Threat modeling the quick and dirty way

From Gender and Tech Resources

Dystopia.gif

Basic choreography

Steward Brand: Build a room

Set up a table

The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).

Fill in the table

I recommend doing iterative brainstorming on "known and experienced threats" as initial filling of the first column in the table, before thinking about the other columns.

Reorder the list according to your set of priorities

Choose your ordering strategy carefully. Several strategies are possible.

  • If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
  • In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.
  • In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed scenario planning (food for thought) to find possible threats and solutions overlooked (food for gut).

Examples

Silicon Valley first world problems

Threat Likelihood Impact Protection
Having to drink medium Developer will drop dead within a week, deadline will not be made.

The human body needs water to survive. The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat.

* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
Having to eat food high Developer will drop dead within three weeks, deadline will not be made.

A human can go for more than three weeks without food (Mahatma Gandhi survived 21 days of complete starvation)

* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms
Needing sleep high Like breathing, sleep is essential to humans. It has even been said that one could survive three times longer without food than one could without sleep. One of the better known experiments on this subject, found that depriving rats entirely of sleep resulted in their death, or near-dying state, within 11-32 days (Everson et al. 1989). ** No long term alternatives known, but the deadline is still four weeks off. We tried adding coffee and coke to the Schmoylent in the previous development cycle.
Bathroom breaks high How many times do people go to the bathroom per day? Loads, and all those little breaks can add up to an hour or two per developer per day. ***** Implanting stomata. Costly. Management has suggested we need more surveillance equipment to study the problem of the breaks.

Journalist, observer or sousveillant in europe

A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.

The below threats, if happens, make for loss of trust and reputation and that translates to loss of effectiveness as independent observer.

Threat Likelihood Impact Protection
Metanoia & Paranoia low Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. *
Physical attacks medium Physical damage/intimidation
Arrest: That might include direct approaches such as intimidation and asking for information on sources. medium Physical danger to those sources.
Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/
  • Phishing
  • Guess/hack password
  • Metadata
  • Mobile trail
high Intimidation/attack/imprisonment of sources. *
Correspondence with contacts includes all sorts of information that we do not want others to know about.
  • Phishing
  • Guess/hack password
medium Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. **
Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be a used to attack others in our "organisation", and access information we don’t directly hold.
  • Phishing emails can be sent from our email or social media accounts to others.
  • Passwords can be guessed.
high Followers on social media and people on mailinglists can get spammed. ****
All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others).
  • Where are they? What forms do they have? Is there a security related documentation policy? Hey who is that man walking out the door with those files?
medium Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.

Intimidation/attack/imprisonment of sources.

*
If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records.
  • Metadata
  • Computer forensics
high Intimidation/attack/imprisonment of sources. *
It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html medium Publication of hoax information on content management systems (the news website) and social media accounts ***
Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information. medium Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. **

Related

References