
An introduction to threat modeling

Preface

This isn’t an ‘ultimate guide’, not by any stretch of the imagination. It is a work in progress and, as I see it, the concept of threat modeling underpins all we discuss here on The Prepared’s forums. I welcome any and all comments and constructive criticisms. Okay, here we go. Here’s my conversation starter about threat modeling.

An Introduction to Threat Modeling

Although it has its roots in IT security, threat modeling is, at its core, the foundation for the mindset that you and I call prepping.

The purpose of a threat model is to examine your preparedness by identifying assets, threats, defenses, and vulnerabilities. In short, the process answers the questions, “What am I preparing for?”, “What do I have?”, “How can I protect it?”, “What could go wrong?”, and “What am I missing, overlooking, or not seeing?”.

As we identify the various aspects of threat modeling (this way of thinking and prepping), use this opportunity to re-examine your planned scenario and responses. Take this opportunity to correct any potential issues, shortcomings, or vulnerabilities.

Identifying Assets

Assets are people, places, property, equipment, skills, and other resources you have access to or at your disposal. An asset might be the med kit you have in your GO bag; it could be the pistol you keep at your side; an asset can be a person with a specialized set of skills (e.g., medical training or combat experience) who can be a member of your team or can train you; an asset could also be a place, such as a bug-out location or a series of fallback positions; egress routes and transportation; your significant stockpile of rations, water, weapons, ammunition, skills; or items for trade and barter.

Identifying Threats

Threats are people, places, events, or conditions that have the very real potential to impact, disrupt, obstruct, impede, undermine, injure, maim, damage, or destroy assets and objectives. Below are some sample categories and their corresponding threats, which I’ve drawn from a few of my personal models. By specifically identifying threats, we can better bolster our defenses while helping us to prepare smarter, not harder.

  • Natural: earthquakes, tsunamis, tornadoes, fire, flooding, landslide, blizzard, stellar flare, etc.
  • Biological: injury, illness, disease, outbreak, pandemic, abuse, rape, murder
  • Environmental: polluted resources, water scarcity, breathable air
  • Infrastructure: electricity, water, gas, cellular communications, GPS
  • Chemical: pollution from manufacturing, plant accident/failure
  • Socio-Economic: financial collapse, civil unrest, theft
  • Radiological: fallout, power plant accident/failure
  • Political: discrimination, inequity, inequality, polarization, radicalized ideologies
  • Wartime/Insurrection: biological, chemical, & nuclear weapons, munitions, artillery, unexploded ordnance, terrorism, dirty bombs

Threats EVERYWHERE

Thinking about threats can be especially easy if you have a low threshold for what you might consider a threat. It can also be downright daunting, almost to the point of paralysis, if you’re not careful. Threats can be found everywhere, if you look hard enough. The trick, as it were, is to abide by the sane prepper mantra and be sane and rational. Prioritizing is an additional way to mitigate a runaway list of threats.

Prioritizing Threats

Probably the simplest way to keep yourself sane and from being overwhelmed by all these threats is to put them into one of two basic categories: low-risk or high-risk. Some of you may decide to go with risk levels that resemble something like our current Terror Threat Levels. How you prioritize is ultimately up to you; just do it. Doing so will force you to closely examine situational reality versus possibility and probability.

For example, those living on the west coast of the US (or along the ring of fire) are right to consider earthquakes, tsunamis, or volcanic activity (along with the threats to life, safety, and infrastructure that come with those events) high-risk threats. Although it’s not out of the realm of possibility, someone living in the middle of the US (for example) might not consider these high-risk threats. Instead, they’d likely list tornadoes.

By prioritizing threats you can prioritize your preparedness and, when that threat appears, you can prioritize your response(s).

What does a threat model look like?

A threat model can be as simple as a Word document, as complex as a spreadsheet, or as visual as an illustration. In creating an actual model, not only do you get it out of your head, but you can share this information with members of your household, trusted team, or community.

Below are a few examples of threat models to help familiarize you with the concept of threat modeling:

[Images: “See? Even Batman has a threat model.”; “Classic IT security threat modeling.”; “A sample of my consolidated threat modeling spreadsheet (a perpetual work-in-progress).”]

That’s All I’ve Got

The time you invest in developing, understanding, and evaluating your threat model(s) is time you’re investing in your own preparedness and, ultimately, your success.


  • Comments (5)

    • 5

      In the interests of continuing/participating in “the conversation” there are multiple [dimensions?] to consider, especially with regards to prioritizing threats:

      1. Probability – how likely are you to encounter a given threat?
      2. Severity – If you encounter a threat, how big of an impact will it have? In other words, even if you encounter this threat, is it survivable without mitigation?
      3. Mitigation Costs – how much does it cost to mitigate a threat if it is less survivable?
      4. Opportunity Costs – what do you “give up” by preparing for a given threat (i.e. bunkering in vs bugging out – do you invest in a great off-road car or a great backyard bunker if you can’t afford both?)

      There are probably other factors to consider; these are just my initial reactions.

      • 3

        @Rich,

        Yeah, there are definitely A LOT of dimensions to consider, which is why this Intro is just a conversation starter. It is by no means meant to be complete and all-encompassing.

        One could make the argument that mitigation costs and opportunity costs can be offset by having a team (or being part of a team). More so, if you take the community-based approach. Each member of the community contributes toward a shared goal. If they’re on the same page, cooperation enables them the most flexibility in their response. Alice has a bunker. Bob has an off-roader or a boat. Carol has an impressive food stockpile. Dan’s a vet and has combat experience, so he’s got security covered. When the SHTF they can coordinate a response (given sufficient room in Alice’s bunker, Bob’s boat, or BOing).

        This, of course, takes a tremendous amount of trust between each of the members and it assumes the overlapping threat models.

        The threat models, as I’ve introduced them, are more geared toward individuals, particularly those who want to better develop their responsiveness to various threats, situations, or actors.

    • 4

      There are two popular business models that can be adapted for personal use. I’ve been going back and forth about which model makes the most sense for our family. Similar to the information Rich added is the SWOT model – Strengths, Weaknesses, Opportunities and Threats. Search SWOT Analysis on your favorite search engine and there should be several diagram examples.

      Another one is commonly used in government and large businesses and called Enterprise Risk Management or ISO-31000. Again, search either of those terms and you can see the framework. This one would really have to be tailored down for a family plan, but the foundation of it is good.

      • 4

        Oh, man! SWOT. Now you’ve thrown me into the wayback machine. 😉

        Don’t forget, there’s always the Art of War, which, when applied to the context of prepping, can also be very insightful.

    • 2

      This is a brilliant idea – at least as someone who does a little of this for $DAYJOB!

      I discovered real shortcomings in my readiness w/ SARS-COV-2, because my implicit mental model was “flee the general disaster zone”. Obviously not so suited to “hunker down”!

      And thinking about impact vs. likelihood can help focus on simple, versatile stuff.

      Thanks!