.
Threat modeling solves this by asking you to think before you act: What are you protecting? From whom? At what cost? The answers to those questions determine which security measures are worth your time and which ones are overkill, or worse, security theater that gives false confidence without real protection.
The core insight of threat modeling
Perfect security doesn't exist. Every security measure has a cost in money, convenience, time, or complexity. Threat modeling helps you spend those costs where they actually matter for your specific situation, and consciously accept the risks that aren't worth mitigating.
Step 1: Identify Your Assets
An asset is anything you value and would want to protect. In the context of personal digital security, this is broader than most people initially assume.
Start by making an honest inventory. Don't filter yet β just list what matters to you. You'll prioritize later.
Digital accounts
- Email (the master key to everything else)
- Banking and financial accounts
- Social media profiles
- Work accounts and cloud storage
- Domain names or business accounts
Personal data
- Photos and personal files
- Health and medical records
- Location history and movement patterns
- Contacts and private communications
- Documents (passport, ID, contracts)
Identity
- Your legal name and address
- Date of birth and government IDs
- Biometric data (fingerprints, face ID)
- Social security / national ID numbers
- Financial history and credit data
Reputation & relationships
- Professional reputation
- Private conversations you'd regret being public
- Associations or memberships you keep private
- Your online personas or pseudonyms
- Relationships you want to keep confidential
Do this now: write your asset list
Not all assets are equal: prioritize ruthlessly
Once you have your list, mark each asset with a rough priority: high, medium, or low. High-priority assets are things where exposure would cause serious, hard-to-reverse harm: identity theft, physical danger, significant financial loss, or permanent reputational damage. Low-priority assets might be embarrassing if exposed but wouldn't cause lasting harm.
Your email account almost always deserves high priority: it's the recovery mechanism for virtually every other account. Lose control of your email and you effectively lose control of your digital identity. This is why email security is where most people should start.
Step 2: Know Your Adversaries
"Hackers" is not a threat model. It's a vague fear that leads to either paranoia or complacency. Real threat modeling requires identifying specific adversaries, or categories of adversaries, so you can understand their capabilities, motivations, and methods.
Opportunistic criminals
Capability: Low to Medium
Motivation
Financial gain through automated attacks: credential stuffing, phishing at scale, malware distribution.
Who they target
Weak passwords, reused credentials, unpatched software, email inboxes.
Affects
Almost everyone
Core defense
Strong unique passwords, MFA, software updates. Most automated attacks move on quickly if you're not easy.
Targeted criminals
Capability: Medium to High
Motivation
Financial gain through targeted fraud: SIM swapping, spear-phishing, account takeover of specific people.
Who they target
High-value individuals: crypto holders, executives, public figures, people who have publicly announced wealth.
Affects
People who are identifiably high-value targets
Core defense
Hardware security keys, account freezes with carriers, separating high-value accounts from everyday accounts.
People you know
Capability: Variable
Motivation
Control, jealousy, harassment, revenge; often an intimate partner, ex-partner, stalker, or estranged family member.
Who they target
Devices they have physical access to, shared accounts, location data, communications.
Affects
People in difficult personal relationships, domestic abuse situations
Core defense
Device PINs, removing shared account access, checking for tracking apps, separate accounts.
Employers and institutions
Capability: Medium
Motivation
Compliance, monitoring, liability reduction; usually not malicious but still a privacy concern.
Who they target
Work devices, work accounts, network traffic on company networks.
Affects
Anyone using employer-owned devices or networks
Core defense
Never use work devices for personal matters. Assume work accounts are monitored.
Data brokers and advertisers
Capability: High (data collection), Low (direct harm)
Motivation
Profit from your data: building profiles for advertising, selling to third parties.
Who they target
Browsing behavior, location, purchase history, social connections.
Affects
Virtually everyone who uses free digital services
Core defense
Privacy browsers, ad blockers, VPNs, opting out of data broker records, using aliases for newsletters.
Nation-state actors
Capability: Extremely High
Motivation
Surveillance, intelligence gathering, political control; beyond most people's threat model.
Who they target
Journalists, activists, dissidents, people in authoritarian contexts, high-value targets.
Affects
A small minority of people, but those affected face very high stakes
Core defense
Requires a significantly elevated security posture: encrypted devices, air-gapped computers, encrypted communications, and professional security guidance.
Most people's primary adversary is automated opportunism
Step 3: Assess Likelihood Realistically
One of the most common threat modeling mistakes is assessing likelihood based on fear rather than evidence. People worry about sophisticated nation-state hackers when they haven't yet set up MFA on their email. The anxiety is directed at the dramatic threat, while the mundane threat, which is far more likely to actually cause harm, goes unaddressed.
Likelihood assessment means asking, honestly: given who I am, what I have, who might want it, and what my current security posture looks like, how probable is it that this threat actually materializes?
Factors that increase likelihood
Reused passwords
A single breach exposes all your accounts using that password. Credential stuffing attacks test breached passwords against hundreds of services automatically.
Public visibility
Being identifiably high-value (publicly announcing wealth, having a large audience, being a public official) increases targeted attack risk substantially.
Outdated software
Known vulnerabilities in unpatched software are actively exploited. Most attacks don't use novel exploits; they use known ones against unpatched systems.
Adversary proximity
Threats from people who know you personally have higher likelihood for specific assets (like your device PIN or relationship history) than from strangers.
Sensitive profession or activity
Journalists, lawyers, activists, healthcare workers, and executives are more likely to be targeted for what they know or do professionally.
Past breaches
If your credentials appeared in previous breaches (check haveibeenpwned.com), the likelihood of credential attacks against you is meaningfully higher.
Calibrate, don't catastrophize
Step 4: Evaluate Impact
Likelihood tells you how probable a threat is. Impact tells you how bad it would be if it happened. Together, these two dimensions give you a risk rating for each threat, and a clearer picture of where to focus your energy.
Four dimensions of impact
Financial impact
Low impact
Fraudulent charge, reversible with bank support (< $500)
Medium impact
Account takeover leading to wire transfer or crypto theft ($500 to $10k)
High impact
Identity theft enabling loans, tax fraud, or large-scale financial fraud ($10k+, years to resolve)
Privacy impact
Low impact
Advertisers gain more data about your browsing preferences
Medium impact
Personal photos, private messages, or embarrassing content exposed to a limited audience
High impact
Sensitive information (medical, sexual, political) exposed publicly or to people who could use it for coercion
Safety impact
Low impact
Minor personal discomfort or embarrassment
Medium impact
Stalking or harassment enabled by exposed location or contact information
High impact
Physical danger: location exposed to a violent adversary, or disclosure that puts you at legal risk in your country
Professional / reputational impact
Low impact
Minor embarrassment, quickly forgotten
Medium impact
Professional reputation damaged, job loss possible
High impact
Career-ending exposure, legal consequences, business destruction
Risk matrix: likelihood × impact
| Likelihood ↓ / Impact → | Low impact | Medium impact | High impact |
|---|---|---|---|
| High likelihood | Monitor | Address Soon | Priority #1 |
| Medium likelihood | Accept | Monitor | Address Soon |
| Low likelihood | Accept | Accept | Monitor |
Step 5: Choose Your Mitigations
A mitigation is a control: something you do or use that reduces either the likelihood or the impact of a threat. This is where the "what to do" answers live, but only after you've done the thinking above. Mitigations chosen without a threat model are guesswork. Mitigations chosen with one are targeted investments.
Not every risk needs a technical solution. Sometimes the right mitigation is behavioral (not discussing certain topics on certain channels), organizational (keeping certain files offline), or social (limiting who knows certain information about you).
Reduce likelihood
- Strong unique passwords remove credential stuffing risk
- MFA stops most account takeover attempts
- Software updates close known exploit paths
- Privacy settings limit data broker collection
Reduce impact
- Backups mean ransomware can't hold you hostage
- Separate accounts limit blast radius of any single breach
- Credit freezes limit identity fraud damage
- Encryption makes stolen data unreadable
Accept the risk
- Acknowledge the risk consciously rather than ignoring it
- Appropriate for low-likelihood, low-impact threats
- Or where mitigation cost outweighs the risk
- Document what you've decided and why
Security is iterative, not a one-time event
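The risk matrix from Step 4 and the "reduce likelihood / reduce impact" split from Step 5 can be worked through mechanically. The following is an added example, not code from the original article: it rates a constructed worksheet of assets and adversaries against the article's matrix, sorts them by urgency, and shows how a mitigation that lowers likelihood by one step (MFA on email, in the article's own framing) moves a threat to a different cell. All asset names, adversaries and levels are constructed.

```python
# Added example, not from the original article: a small threat-model worksheet
# that applies the article's risk matrix and shows how a mitigation moves a
# threat to a different cell. All assets, adversaries and levels are constructed.
from dataclasses import dataclass, replace

LEVELS = ("low", "medium", "high")

# The article's risk matrix, indexed [likelihood][impact].
RISK_MATRIX = {
    "high":   {"low": "Monitor", "medium": "Address Soon", "high": "Priority #1"},
    "medium": {"low": "Accept",  "medium": "Monitor",      "high": "Address Soon"},
    "low":    {"low": "Accept",  "medium": "Accept",       "high": "Monitor"},
}
URGENCY = {"Priority #1": 0, "Address Soon": 1, "Monitor": 2, "Accept": 3}

@dataclass(frozen=True)
class Threat:
    asset: str
    adversary: str
    likelihood: str
    impact: str

def rating(t: Threat) -> str:
    """Matrix cell for one threat."""
    return RISK_MATRIX[t.likelihood][t.impact]

def apply_mitigation(t: Threat, reduces: str) -> Threat:
    """A mitigation lowers either likelihood or impact by one step (floor: low)."""
    if reduces not in ("likelihood", "impact"):
        raise ValueError(reduces)
    level = getattr(t, reduces)
    lowered = LEVELS[max(0, LEVELS.index(level) - 1)]
    return replace(t, **{reduces: lowered})

def prioritize(threats):
    """Most urgent matrix cell first."""
    return sorted(threats, key=lambda t: URGENCY[rating(t)])

# Constructed worksheet for the article's "everyday user" profile.
WORKSHEET = [
    Threat("browsing history", "data brokers", "high", "low"),
    Threat("email account", "opportunistic criminals", "high", "high"),
    Threat("personal photos", "nation-state actors", "low", "high"),
]

if __name__ == "__main__":
    for t in prioritize(WORKSHEET):
        print(f"{rating(t):12} {t.asset} <- {t.adversary}")
    # MFA on email lowers takeover likelihood: Priority #1 -> Address Soon
    print("email after MFA:", rating(apply_mitigation(WORKSHEET[1], "likelihood")))
```

Re-running the worksheet after each mitigation is the "iterate" step: a threat that stays in Priority #1 after the obvious control is where the next investment belongs.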
Common Personal Threat Profiles
Most people fall into one or more of these general profiles. Finding yours gives you a useful starting point, though your actual threat model will be more specific.
The everyday user
Threat level: Foundation
Primary threats
Credential theft, phishing, account takeover
Usually not a priority
Targeted attacks, nation-state surveillance
Top priorities
- Password manager + unique passwords for every account
- MFA on email and financial accounts
- Software updates on all devices
- Phishing awareness
The remote worker
Threat level: Foundation +
Primary threats
Network interception on public Wi-Fi, device theft, work data exposure
Usually not a priority
Physical surveillance, state-level actors
Top priorities
- VPN on public networks
- Full-disk encryption on work laptop
- Separate work and personal accounts
- Screen lock and physical awareness in public
The small business owner
Threat level: Elevated
Primary threats
Ransomware, BEC (business email compromise), client data breach, financial fraud
Usually not a priority
Sophisticated nation-state espionage (usually)
Top priorities
- Offline backups tested regularly
- Email authentication (SPF, DKIM, DMARC)
- Multi-person approval for wire transfers
- Cyber insurance review
The public figure or journalist
Threat level: High
Primary threats
Targeted harassment, doxxing, surveillance by hostile state actors, source compromise
Usually not a priority
Automated commodity attacks (still worth defending, just not the priority)
Top priorities
- Hardware security keys for critical accounts
- Encrypted communication for sensitive sources
- Separate identities for public/private life
- Physical security awareness
The person in a difficult relationship
Threat level: Situation-specific
Primary threats
Intimate partner surveillance, device monitoring, location tracking, account access
Usually not a priority
External hackers are rarely the primary concern
Top priorities
- Audit devices for tracking apps or spyware
- Change all account passwords (from a safe device)
- Review shared accounts and revoke access
- Seek guidance from a domestic abuse support organization if needed
Tools Matched to Threat Levels
The right tool depends on your threat level. Using Signal for every conversation when your threat is opportunistic credential stuffing is overkill that adds friction without proportional benefit. Not using MFA when you're a high-value target is negligence. Here's how to match tools to threat levels.
Foundation: Everyone
Password manager
Bitwarden (free), 1Password, or Dashlane. Unique passwords for every account.
MFA authenticator app
Google Authenticator, Authy, or your phone's built-in. On email and banking first.
Encrypted DNS
Cloudflare 1.1.1.1 or Quad9. Prevents your ISP logging every site you visit.
Privacy browser
Firefox with uBlock Origin, or Brave. Blocks tracking scripts and malicious ads.
Elevated: Remote workers, business owners
VPN
Mullvad or ProtonVPN for public network use. Not a magic shield, but protects traffic from local observers.
Full-disk encryption
FileVault (Mac), BitLocker (Windows). Essential if a device could be stolen.
Encrypted email
ProtonMail or Tutanota for sensitive business communications where you need actual E2EE.
Secure cloud storage
Tresorit or Proton Drive for documents with client or financial data.
High: Public figures, journalists, activists
Hardware security key
YubiKey or similar FIDO2 key. Eliminates phishing risk for critical account logins.
Signal
End-to-end encrypted messaging with disappearing messages for sensitive source communications.
Tor Browser
For research that shouldn't be attributed to your IP address. Slower, but genuinely anonymizing.
Separate devices
Dedicated device for high-sensitivity work, completely isolated from personal accounts and activity.
Your Personal Action Plan
A threat model that never becomes action is just an interesting thought exercise. Here's a structured way to move from analysis to implementation without burning out.
This week
- Write your asset list: what you'd most regret losing or having exposed
- Identify your two or three most likely adversaries
- Check haveibeenpwned.com; if your email is in breaches, change those passwords first
- Enable MFA on your email account
This month
- Install and set up a password manager, migrate your most important accounts
- Enable MFA on banking, work accounts, and social media
- Enable full-disk encryption on your laptop and phone
- Review what apps have access to your location; revoke what's unnecessary
Ongoing
- Review your threat model twice a year or after significant life changes
- Keep all software updated; enable auto-updates where possible
- Audit shared account access annually
- Stay aware of major breaches affecting services you use
Done is better than perfect
The bottom line
Security isn't about fear.
It's about clarity.
Threat modeling gives you a rational way to answer the question "what should I actually do about security?", based on your specific life, your specific risks, and your specific tolerance for friction. The goal isn't paranoia. It's making confident, informed decisions about what's worth protecting and what isn't.