What is Privacy Threat Modelling?

By Sydney Butler / November 8, 2018

The world is full of threats and you can't just deal with them when they appear. Instead, you must be proactive and try to predict when and how a threat will be carried out. That's where the idea of threat modeling comes into play.

Creating a threat model is an exercise in trying to understand the threats that you face. In the context of privacy, that would obviously mean creating a model that describes how your privacy is threatened.

Threat models are meant to be used as a starting point for designing defenses against those threats. One of the most interesting things about threat modeling is that it operates from the perspective of the attacker, giving fascinating insight into the mind of the adversary. For practical purposes, however, it's a focused way to get your house in order and prepare for the worst.

Why Should You Care About Threat Modelling?

How is threat modeling relevant to the average user? First of all, it helps us understand the process and thinking that goes into the software and hardware tools companies create to protect us. Understanding how threat models are used to design defenses also helps us understand why they fail.

The second reason why you should care about threat modeling is that you can use the same type of thinking to design your own privacy defenses. When you choose which protection to use or how much protection you want, a basic threat model can be invaluable.

What Should a Threat Model Have?

While there are plenty of variations and methods when it comes to threat models, there are some core components you need to have for it to qualify.

First, you need to clearly define what you want to protect. That’s a harder question than it seems and we’ll explore it in more depth shortly.

The second element of the model is defining the threat itself. What do you expect is going to happen? Following that, you have to ask yourself how likely it is that someone will actually go through with it. Does anyone care?

Your model should also deal with how valuable the thing you want to protect is. To what extent would you go to protect it? What's the cost-benefit ratio?

Which leads us to the final piece of the risk assessment. Let us say you do fail and the piece of private info you want to protect is stolen. What will actually happen? How much damage will be caused?

Now we will go over each step in more detail.

Identifying Assets for Protection

What privacy "objects" in your possession are likely to be targeted? This question is not as simple as tallying up your cash and jewelry would be. Instead, you need to think about the various items in your life that can expose private information about you. Your identity documents are an obvious example. Digital scans of those documents in the cloud are of course even more important to think about. Bills that are mailed to you with your address are another example.

Then there are general privacy concepts which someone might target: information such as when you go on holiday, where you work and who your friends are. You need to put yourself in the shoes of the attacker and imagine what it is you would do with your prize. Speaking of the attacker...

Who is The Enemy?

When it comes to privacy threats there are two types of adversary. The first is a general, faceless group of people who aren't looking to target you in particular.

Email phishing spammers, scammers, dishonest webmasters, and other general internet nasties will put their bait out and attack opportunistically.

All of us have to worry about this sort of thing, no matter who we are. These threats are, however, pretty well understood. There are systems and protocols in place to deal with them already.

Attackers who want to compromise you specifically are a different issue altogether. It means you have to consider the threat from friends, family, colleagues or people who know you directly in some other way.

The Odds of an Attack

There's a reason the president of a country has a security detail and most normal people don't: it's much more likely that such a prominent and powerful person would be attacked by an enemy than a regular citizen.

That's what we mean when we say you should consider what the chances of an attack are. Obviously, purely opportunistic attacks should be defended against as a matter of course. It's a sort of baseline threat we all live with. It stands to reason that if you are the only person without basic protection such as antivirus software or a firewall, then the odds of getting attacked go up.

The real meat of this step comes from determining if you are at risk over and above that baseline level. For example, if you are a public figure or are likely to have determined and resourceful enemies for some reason, you have a higher risk profile.

The Cost of Failure


This is perhaps the most important question of all. You have to consider what the damage would be if the protection you put in place isn't enough.

The answer to this question will provide guidance for the other questions. For example, if the result of a privacy breach would be disastrous to you, then it follows you would go to greater lengths to prevent it. If that failure would benefit defined groups of individuals, then it increases the likelihood of it happening and points out who your enemies are.

Pulling it All Together

Once you've put down detailed answers for each of these questions, you can start formulating and evaluating solutions that fit your needs.

One thing that will become apparent very quickly is that there is no way you can create perfect protection. Even if you had all of the time, money and resources in the world there will always be vulnerabilities someone can exploit. The key is creating the best security you can with the resources you can realistically commit. You want to protect against the most likely attacks while leaving out the rarest or most difficult ones because they aren't worth spending money or time on.

It's a balancing act that every security team has to go through, but if you are thorough and accurate with your modeling exercise, you'll be stacking the odds strongly in your favor.
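
The trade-off described above, as an added example that is not part of the original article: a small Python risk register that scores each threat as likelihood times impact and spends a fixed budget on the defenses that remove the most risk per unit of cost. Every entry, score, cost and the greedy selection rule is a constructed assumption for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    asset: str         # what you want to protect
    adversary: str     # "opportunistic" (baseline) or "targeted"
    likelihood: float  # estimated chance per year, 0..1
    impact: int        # cost of failure, 1 (minor) .. 10 (disastrous)
    defense: str       # candidate mitigation
    cost: int          # time/money units the defense needs
    reduction: float   # fraction of the likelihood the defense removes

    @property
    def risk(self) -> float:
        return self.likelihood * self.impact

    @property
    def risk_removed(self) -> float:
        return self.risk * self.reduction

def plan(threats, budget):
    """Greedy choice: best risk removed per unit of cost first."""
    chosen, skipped = [], []
    ranked = sorted(threats, key=lambda t: t.risk_removed / t.cost, reverse=True)
    for t in ranked:
        if t.cost <= budget:
            chosen.append(t)
            budget -= t.cost
        else:
            skipped.append(t)  # not worth the resources available
    return chosen, skipped

def residual_risk(threats, chosen):
    """Risk that remains after the chosen defenses; it never reaches zero."""
    return sum(t.risk for t in threats) - sum(t.risk_removed for t in chosen)

# Constructed sample model (all numbers are illustrative estimates).
MODEL = [
    Threat("ID scans in cloud storage", "opportunistic", 0.30, 9, "2FA + encrypted archive", 2, 0.8),
    Threat("Home address on mailed bills", "opportunistic", 0.20, 4, "paperless billing", 1, 0.7),
    Threat("Holiday dates on social media", "targeted", 0.10, 6, "restrict post audience", 1, 0.6),
    Threat("Devices under dedicated surveillance", "targeted", 0.01, 8, "separate hardened devices", 8, 0.5),
]

if __name__ == "__main__":
    chosen, skipped = plan(MODEL, budget=5)
    for t in chosen:
        print(f"DEFEND {t.asset}: {t.defense} (risk {t.risk:.2f}, cost {t.cost})")
    for t in skipped:
        print(f"ACCEPT {t.asset}: risk {t.risk:.2f} not worth cost {t.cost}")
    print(f"Residual risk: {residual_risk(MODEL, chosen):.2f}")
```

With a budget of 5 units the rare, expensive-to-counter threat is accepted, and some risk remains even after every affordable defense is in place.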

Of course, this basic threat modeling approach is applicable to far more than just privacy. You can apply it to everything from safely transporting a VIP to securing a website. The basic mental steps are still the same. Threat modeling is an essential part of adopting a privacy and security mindset, so consider this your first step to being privacy-conscious.
