Core Concepts of Threat Modeling
Threat modeling is a systematic process for identifying and mitigating potential security and privacy concerns. This section introduces the foundational questions and the core definition of risk.
Shostack's Four Key Questions
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
The risk formula combines three elements:
- Threat
- Vulnerability
- Consequence
Scoping the Analysis: The "But For" Test
Properly scoping your analysis is crucial. You don't want to miss critical threats, nor do you want to be overwhelmed by irrelevant ones. The "But For" test is a simple heuristic for deciding whether a potential harm falls within your product's responsibility: ask whether the harm would still occur but for your product's existence or behavior. If it would not, the harm is in scope.
Actors, Proxies, and Agents
A threat involves an interaction between a threat actor and an at-risk individual. However, this interaction is often indirect. Understanding proxies (surrogates for the individual, such as a shared device or a family member) and agents (instruments of the threat actor that act on its behalf) is key to identifying non-obvious threats.
The Dual Maps: Interactions and Relationships
To systematically identify threats and controls, we create two distinct maps: the interaction map, which analyzes threat vectors (who can reach whom, and through what), and the relationship map, which analyzes power dynamics between the parties.
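The following is an added example, not code from the original page, showing how the interaction map from this section and the actor/proxy/agent vocabulary from the previous one can be made concrete. It models the map as a small directed graph, enumerates every path from a threat actor to the at-risk individual, and separates direct paths from indirect ones that pass through an agent or proxy. The scenario (a stalker, a data broker, an ad network, a shared family tablet) and all node names and edge labels are constructed for illustration; the relationship map is not modelled here.

```python
"""Interaction map for privacy threat modeling (added example, not from the
original page).  Each node carries one of the page's roles: threat actor,
agent (instrument of the actor), proxy (surrogate for the individual), or
the at-risk individual.  Edges are interactions a threat can travel along.
The scenario, names and edge labels below are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

ROLES = ("actor", "agent", "proxy", "individual")
Hop = Tuple[str, str, str]  # (source node, interaction, destination node)


class InteractionMap:
    def __init__(self) -> None:
        self.role: Dict[str, str] = {}
        self.edges: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def add_node(self, name: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}; expected one of {ROLES}")
        self.role[name] = role

    def add_interaction(self, src: str, dst: str, how: str) -> None:
        for node in (src, dst):
            if node not in self.role:
                raise KeyError(f"node {node!r} has not been declared")
        self.edges[src].append((dst, how))

    def threat_paths(self, individual: str) -> List[List[Hop]]:
        """All simple paths from every threat actor to `individual`, shortest first."""
        found: List[List[Hop]] = []
        for node, role in self.role.items():
            if role == "actor":
                self._walk(node, individual, {node}, [], found)
        return sorted(found, key=len)

    def _walk(self, node, target, visited, hops, out):
        if node == target:
            out.append(list(hops))
            return
        for dst, how in self.edges.get(node, []):
            if dst in visited:  # simple paths only: never revisit a node
                continue
            self._walk(dst, target, visited | {dst}, hops + [(node, how, dst)], out)

    def intermediaries(self, path: List[Hop]) -> List[Tuple[str, str]]:
        """(node, role) for every agent or proxy the path passes through."""
        return [(hop[2], self.role[hop[2]]) for hop in path[:-1]]


def indirect_paths(m: InteractionMap, individual: str) -> List[List[Hop]]:
    """Threat paths that reach the individual only via an agent or proxy."""
    return [p for p in m.threat_paths(individual) if m.intermediaries(p)]


def render(path: List[Hop]) -> str:
    """Human-readable form of one path, e.g. 'a --[how]--> b --[how]--> c'."""
    parts = [path[0][0]]
    for _src, how, dst in path:
        parts.append(f"--[{how}]--> {dst}")
    return " ".join(parts)


def sample_map() -> InteractionMap:
    """Constructed scenario: a stalker and a data broker threaten 'alice'."""
    m = InteractionMap()
    m.add_node("alice", "individual")
    m.add_node("stalker", "actor")
    m.add_node("data_broker", "actor")
    m.add_node("partner", "proxy")        # shares an account with alice
    m.add_node("family_tablet", "proxy")  # device alice uses part-time
    m.add_node("ad_network", "agent")     # instrument of the data broker
    m.add_interaction("stalker", "alice", "sends direct messages")
    m.add_interaction("stalker", "partner", "social-engineers")
    m.add_interaction("partner", "alice", "shared account reveals activity")
    m.add_interaction("data_broker", "ad_network", "sells location history")
    m.add_interaction("ad_network", "family_tablet", "targets ads")
    m.add_interaction("family_tablet", "alice", "shared screen exposes targeting")
    return m


if __name__ == "__main__":
    m = sample_map()
    for path in m.threat_paths("alice"):
        tag = "indirect" if m.intermediaries(path) else "direct"
        print(f"[{tag}] {render(path)}")
```

The direct stalker-to-alice message is the path most people would list first; the value of the map is the other two paths, which only appear once the partner's shared account and the family tablet are recorded as proxies and the ad network as the broker's agent. Each indirect path is a candidate for a control placed at the intermediary rather than at the individual.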
Information Categories and Risk Factors
Categorizing personal information helps determine risk based on whether the data creates Opportunity for harm, increases Motivation, or magnifies Magnitude of consequences. Below is a breakdown of key categories used in threat analysis.
| Category | Description & Examples |
|---|---|
| 1. EXTERNAL | |
| Identifying | Information that uniquely identifies a specific individual (name, username, unique identifier, government-issued identification, picture, biometric data, etc.). |
| Ethnicity | Information that describes an individual's origins and lineage (race, national or ethnic origin, languages spoken, dialects, accents). |
| Sexual | Information that describes an individual's sexual life (gender identity, preferences, proclivities, fetishes, history). |
| Behavioral | Information that describes an individual's behavior or activity, on- or offline (browsing behavior, call logs, links clicked, demeanor, attitude). |
| Demographic | Information that describes an individual's characteristics shared with others (age ranges, physical traits, income brackets, geographic region). |
| Medical and Health | Information that describes an individual's health, medical conditions, or health care (physical and mental health, drug test results, disabilities, family or individual health history, health records, blood type, DNA code, prescriptions). |
| Physical characteristics | Information that describes an individual's physical characteristics (height, weight, age, hair color, skin tone, tattoos, gender, piercings). |
| 2. INTERNAL | |
| Knowledge and belief | Information about what a person knows or believes (religious beliefs, philosophical beliefs, thoughts, what they know and don't know, what someone thinks). |
| Preference | Information about an individual's preferences or interests (opinions, intentions, interests). |
| Authenticating | Information used to authenticate an individual with something they know (passwords, PIN, mother's maiden name). |
| 3. TRACKING | |
| Contact | Information that provides a mechanism for contacting an individual (email address, physical address, telephone number). |
| Computer device | Information about a device that an individual uses for personal use, even part-time or shared with others (IP address, MAC address, browser fingerprint). |
| Location | Information about an individual's location (country, GPS coordinates, room number). |
| 4. SOCIAL | |
| Professional | Information about an individual's educational or professional career (job titles, salary, work history, school attendance, employee files, employment history, evaluations, references, interviews, certifications, disciplinary actions). |
| Criminal | Information about an individual's criminal activity (convictions, charges, pardons). |
| Public life | Information about an individual's public life (character, general reputation, social status, marital status, religion, political affiliations, interactions, communications metadata). |
| Family | Information about an individual's family and relationships (family structure, siblings, offspring, marriages, divorces, relationships). |
| Social network | Information about an individual's friends or social connections (friends, connections, acquaintances, associates, group membership). |
| Communication | Information communicated from or to an individual (telephone recordings, voicemail, email). |
| 5. FINANCIAL | |
| Account | Information that identifies an individual's financial account (credit card number, bank account). |
| Ownership | Information about things an individual has owned, rented, borrowed, possessed (cars, houses, apartments, personal possessions). |
| Transactional | Information about an individual's purchasing, spending, or income (purchases, sales, credit, income, loan records, transactions, taxes, and spending habits). |
| Credit | Information about an individual's reputation with regards to money (credit records, creditworthiness, credit standing, credit capacity). |
| 6. HISTORICAL | |
| History | Information about an individual's personal history (events that happened in a person's life, either to them or just around them that might have influenced them, such as WWII or 9/11). |