
Threat Model

Building your threat model is something that will likely take some time and thought, and will likely change over time as your life and circumstances change. A threat model is something that can apply to you digitally as well as in real life. In this section, I’ll stay mostly within the digital realm though there may be some crossover. Things really start to change in what you have to do and consider when building a real life threat model.

First, like I’ve mentioned in the disclaimers on this site, when you add more security, privacy, and/or anonymity, you’re going to experience more of a hassle in whatever you’re trying to do. If your threat model dictates using something like Qubes, you’re going to have to deal with a lot more headache than using something like Windows. There are other things that add only a small amount of inconvenience, like 2FA, while adding greatly to security.

Next, I’m going to reiterate what I’ve already said multiple times on this site. Nothing is ever 100% secure and everything can be hacked. In the government and business world, cybersecurity staff prepare for when, not if, they get hacked. Give it enough time, and you’re going to experience a cyber incident of some sort. It could be something you did, like downloading malware, or something completely out of your control, like a service you use getting hacked and your personal information going with it.

From there, think about what you’re trying to protect, who you’re trying to protect against, what you need to do to protect against these threats, the amount of hassle you’re willing to do to protect yourself from the threats, and what steps you’ll need to take after a cyber incident. Again, prepare for WHEN something happens, not IF it happens. This mindset will help you be a lot more prepared. Now let’s go through each of those items I listed.

There's a popular phrase in the military community that goes, "Two is one, one is none." The idea here is to make sure you have backups for whatever you're doing. In this case, you should have a backup plan for your backup plan and so on. Anything that can go wrong probably will, especially in a bad situation. If something drastic happens in a cyber context (like someone gets access to your financial accounts) and you don't have a plan, your life is going to be total chaos because you weren't ready, and the recovery will take way longer. If you fail to plan, you plan to fail.

What do you want to protect? Is it some emails, is it some personal files you have stored locally or in the cloud, or is it your entire system and all its contents? Take time on this step and on all the other steps. Make a plan for what you’re looking to do.

Who are you trying to protect against? Are you a journalist who’s writing stories that could anger a government agency? Maybe you’re a typical home user who just wants to stop friends and family from snooping on your computer when you’re not around.

What do you need to do to protect yourself from these threats? This could be something simple, like running an AV and a good firewall to keep intruders out of your device, or it could be something convoluted like using Qubes, routing all your traffic through Tor, and having numerous online identities.

How much hassle are you willing to go through to protect yourself? Are you willing to just do simple things like use 2FA on all your accounts, or are you willing to use Whonix, air-gapped computers, or some other extreme measures that will slow you down?

What steps do you need to take after a cyber incident? At minimum you’ll end up needing to change your passwords. You may even need to make new email addresses, change phone numbers, wipe some data, etc.
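As an added example (not from the original post), here is one way to write the questions above down as data and let a small script rank the answers: each threat pairs an asset with an adversary and gets a likelihood and impact score, each mitigation carries a hassle cost, and a greedy pass picks the mitigations that remove the most risk per unit of hassle until your hassle budget is spent. The assets, adversaries, scores and mitigations are constructed estimates for illustration, not figures from the page; the scoring scale (1 to 5) and the greedy selection are assumptions of this example. The after-incident steps stay in prose, since they depend on what was actually hit.

```python
"""Worked personal threat model: threats and mitigations as data, ranked by risk per hassle."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str          # what you want to protect
    adversary: str      # who you are protecting it against
    likelihood: int     # 1 (rare) .. 5 (expect it), constructed estimate
    impact: int         # 1 (annoyance) .. 5 (life-altering), constructed estimate

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Mitigation:
    name: str
    hassle: int         # 1 (set and forget) .. 5 (changes how you work every day)
    reduction: int      # risk points removed from each covered threat, constructed estimate
    covers: frozenset   # set of (asset, adversary) keys this mitigation helps with


def key(t: Threat) -> tuple:
    return (t.asset, t.adversary)


# Constructed sample threat model for a home user with some financial exposure.
THREATS = [
    Threat("bank login", "phishing or credential stuffing", likelihood=4, impact=5),
    Threat("personal files on laptop", "housemate snooping", likelihood=3, impact=2),
    Threat("email account", "takeover after a third-party breach", likelihood=4, impact=4),
    Threat("photo backup", "ransomware or disk failure", likelihood=2, impact=4),
]

T_BANK, T_FILES, T_EMAIL, T_PHOTOS = (key(t) for t in THREATS)

MITIGATIONS = [
    Mitigation("2FA on all accounts", hassle=1, reduction=10, covers=frozenset({T_BANK, T_EMAIL})),
    Mitigation("password manager with unique passwords", hassle=2, reduction=8,
               covers=frozenset({T_BANK, T_EMAIL})),
    Mitigation("screen lock and full-disk encryption", hassle=1, reduction=5, covers=frozenset({T_FILES})),
    Mitigation("offline backup (two is one, one is none)", hassle=2, reduction=6, covers=frozenset({T_PHOTOS})),
    Mitigation("Qubes plus Tor for everything", hassle=5, reduction=4,
               covers=frozenset({T_BANK, T_FILES, T_EMAIL})),
]


def rank_threats(threats):
    """Highest risk first, so you know what to spend your effort on."""
    return sorted(threats, key=lambda t: (-t.risk, t.asset))


def choose_mitigations(threats, mitigations, hassle_budget):
    """Greedy pick: best remaining risk-reduction per hassle point until the budget runs out.

    Returns the chosen mitigation names (in order) and the residual risk per threat key.
    """
    residual = {key(t): t.risk for t in threats}
    chosen, remaining, budget = [], list(mitigations), hassle_budget
    while True:
        best, best_score = None, 0.0
        for m in remaining:
            if m.hassle > budget:
                continue  # too much hassle for what is left of the budget
            benefit = sum(min(m.reduction, residual[k]) for k in m.covers if k in residual)
            score = benefit / m.hassle
            if score > best_score:  # first one wins on ties, so the result is deterministic
                best, best_score = m, score
        if best is None:
            break  # nothing affordable still reduces risk
        for k in best.covers:
            if k in residual:
                residual[k] = max(0, residual[k] - best.reduction)
        chosen.append(best.name)
        remaining.remove(best)
        budget -= best.hassle
    return chosen, residual


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"risk {t.risk:2d}: {t.asset} <- {t.adversary}")
    picked, left = choose_mitigations(THREATS, MITIGATIONS, hassle_budget=4)
    print("do first:", picked)
    print("residual risk:", sum(left.values()), "of", sum(t.risk for t in THREATS))
```

With a hassle budget of 4 the script picks 2FA, a password manager and disk encryption, and leaves the photo backup threat untouched; raising the budget changes the answer, which is the point: the same threats lead to different plans depending on how much inconvenience you will accept.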

This might seem like a lot, but it’s important to get this figured out. I can see why a typical home user might not need to concern themselves with this much. There are plenty of people who need to plan this out though, among them people in positions of higher risk like journalists, senior military officials, business executives, etc.