What is Your Threat Model?

This is the first post in a series I’m working on involving tailoring security and privacy to you. While there are best practices that apply to everyone a good part of our online security and privacy is a personal thing and can vary greatly depending on factors such as who we are, what we do for a living and others.

The Threat Model

According to Wikipedia: “The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.” In other words, a threat model is knowing what the possible threats are and what they might want from you.

To form a threat model we must ask four questions:

  1. Where are the high-value assets?
  2. Where am I most vulnerable to attack?
  3. What are the most relevant threats?
  4. Is there an attack vector that might go unnoticed?

At the scale of a company or a product these four questions can take a good amount of study and analysis to answer as the difference in threat models at scale can range from very simple to very complex as the number of people involved grows along with the complexity of the product or business doing the modeling.

For individuals however the threat model, while still capable of being extremely complex for some, is often either over thought nearing the point of paranoia (everyone and everything is out to get everything I have) or completely ignored (no one will care about this compromising picture I just put online for the world to see). The truth, as usual, is often somewhere in between. Knowing the threat model for yourself as a person will then lead to common-sense solutions to security and privacy that won’t cross any lines that could needlessly put you and your data at risk.

Two types of threats

For the purposes of this post and it’s follow-ups let’s look at our personal threat model at two points:

Security

First, let’s look at security. Security involves preventing attacks against ourselves and our data that might arise from the opportunistic to, as is often the case, someone we know with malicious intent such as a former employee, family member or friend. For must of us the security model is fairly simple and covers a lot of the tips and techniques we all already know such as maintaining good passwords and more. The point of the security model therefore is to keep you and your data safe from those who wish to cause you harm.

Privacy

While they often sound similar, privacy and security are in fact two different things. In security we’ll talk about keeping you and your data safe from attackers. In privacy we talk about the appropriate use of our data or the misuse that might arise not only from data acquired by an attacker but from the very data we make available to people and companies every day simply by going through our daily lives.

To look at these in other terms we all generate data. The fact you’re reading this site means there is a certain amount of data about you as a visitor that I can collect to know who is using my site. How I use that data then becomes a matter of privacy. On the other hand, just by visiting this site you are providing me no personal data such as passwords, or email address or anything else that you may want to protect. If I tried to obtain that data from you through malicious means that would be a violation not only of your privacy but of your security. Simply put then for the purposes of this series privacy covers the data you’re protecting whereas security covers the locks you put in place to protect that data.

Do you know what is really important to you?

Given our definition of threat model and the differences between security and privacy do you then know what your own threat model is? If you’re a Facebook user, for example, are you aware of the dangers posed by a weak password or simply the posts you make public? What other services do you use to protect yourself and what services get data about you? It’s amazing how much data we all generate but it isn’t something to fear. Knowing where your comfort level is and what you’re sharing as well as the implications of what your sharing combined with what you do to keep yourself safe becomes your own personal threat model. Over the next few weeks I’ll share my own experiences with forming my own threat model as it relates to both my security and privacy as well as plenty of tips and tricks to both form and understand your own personal threat model.

About Chris Wiegman

Chris is a developer for UF Health at the University of Florida who has been working on WordPress since 2008. Over the years he built one of the largest security plugins on WordPress.org as well as numerous other plugins, themes and other solutions. When not coding Chris loves to teach and has presented at numerous WordCamps and other conferences as well as taught computer security for St. Edward’s University and other University courses ranging from computers to aviation.

Find Chris on Facebook, GitHub, WordPress.org, and Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *

  
Please enter an e-mail address