Threat Modeling

In order to know what tools on this site are right for you, you should understand “threat modeling.” The term “threat model” is just a fancy way to say “what are you hiding and who are you hiding it from?” For example:

While threat modeling can be applied to a wide variety of situations (as shown above), on this site I focus specifically on threat modeling for your personal data. The Electronic Frontier Foundation defines data as “any kind of information, typically stored in a digital form. Data can include documents, pictures, keys, programs, messages, and other digital information or files.” While there are “best practices” that apply to almost (if not) everyone, there’s really no one-size-fits-all threat model for everyone. Some people need more security or privacy, and some need less. Most people want to find a healthy balance between protection and convenience.

The threat model that I focus on in this site is defense against common, non-targeted attacks. For a real world example, I cite infamous serial killer Richard Chase, who stalked the Los Angeles area between 1977 and 1978. One of the reasons he was so difficult to catch was because he didn’t have a pattern. After he was caught he stated that he would just cruise around neighborhoods until he spotted a house he felt compelled to try. If the doors and windows were locked, he would go on his way and try a different house rather than force his way in. My goal with this site is to teach you how to "digitally lock your doors and windows" to protect against yourself against the Richard Chase's of the digital world. In other words, make yourself harder to hack than the other guy so that hackers looking for an easy payday give up and move on to someone else.

What’s your threat model? You can't know how to properly defend yourself against attacks if you don't know what attacks you are likely to face. While I teach the basics here, some readers may need to continue their education after my site, and all readers will have to examine the numerous tools and techniques I share here to figure out which is best for them. You can't know any of that without defining your threat model. So how do you determine your threat model?

If you're still having trouble defining your threat model, this great post from Cupwire suggest a four-level template for determining your threat model. Note that this post is not a hard-and-fast rule, there is a lot of nuance and gray area, and you can feel free to drift in between levels depending on the situation, but it can be extremely helpful in getting started and visualizing where you land.

Large parts of this page were borrowed from or inspired by EFF’S Surveillance Self Defense Guide.