An introduction to threat modeling

Preface

This isn’t an ‘ultimate guide’, not by any stretch of the imagination. It is a work in progress and, as I see it, the concept of threat modeling underpins everything we discuss here on The Prepared’s forums. I welcome any and all comments and constructive criticism. Okay, here we go. Here’s my conversation starter about threat modeling.

An Introduction to Threat Modeling

Although it has its roots in IT security, threat modeling is, at its core, the foundation for the mindset that you and I call prepping.

The purpose of a threat model is to examine your preparedness by identifying assets, threats, defenses, and vulnerabilities. In short, the process answers the questions, “What am I preparing for?”, “What do I have?”, “How can I protect it?”, “What could go wrong?”, and “What am I missing, overlooking, or not seeing?”.

As we identify the various aspects of threat modeling (this way of thinking and prepping), use this opportunity to re-examine your planned scenarios and responses. Take this opportunity to correct any potential issues, shortcomings, or vulnerabilities.

Identifying Assets

Assets are people, places, property, equipment, skills, and other resources you have access to or at your disposal. An asset might be the med kit you have in your GO bag; it could be the pistol you keep at your side; an asset can be a person with a specialized set of skills (e.g., medical training or combat experience) who can be a member of your team or can train you; an asset could also be a place, such as a bug-out location or a series of fallback positions; egress routes and transportation; your significant stockpile of rations, water, weapons, ammunition, and skills; or items for trade and barter.

Identifying Threats

Threats are people, places, events, or conditions that have the very real potential to impact, disrupt, obstruct, impede, undermine, injure, maim, damage, or destroy assets and objectives. Below are some sample categories and their corresponding threats, which I’ve drawn from a few of my personal models. By specifically identifying threats, we can better bolster our defenses and prepare smarter, not harder.

  • Natural: earthquakes, tsunamis, tornadoes, fire, flooding, landslide, blizzard, stellar flare, etc.
  • Biological: injury, illness, disease, outbreak, pandemic, abuse, rape, murder
  • Environmental: polluted resources, water scarcity, breathable air
  • Infrastructure: electricity, water, gas, cellular communications, GPS
  • Chemical: pollution from manufacturing, plant accident/failure
  • Socio-Economic: financial collapse, civil unrest, theft
  • Radiological: fallout, power plant accident/failure
  • Political: discrimination, inequity, inequality, polarization, radicalized ideologies
  • Wartime/Insurrection: biological, chemical, & nuclear weapons, munitions, artillery, unexploded ordnance, terrorism, dirty bombs

Threats EVERYWHERE

Thinking about threats can be especially easy if you have a low threshold for what you consider a threat. It can also be downright daunting, almost to the point of paralysis, if you’re not careful. Threats can be found everywhere, if you look hard enough. The trick, as it were, is to abide by the sane-prepper mantra and be sane and rational. Prioritizing is an additional way to mitigate a runaway list of threats.

Prioritizing Threats

Probably the simplest way to keep yourself sane and from being overwhelmed by all these threats is to put them into one of two basic categories: low-risk or high-risk. Some of you may decide to go with risk levels that resemble something like our current Terror Threat Levels. How you prioritize is ultimately up to you; just do it. Doing so will force you to closely examine situational reality versus possibility and probability.

For example, those living on the west coast of the US (or along the Ring of Fire) are right to consider earthquakes, tsunamis, or volcanic activity (along with the threats to life, safety, and infrastructure that come with those events) high-risk threats. Although it’s not out of the realm of possibility, someone living in the middle of the US (for example) might not consider these high-risk threats. Instead, they’d likely list tornadoes.

By prioritizing threats you can prioritize your preparedness and, when that threat appears, you can prioritize your response(s).

What does a threat model look like?

A threat model can be as simple as a Word document, as complex as a spreadsheet, or as visual as an illustration. In creating an actual model, not only do you get it out of your head, but you can share this information with members of your household, trusted team, or community.

Below are a few examples of threat models to help familiarize you with the concept of threat modeling:

[Images not reproduced here: batman-threat-model, threat-model, TMODEL. Caption: See? Even Batman has a threat model. Classic IT security threat modeling. A sample of my consolidated threat modeling spreadsheet (a perpetual work-in-progress).]
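As an added example (not part of the original post or The Prepared’s own material), here is the simplest version of that spreadsheet expressed as a few lines of Python: a register of threats, the assets each one endangers and the defenses already in place, scored by likelihood times impact and split into the post’s two buckets, low-risk and high-risk. It also answers “What am I missing?” by listing high-risk threats that have no defense recorded. The 1-to-5 scales, the high-risk threshold of 12, and the sample household in the central US are constructed assumptions; the threat categories are the post’s own.

```python
# Added example, not code from the original post. A tiny threat register that
# turns "assets, threats, defenses, vulnerabilities" into data and ranks threats
# by likelihood x impact. The 1..5 scales, the threshold of 12 and the sample
# central-US household are constructed assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    category: str          # one of the post's categories (Natural, Infrastructure, ...)
    likelihood: int        # 1 = remote, 5 = expected (assumed scale)
    impact: int            # 1 = nuisance, 5 = destruction (assumed scale)
    assets_at_risk: list[str]
    defenses: list[str] = field(default_factory=list)

    @property
    def risk(self) -> int:
        """Likelihood x impact: the 'impact vs. likelihood' score mentioned in the thread."""
        return self.likelihood * self.impact


HIGH_RISK_THRESHOLD = 12  # assumed cut-off on the 1..25 scale


def risk_level(score: int, threshold: int = HIGH_RISK_THRESHOLD) -> str:
    """The post's two buckets: low-risk or high-risk."""
    return "high" if score >= threshold else "low"


def prioritize(register: list[Threat]) -> list[Threat]:
    """Highest risk first; ties broken by impact so the worse outcome wins."""
    return sorted(register, key=lambda t: (t.risk, t.impact), reverse=True)


def gaps(register: list[Threat]) -> list[Threat]:
    """'What am I missing?': high-risk threats with no defense listed."""
    return [t for t in prioritize(register)
            if risk_level(t.risk) == "high" and not t.defenses]


def render_table(register: list[Threat]) -> str:
    """Plain-text table: the spreadsheet view the post describes, highest risk first."""
    rows = [f"{'Threat':<24}{'Category':<16}{'L':>2}{'I':>3}{'Risk':>6}  Level  Defenses"]
    for t in prioritize(register):
        rows.append(f"{t.name:<24}{t.category:<16}{t.likelihood:>2}{t.impact:>3}"
                    f"{t.risk:>6}  {risk_level(t.risk):<5}  {', '.join(t.defenses) or '-'}")
    return "\n".join(rows)


# Constructed sample register for a hypothetical household in the central US,
# mirroring the post's point that tornadoes outrank earthquakes there.
REGISTER = [
    Threat("Tornado", "Natural", 4, 5, ["home", "family"], ["storm shelter", "weather radio"]),
    Threat("Earthquake", "Natural", 1, 4, ["home"]),
    Threat("Extended power outage", "Infrastructure", 4, 3, ["heat", "refrigerated food"]),
    Threat("House fire", "Natural", 2, 5, ["home", "family"], ["smoke alarms", "extinguisher"]),
    Threat("Job loss", "Socio-Economic", 3, 3, ["income"], ["emergency fund"]),
    Threat("Pandemic", "Biological", 2, 4, ["family", "income"], ["2 weeks of food", "masks"]),
]

if __name__ == "__main__":
    print(render_table(REGISTER))
    print("\nUnaddressed high-risk threats:", [t.name for t in gaps(REGISTER)])
```

Run as-is and the table puts the tornado at the top and the earthquake at the bottom, while the extended power outage is flagged as the one high-risk threat with nothing in the defenses column. Swapping in your own rows, or changing the threshold, is the whole point: the scoring forces the “reality versus possibility” conversation the post asks for.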

That’s All I’ve Got

The time you invest in developing, understanding, and evaluating your threat model(s) is time you’re investing in your own preparedness and, ultimately, your success.

  • Comments (19)

    • 10

      In the interests of continuing/participating in “the conversation” there are multiple [dimensions?] to consider, especially with regards to prioritizing threats:

      1. Probability – how likely are you to encounter a given threat?
      2. Severity – If you encounter a threat, how big of an impact will it have?  In other words, even if you encounter this threat, is it survivable without mitigation?
      3. Mitigation Costs – how much does it cost to mitigate a threat if it is less survivable?
      4. Opportunity Costs – what do you “give up” by preparing for a given threat (i.e. bunkering in vs bugging out – do you invest in a great off-road car or a great backyard bunker if you can’t afford both?)

      There are probably other factors to consider; these are just my initial reactions.

      • 9

        @Rich,

        Yeah, there are definitely A LOT of dimensions to consider, which is why this intro is just a conversation starter. It is by no means meant to be complete and all-encompassing.

        One could make the argument that mitigation costs and opportunity costs can be offset by having a team (or being part of a team). More so, if you take the community-based approach. Each member of the community contributes toward a shared goal. If they’re on the same page, cooperation enables them the most flexibility in their response. Alice has a bunker. Bob has an off-roader or a boat. Carol has an impressive food stockpile. Dan’s a vet and has combat experience, so, he’s got security covered. When the SHTF they can coordinate a response (given sufficient room in Alice’s bunker, Bob’s boat, or BOing).

        This, of course, takes a tremendous amount of trust between each of the members and it assumes overlapping threat models.

        The threat models, as I’ve introduced them, are more geared toward individuals, particularly those who want to better develop their responsiveness to various threats, situations, or actors.

      • 7

        @Matt and @Rich

        I didn’t know my struggles even had a name…Threat Modeling!  This really will help me clarify so many of my decision quandaries.  I.e. Opportunity Costs – Should I prepare to bunker in or bug out?  Do I invest in a small RV or prepare to stay home and defend it?  I can’t afford to do BOTH effectively. 

        I’m in a working class urban area and the growing number of local job losses due to the Pandemic could create fearful and desperate neighbors. All that on top of the coming flu season, an emotionally charged election and possible spread of local Protests/riots!

        Thanks for posting this!

    • 9

      There are two popular business models that can be adapted for personal use. I’ve been going back and forth about which model makes the most sense for our family. Similar to the information Rich added is the SWOT model – Strengths, Weaknesses, Opportunities and Threats. Search SWOT Analysis on your favorite search engine and there should be several diagram examples.

      Another one is commonly used in government and large businesses and called Enterprise Risk Management or ISO-31000. Again, search either of those terms and you can see the framework. This one would really have to be tailored down for a family plan, but the foundation of it is good.

      • 9

        Oh, man! SWOT. Now you’ve thrown me into the wayback machine. 😉

        Don’t forget, there’s always the Art of War -which, when applied to the context of prepping, can also be very insightful.

    • 12

      This is a brilliant idea – at least as someone who does a little of this for $DAYJOB!

      I discovered real shortcomings in my readiness w/ SARS-COV-2, because my implicit mental model was “flee the general disaster zone”. Obviously not so suited to “hunker down”!

      And thinking about impact vs. likelihood can help focus on simple, versatile stuff.

      Thanks!

    • 8

      Re-hi, all. I just wanted to drop a follow-up:

      Here’s a little something I’ve been kicking around lately and I figured I’d share it for some feedback and/or as inspiration (is it inspiring?!). Ha.

      This is a simplified visualization that helps me examine my [team’s] Threat Response. And before I proceed, this isn’t something we’re looking at in a moment of crisis. This is a tool to help us better understand our responses well in advance of a “vortex of awful”-type event. [Hat tip to Jon!]

      [Image not reproduced here: threat_response]

      Right out of the gate, I’m going to acknowledge that threats are, in fact, multi-dimensional. For practical purposes, however, I’ve simplified threats into two major aspects that will impact my [team’s] decisions: proximity and magnitude.

      On the left, I modelled proximity like the way we’d explain personal space. At the center is the street that my family lives on. Rippling outward, we’re illustrating the distance of that threat at the town, region, state, and national levels.

      On the right, I’ve assigned colors and labels to better see the magnitude (intensity, ‘temperature’, etc) of the threat. Starting at the center, the bullseye, I placed the greatest threat: destruction. Moving outward, each ring of magnitude becomes less intense.

      In the middle, I’ve made response notes at the intersection of each set of rings. If the threat is in close proximity or potentially destructive, the course of action is ‘FLEE’. If the threat is at a national level -or- is ‘unsettled’ in nature, I will simply monitor (MON) it. So, this visualization isn’t about proximity and magnitude; it’s about proximity or magnitude.

      Trying to model proximity and magnitude would expend too much of my time (although I seem to have a lot nowadays) and, frankly, it’s not worth it because one can’t account for every single scenario. And adding duration of event as an additional aspect (which would move this model into 4-D) would just cause my brain to overload.

      • 7

         So what is the difference between Flee, GTFO and BO? 

      • 2

        MON = monitor the situation.
        BI = bug-in/hunker down/hold the fort up to 6 mos. (current)
        BO = bug-out up to 3 mos.
        GTFO = bug-out up to 6 mos.

        FLEE = [Fucking Leave. Exits Everywhere]

        FLEE v INCH
        As I’ve assessed and reviewed my own threat models, it occurs to me that there may be scenarios in which my family and I may need to seek refuge in another country. To flee. One could make the argument that this is synonymous with INCH (I’m Never Coming Home), but (to my mind at least), the concept of FLEE(ing) incorporates an element of administrative preparedness. That is, having the right information and documentation in hand in order to meet this goal.

        At present, the ‘FLEE’ response allows for an extended BO period lasting more than 6 mos. (as in, it’s not safe to be home, so we’ll stay bugged-out) or any event which triggers the FLEE response. Such events themselves could vary in degrees – whether legislative/legal, lawless roving bands of thugs, targeted murder, or genocide.

        Better to be smart and live than be outgunned and die.

        Dark stuff, I know, but a possibility nonetheless. So, probability be damned; I simply won’t be caught off guard and that’s why this is included in my threat model.

        The idea is to flee when the opportunity allows for it, by any means necessary, whether legally (provided enough prep time) or illegally (having zero time).

      • 9

        Thanks for the explanation.  I have some of these concepts (not with nifty acronyms for FLEE 🙂 ) in my scenario/responses musings in my own spreadsheet, but have certainly not thought them through as well as you have.  This framework will definitely help to clarify it.

      • 5

        I like your analysis here, especially the FLEE acronym, which is a scary unknown that’s essentially been a “Here be Dragons!” zone on my map for a while.

        Situationally, it seems like it wouldn’t take much for the lines to blur between preppers in FLEE-mode and the rest of the refugees on the roads.  It’s especially troubling because, like the situations you listed above, the reasons for FLEEing are largely necessitated by a shifting of the political sands and rule of law.

        Obviously, being as far away from this “vortex of doom” before the sucking starts is ideal, but timing is a bitch.

        Could you expand on what additional preps, beyond the extended BO, are essential to having a chance of successfully navigating a FLEE situation?

    • 7

      For a quick shortcut, look up your local emergency management agency and see what they classify as the biggest risks to your area. This is usually included in the All Hazards Risk Assessment section of the emergency plan.

      • 7

        Brilliant idea! Doing so would definitely help tailor models!

    • 7

      I’m curious, if you’re willing to share, what thresholds do you have for various actions/responses?  I find your proximity/magnitude diagram useful (though it’s hard to read some of the text).  I think of this more like a decision tree, a branching if-then-else logic, usually with binary logic.

      My default stance is akin to your “monitor” mode (or possibly a less intense version).  Take in information through first hand observation, second hand accounts, and trusted sources.  Update my plans as needed/as the situation merits.  This can be as simple as keeping the pantry full and adjusting my schedule for when I shop to avoid crowds or even how “relaxed” I am about socially-distant interactions (seeing friends in a park, having trusted friends over in the back yard, etc).

      A step up would be active/enhanced information gathering.  When “background activity” starts to make my spidey-sense tingle my neurotic tendencies aim to collect more information and organize better.  This might be things like re-packing/optimizing bug out bags, researching/ordering new supplies/equipment or learning a new skill.  This response is usually the result of major news developments or a preponderance of activity in one of my social media spheres (this site, included).

      To be honest, this is about as far as I’ve ever gotten.  The only times I’ve ever gotten to a “bunker in” scenario involve temporary external events like bad weather when common sense says it’s a good time to stay indoors.  The longest was maybe a 2-4 day snow storm.  Beyond this point I have more questions than answers:

      What would trigger you to bunker in, bug out, etc? I can imagine a few scenarios with hypothetical criteria:

      • Threats of violence:
        • Bunker In:
          How close/far away would a violent event have to be for you to “bunker in?”  In the same city as you?  Within a mile of your residence? A few blocks?  I live in a medium-small city that is part of a major metro area, so a major civil disturbance can take place 7 miles away, but I’ve got a river between me and that and wouldn’t change my behavior aside from checking in with friends.  I feel like a major event would have to occur within 2 miles of my residence before I didn’t feel safe enough to leave the house/area.
        • Bug out: Leave deliberately, with intent to return soon
          If a violent event (or an event with the possibility of mass violence) occurred within a 2 mile radius of where I live I would consider the magnitude of the event.  If it was that close it would need to involve hundreds of actors to be large enough and near enough to leave.  Likewise if it was larger but further away I might scale that, so if it was thousands of people but like 3-5 miles away the proximity-magnitude might flip my “leave” switch.  If it was smaller but closer, 50-100 people at half a mile, 20-50 people at a quarter of a mile.  Less than 20 people and I’d probably just stay inside unless I was being actively targeted (I assume we still have an effective police force if the scale is this size or smaller)
        • ‘GTFO’ – leave quickly, possibly for a few days/weeks
          In terms of violence, I feel like this is just a scaled up version of the bug-out criteria, maybe with additional factors.  Let’s say there is credible fear that law enforcement is no longer effective, or I’m being specifically targeted; I might pack up in a hurry and worry about picking up the pieces later.
        • ‘Flee’ – leave, and don’t look back
          I don’t have a good model for this, frankly.  I feel like I would need to be in imminent fear for my life for this to occur, with credible evidence that there is not effective law enforcement and that the event was not a ‘flash in the pan’ but a prolonged, systemic event/process.
      • Natural Disasters:
        • Bunker in:
          This would be my default for most disasters.  I get the occasional snow storm/hurricane/flash flood concern but short of Noah’s-Ark scale flooding or a tornado landing on my roof, I’ll be fine.
        • Bug out: Leave deliberately, with intent to return soon
          This would have to be a long-term power outage type event, I’d think.  Or maybe a breakdown in sanitation.  The criterion is that it’s a localized/regional issue with areas that are unaffected within an hour’s drive.  Basically spending a few nights in a hotel because my neighborhood is a disaster but my region is largely OK.  I don’t need to worry about wild fires, earthquakes, or massive flooding.
        • ‘GTFO’ – leave quickly, possibly for a few days/weeks
          If I lived in a tidal area that was prone to hurricanes or a drought area with wildfires I could imagine this, but I don’t so I’m at a loss.  Any natural event that would cause widespread devastation to this area would have to be cataclysmic, like the Yellowstone caldera going up and causing a mini-ice age.  Perhaps this is a limitation of my imagination, though.
        • ‘Flee’
          Oddly enough, I can imagine this, but it would be a long term, obvious migration. Basically, moving north if/when global warming gets real bad.  That’s probably a couple decades or more away though.
      • Other scenarios?
        • I feel like most “personal disasters” would let you make use of local social networks to aid in recovery, so they don’t map to this model well
        • There are extreme, borderline existential scenarios but these tend to be so massive I doubt there is much escape.  I can’t afford a refurbished missile silo, or a private New Zealand estate.

      Is this relevant to this thread? Any thoughts/differences of opinions, etc?

      • 6

        Sorry this reply is so long coming.  I just found this site.

        Your comments really resonate with me.  The critical decision-making in times of crisis is borne by me, with my family’s wellbeing and/or survival on the line.  I have a fairly established rural bug-out location not far from my main suburban residence. What threat, intensity and proximity, will trigger a BO decision?  You don’t want to overreact, but a delayed decision to bug out means the roads are congested, either on foot or auto, with like-minded individuals, many of whom may be desperate.  I saw this congestion first hand during a hurricane evac.  Nine hours and 125 miles traveled with empty gas stations along the way.

        I am in Texas, where 4MM people suddenly lost power in the coldest weather in 130 years.  My aunt recorded 19F inside her home at one point.  Obviously, we are not walking 40+ miles in that weather, but we did lose power and it was uncertain when it would return.

        I’ve focused on keeping the primary residence stocked for up to 2 weeks of interruption and, depending on the scenario, potential to thrive and even help neighbors.  This recent weather event has re-engaged me in this mindset, and your comment has challenged my pre-conceived notions of what the BO decision and execution looks like.  

        Cheers!

      • 6

        Do you have a hard set rule of ‘if this happens, we will head to our bug-out location’? How do you make that decision?

      • 6

        I don’t have a set of decision points.  I need to.  Probably use some sort of decision tree that’s personal to my circumstances.

    • 8

      Thank you so much for taking the time to write this very extensive forum post Matt! This is a very easy to understand explanation of threat modeling and really helped me to feel like I can properly and sanely look at my threats.
      I have always seen prepping as daunting and a lot to take in. I feel like threat modeling will help narrow your focus and helps it to not feel so overwhelming.
      I like how you mentioned that you need to assess your assets. I feel that many of our assets will blend and be interchangeable between different threats. For example, that tarp can be used as a water catchment system in case of a drought, or a shelter if you need to bug out. Try and look at your preps and see how many uses you can get out of each item. Doing this along with threat modeling will help you feel more prepared than you used to.

    • 3

      Matt, just saw this. Only read thread once so might have missed if my point here already addressed.

      Consider:  * Rapidly changing circumstances * . You and partner are home in condo. Many neighbors, others, running out into the road and it’s obvious they’re experiencing respiratory failure.  You have no idea what’s causing this – smoke, fire, poison gas, terrorist activity ? You and partner grab jackets and BOBs for dash to car ~ 100 m away.  All of a sudden, a firetruck or helo public address system says to go to corner and then proceed to Emergency Management van with flashing strobe lights … Next: 

      …..

      Only because cyber stylus is next to cyber parchment; Threat modeling traced to IT ? In modern times, it’s traced to Ed’s coffee shop.  The place later acquired the name “Lloyd’s of London”.