Threat Modeling for Regular People: A Practical Framework

Last updated: June 2026

Threat modeling is a systematic way of thinking about what you’re protecting, who might want to compromise it, and what controls make sense given those specifics. It’s standard practice in enterprise security. It’s almost entirely absent from personal security advice, which tends to consist of generic recommendations that don’t account for individual circumstances.

The problem with generic security advice — “use a VPN,” “enable 2FA,” “don’t reuse passwords” — is that it doesn’t tell you whether a particular control is worth the cost for you, specifically. Threat modeling does.

The Framework

Threat modeling for individuals comes down to five questions:

1. What are you protecting?

Make a concrete list. Financial accounts. Personal communications. Medical records. Location data. Your professional reputation. Physical access to your home. The data that’s on your laptop. Think through what a compromise of each would actually cost you.

This step matters because the answer is different for everyone. A journalist’s threat model around source communications is completely different from a regular employee’s threat model around their email. Generic advice doesn’t serve either of them well.

2. Who might want to access it, and why?

Threat actors for personal security typically fall into a few categories:

  • Opportunistic attackers who are not targeting you specifically but will take advantage of weak security if they encounter it. Most credential stuffing, phishing, and account compromises are opportunistic.
  • Financially motivated attackers targeting people with specific access — tax preparers, real estate agents, people who’ve recently had a windfall.
  • Known individuals — an ex-partner, a family member, a litigant in a dispute. Domestic adversaries are statistically common and require different controls than anonymous attackers.
  • Institutional adversaries — employers, law enforcement, intelligence agencies. Most people’s threat model doesn’t include this category meaningfully.
  • Targeted hackers — specifically motivated to compromise you. Rare. Security controls for this adversary class are much more intensive and most people don’t need them.

Naming your actual threat actors is the step most people skip. It turns out most people’s serious threats are a small number of categories, and the controls for each are relatively specific.

3. What are the realistic attack paths?

Given who you’ve identified as likely threat actors, how would they actually attack? An opportunistic attacker is trying to compromise your email via credential stuffing or phishing — not via a sophisticated zero-day. A known individual adversary might try to access your accounts using passwords they know from the relationship, or access a device they have physical access to.

Understanding the likely attack path focuses your controls. Defending against credential stuffing requires strong unique passwords and 2FA. Defending against a person with physical device access requires device encryption and a strong lock screen. These are different controls.

4. What would compromise actually look like, and how bad is it?

Not all data compromises are equivalent. Someone reading your email is different from someone draining your bank account is different from someone publishing your medical records is different from someone tracking your physical location. Map out what the actual harm is, because that determines how much friction is proportionate to prevent it.

5. What controls are proportionate?

Given specific threat actors and specific attack paths, what controls make sense? Apply more friction where the harm is greater and the likelihood is higher; don’t apply the controls needed for a state-level adversary to a low-risk personal account.

A Simple Personal Threat Model

For most people without elevated threat profiles:

  • Primary threats: opportunistic attackers via credential compromise; phishing; data broker aggregation of personal information
  • Secondary: known-individual access to devices or accounts
  • Controls worth implementing: strong unique passwords in a password manager; 2FA on all financial and primary email accounts; device encryption; data broker opt-outs
  • Controls probably not worth the cost: Tor for everyday browsing; air-gapped devices; advanced physical security for everyday data

This is a real threat model with real prioritization, and it leads to different choices than “do all of these 47 security things.”

When Your Threat Model Is Elevated

Journalists protecting sources, security researchers, abuse survivors, people in contentious legal situations, executives with high-profile positions, people who travel to high-risk environments — these situations call for elevated threat models and correspondingly more intensive controls.

If your situation is genuinely elevated, generic advice still doesn’t serve you well. The EFF’s Surveillance Self-Defense guide (ssd.eff.org) provides threat-model-specific guidance for common elevated situations and is worth working through.

Scroll to Top