What Is a Threat Model and Why You Need One

Most privacy advice falls into one of two traps. Either it’s so basic it’s useless (“use strong passwords”), or it assumes you’re running an underground press in an authoritarian country. Neither helps the average person figure out what they should actually do.

That’s where threat modeling comes in.

A threat model is just a structured way of answering four questions: What do I have that’s worth protecting? Who might want it? What happens if they get it? How much work is it worth spending to stop them? Once you answer those, the right tools and practices follow naturally.

What You’re Protecting

Start with assets. These are the things you want to keep private or secure. Make a list specific to your life:

• Your location history
• Financial accounts and records
• Private messages with family or friends
• Medical information
• Work files or intellectual property
• Your identity itself (to prevent doxxing or impersonation)

Not everything on that list deserves equal protection. Your medical records probably matter more than your Netflix watch history. That’s fine. The point is to have a concrete list, not to treat everything as equally sensitive.

Who Wants It

Now think about adversaries. This is where most people get unrealistic in both directions.

Common realistic adversaries include:

Data brokers and advertisers. They want your behavioral data to build ad profiles. They’re not targeting you specifically — they’re harvesting everyone. The threat is passive: if your data is out there, they’ll collect it.

Criminals running mass phishing or credential-stuffing. Again, not targeted. They send a million phishing emails hoping a few percent bite. Reused passwords and unpatched devices are the attack surface.

An employer or future employer. Depending on your profession, what you post publicly might affect hiring. This adversary has limited capability but some motivation.

An ex-partner or estranged family member. More motivation than capability, but often more persistent. This is the threat model behind a lot of stalkerware and social engineering.

A government agency. Much higher capability, but unless you’re doing something illegal or politically sensitive, the motivation is usually low. Relevance depends heavily on your location and activities.

The critical word is realistic. If you’re a private citizen in a stable country with no unusual activities, a nation-state hacking your Signal messages is not a useful thing to plan around. Credential stuffing against your reused passwords is.

What Happens If They Succeed

Walk through the consequences for each adversary getting what they want.

Data brokers getting your location data means you see more targeted ads and your data might get sold to health insurers or employers. Annoying and potentially harmful, but not immediately dangerous for most people.

A criminal getting your email password could mean account takeover, which might cascade to financial accounts if you reuse passwords or use email for password reset. This is the realistic worst case for most people.

Someone doxxing you means your home address and personal details go public. For most people this is an annoyance. For someone with an online presence or in a contentious profession, it can mean harassment campaigns.

Thinking through consequences helps you prioritize. High-consequence, realistic threats get effort. Low-consequence or unrealistic threats don’t.

How Much Effort Is Reasonable

Security and privacy always involve tradeoffs. A Faraday cage in a basement is more private than a smartphone, but it’s also not how most people want to live.

The right question is: what’s the minimum set of changes that adequately addresses your realistic threats?

For most people with a standard threat model, the short list looks like this:

• A password manager so every account has a unique, strong password
• Two-factor authentication on email and financial accounts
• Basic awareness of phishing (don’t click weird links, verify senders)
• Some thought about what you share publicly on social media

That’s the 80/20 version. It handles the most common threats without turning your digital life into a burden.

If your threat model is more specific, the list changes. Someone managing their social media presence might also want to lock down their real name and location. A journalist might add encrypted communications. A domestic violence survivor might need help with location privacy and device security.

Putting It Together

The practical output of a threat model is a short list of changes to make, ranked by impact. Not a 47-point checklist, not “install Tails and use Tor for everything.” A realistic, prioritized plan.

Here’s a simple format:

Protect: Email account, financial accounts, private messages Realistic threats: Credential stuffing, phishing, account takeover Consequences: Financial loss, account lockout, identity theft Actions: Password manager, unique passwords, 2FA on everything critical

That’s a useful threat model. You can act on it this week.

Threat modeling isn’t a one-time exercise. Revisit it when your circumstances change — new job, new relationship, shift in your online activities, or if something makes you feel specifically targeted. It’s a habit of thinking, not a document you file and forget.

The goal isn’t paranoia. It’s proportionality: spending the right amount of effort protecting the right things from the right people.