PrivacyFocus

Threat Modelling for Everyday Users

2026-04-01 · 7 min read

What Is Threat Modelling?

Threat modelling is the process of identifying what you are trying to protect, who you are protecting it from, and what measures are proportionate to the risk. It is borrowed from information security but applies just as well to personal privacy. Without a threat model, you risk either doing too little and leaving yourself exposed, or doing too much and making your digital life unnecessarily difficult.

Your threat model is unique to you. A journalist investigating corruption has different needs from a student wanting to avoid targeted advertising. The key is being honest about your situation and focusing your efforts where they matter most.

The Five Key Questions

Start by answering five questions. First, what do you want to protect? This might be your browsing history, financial information, personal communications, or physical location. Second, who are you protecting it from? Common adversaries include advertisers, your ISP, hackers, employers, or government agencies.

Third, how likely is it that you will need to protect it? If you are an average internet user, mass surveillance by your ISP is certain, while a targeted state-level attack is extremely unlikely. Fourth, how bad are the consequences if you fail? A leaked email password is inconvenient; a leaked financial record could be devastating. Fifth, how much effort are you willing to invest? Privacy measures that you find too burdensome will be abandoned.

Common Threat Profiles

For most people in the UK, the primary threats are ISP data retention under the Investigatory Powers Act, corporate tracking by advertising networks, and opportunistic hacking through credential stuffing or phishing. Defending against these threats requires a VPN, a password manager with 2FA, and basic browser hardening. This covers 90% of realistic threats for the average person.

If you handle sensitive professional information, such as legal, medical, or financial data, your threat model should include protection against targeted attacks. This means encrypted communications, full-disk encryption, and careful control over which devices can access sensitive data. Hardware security keys for authentication are strongly recommended.

Proportionate Responses

The biggest mistake in privacy is pursuing maximum security when moderate security would suffice. Using Tor for everyday browsing is unnecessarily slow if your main concern is avoiding targeted ads. Conversely, if you are a whistleblower, a consumer VPN alone is not sufficient. Match your tools to your actual threats.

Think in layers. A VPN is your first layer, protecting against ISP surveillance. A hardened browser is your second layer, protecting against web tracking. Encrypted messaging is your third layer, protecting your communications. Each layer addresses a specific threat, and together they provide comprehensive protection proportionate to most people's needs.
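The five questions above and the "proportionate responses" reasoning can be worked through as a small risk-ranking exercise. The following Python is an added example, not part of the original article or any PrivacyFocus tool; the 1-to-5 scales, the likelihood-times-impact risk score and the effort budget are assumptions chosen for illustration, and the threat profiles are constructed from the article's own examples.

```python
from dataclasses import dataclass

# Assumed scales for this example (not from the article):
# likelihood 1 = remote .. 5 = certain; impact 1 = inconvenient .. 5 = devastating;
# effort 1 = trivial to set up .. 5 = burdensome enough to be abandoned.


@dataclass(frozen=True)
class Threat:
    asset: str         # Q1: what you want to protect
    adversary: str     # Q2: who you are protecting it from
    likelihood: int    # Q3: how likely you are to face this adversary
    impact: int        # Q4: how bad it is if the protection fails
    mitigation: str    # the layer that addresses this specific threat
    effort: int        # Q5: how much effort that layer costs you

    def risk(self) -> int:
        """Simple risk score: likelihood multiplied by impact."""
        return self.likelihood * self.impact


def rank_threats(threats):
    """Highest-risk threats first; ties keep their listed order."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def plan_mitigations(threats, effort_budget):
    """Greedy plan: adopt layers for the riskiest threats while they fit the effort budget."""
    chosen, spent = [], 0
    for t in rank_threats(threats):
        if spent + t.effort <= effort_budget:
            chosen.append(t.mitigation)
            spent += t.effort
    return chosen


# Constructed profile for an average UK user, following the article's examples.
AVERAGE_USER = [
    Threat("browsing history", "ISP (data retention)", 5, 2, "VPN", 1),
    Threat("browsing history", "advertising networks", 5, 2, "hardened browser", 2),
    Threat("account credentials", "opportunistic attackers (credential stuffing, phishing)",
           4, 4, "password manager + 2FA", 2),
    Threat("communications", "state-level targeted attack", 1, 5,
           "full-disk encryption + hardware security keys", 5),
]

# Constructed profile for a journalist: same assets, but a targeted attack is now plausible.
JOURNALIST = [t if t.adversary != "state-level targeted attack"
              else Threat(t.asset, t.adversary, 4, t.impact, t.mitigation, t.effort)
              for t in AVERAGE_USER]

if __name__ == "__main__":
    print("average user:", plan_mitigations(AVERAGE_USER, effort_budget=5))
    print("journalist:", plan_mitigations(JOURNALIST, effort_budget=8))
```

Changing a single likelihood answer reorders the plan: the journalist's budget goes to encryption and hardware keys first, while the average user spends it on the VPN, browser and password manager layers and leaves the unlikely targeted attack unaddressed.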

Reviewing and Updating

Your threat model is not static. Review it when your circumstances change, such as starting a new job, moving to a different country, or becoming involved in activism or journalism. New threats emerge as technology evolves, and tools that were adequate last year may need updating.

Keep an eye on privacy news and legislation. Laws like the UK Online Safety Act can change the threat landscape overnight. Follow organisations like the Electronic Frontier Foundation, Open Rights Group, and Privacy International for timely analysis of emerging threats and practical guidance on how to respond.