An introduction to threat modeling
This isn’t an ‘ultimate guide’, not by any stretch of the imagination. It is a work in progress and, as I see it, the concept of threat modeling underpins all we discuss here on The Prepared’s forums. I welcome any and all comments and constructive criticisms. Okay, here we go. Here’s my conversation starter about threat modeling.
An Introduction to Threat Modeling
Although it has its roots in IT security, threat modeling is, at its core, the foundation for the mindset that you and I call prepping.
The purpose of a threat model is to examine your preparedness by identifying assets, threats, defenses, and vulnerabilities. In short, the process answers the questions, “What am I preparing for?”, “What do I have?”, “How can I protect it?”, “What could go wrong?”, and “What am I missing, overlooking, or not seeing?”.
As we identify the various aspects of threat modeling (this way of thinking and prepping), use this opportunity to re-examine your planned scenario and responses. Take this opportunity to correct any potential issues, shortcomings, or vulnerabilities.
Assets are people, places, property, equipment, skills, and other resources you have access to or at your disposal. An asset might be the med kit you have in your GO bag; it could be the pistol you keep at your side; an asset can be a person with a specialized set of skills (e.g., medical training, combat experience) who can be a member of your team or can train you; an asset could also be a place such as a bug-out location, a series of fallback positions; egress routes and transportation; or assets can be your significant stockpile of rations, water, weapons, ammunition, skills; or items for trade and barter.
Threats are people, places, events, or conditions that have the very real potential to impact, disrupt, obstruct, impede, undermine, injure, maim, damage, or destroy assets and objectives. Below are some sample categories and their corresponding threats, which I’ve drawn from a few of my personal models. By specifically identifying threats, we can better bolster our defenses while helping us to prepare smarter, not harder.
- Natural: earthquakes, tsunamis, tornadoes, fire, flooding, landslide, blizzard, stellar flare, etc.
- Biological: injury, illness, disease, outbreak, pandemic, abuse, rape, murder
- Environmental: polluted resources, water scarcity, breathable air
- Infrastructure: electricity, water, gas, cellular communications, GPS
- Chemical: pollution from manufacturing, plant accident/failure
- Socio-Economic: financial collapse, civil unrest, theft
- Radiological: fallout, power plant accident/failure
- Political: discrimination, inequity, inequality, polarization, radicalized ideologies
- Wartime/Insurrection: biological, chemical, & nuclear weapons, munitions, artillery, unexploded ordnance, terrorism, dirty bombs
Thinking about threats can be especially easy if you have a low threshold for what you might consider a threat. It can also be downright daunting, almost to the point of paralysis, if you’re not careful. Threats can be found everywhere, if you look hard enough. The trick, as it were, is to abide by the sane prepper mantra and be sane and rational. Prioritizing is an additional way to mitigate a runaway list of threats.
Probably the simplest way to keep yourself sane and from being overwhelmed by all these threats is to put them into one of two basic categories: low-risk or high-risk. Some of you may decide to go with risk levels that resemble something like our current Terror Threat Levels. How you prioritize is ultimately up to you; just do it. Doing so will force you to closely examine situational reality versus possibility and probability.
For example, those living on the west coast of the US (or along the ring of fire) are right to consider earthquakes, tsunamis, or volcanic activity (along with the threats to life, safety, and infrastructure that come with those events) high-risk threats. Although it’s not out of the realm of possibility, someone living in the middle of the US (for example) might not consider these high-risk threats. Instead, they’d likely list tornadoes.
By prioritizing threats you can prioritize your preparedness and, when that threat appears, you can prioritize your response(s).
What does a threat model look like?
A threat model can be as simple as a Word document, as complex as a spreadsheet, or as visual as an illustration. In creating an actual model, not only do you get it out of your head, but you can share this information with members of your household, trusted team, or community.
Below are a few examples of threat models to help familiarize you with the concept of threat modeling:
[Image: See? Even Batman has a threat model.]
[Image: Classic IT security threat modeling.]
[Image: A sample of my consolidated threat modeling spreadsheet (a perpetual work-in-progress).]
That’s All I’ve Got
The time you invest in developing, understanding, and evaluating your threat model(s) is time you’re investing in your own preparedness and, ultimately, your success.