A threat model is the process of identifying what you are protecting, from whom, how likely an attack is, what the consequences would be, and how much friction you can accept.
Without a threat model, security spending is guesswork. The five questions are:
- What do I need to protect?
- Who might want to access it?
- How likely is that, realistically?
- What happens if they succeed?
- How much inconvenience am I willing to accept?
Build yours in 20 minutes: How to build your threat model.
What it means in practice
A threat model answers four questions: what are you protecting, from whom, how likely is a specific attack, and what are the consequences if it succeeds. Without these answers, security decisions are driven by anxiety rather than by risk. A journalist covering local politics and a diplomat in a hostile posting have different threat models, and therefore need different tools and behaviours, not the same checklist.
