Questions for threat modelling

Do your own security risk assessment by asking yourself some questions. Listing all the equipment, actors, and laws involved quickly wakes people up to the fact that they are not as special as a “terrorist”, or, in activist contexts, to the fact that it may actually happen or be happening.

Every context and adversary is different, of course. Here are two examples to show what an assessment looks like.

Likelihood

  • Who would bug your house? Ex-spouse. I went extremely easy on him during the divorce, so he's not rich but he has a house and some money, yet he feels entitled (and jealous (there's nobody, but he doesn't believe me)).
  • How would they do it? He's got zilch internet skills (can just about read email and use WhatsApp). He could perhaps buy a cheap RF mic.
  • Who else in your environment, or with your type of activities, has been the subject of targeted surveillance by a spouse? One. Pretty nasty story too.

Likelihood score: 5

Vulnerability

  • Could they break into your house to install a bug in your light switch? Can they use other ways of getting the information they are after? I have no house. But I am living somewhere, and with some help from a friend, he could. But he doesn't have a key to that place and when we are away the door is always locked, so he'd have to break in (when we're away and at night the alarm system is on). So, good luck.

Vulnerability score: 2

Impact

  • Suppose they can hear what you say, or see what you do. What can happen? Not much. If the quality of the mic is good enough, he might hear me flipping pages in a book, cooking, or overhear conversations about gardens.

Impact score: 1

Result

Likelihood x Impact x Vulnerability = 5 x 1 x 2 = 10

Likelihood

  • Who would bug your house? A team of thugs hired by the corporation or members of the police/intelligence agency (having been told to do so by some bribed government official).
  • How would they do it? We are a threat to the status quo of our lands being plundered, and I assume there are (police and/or intelligence) infiltrators in our movement. Those have resources, can easily get a judge to sign off, and then bug my home and phone, and my PC. If things heat up even more, they could even deploy drones.
  • Who else in your environment, or with your type of activities, has been the subject of targeted surveillance? Many, and I am increasingly successful at raising hell on the $#@%^

Likelihood score: 10

Vulnerability

  • Could they break into your house to install a bug in your light switch? Can they use other ways of getting the information they are after? Yes, they'd have the resources and the skills. I have an alarm system, but some meetings are taking place at my house, and I cannot keep an eye on everybody all the time. Besides, I wouldn't want to. Many movements have gone belly up due to internal mistrust and paranoia, and I do not want that to happen. Perhaps we can move meetings to different (beautiful outside) places, and announce just one hour up front where we meet, never choosing the same place again. Doesn't remove the threat of interception of our conversations by infiltrators.

Vulnerability score: 10

Impact

  • Suppose they can hear what you say, or see what you do. What can happen? They can use any collage of information to attack our movement and its members. Reputation and otherwise. They'd know up front what actions and protests we are planning, and better prepare to intimidate us and possibly even arrest (some of) us. This might happen anyway. Intimidation and arrest can kill our movement in the long run, which means my people would have to move. But where? And what about the environment? And next generations?

Impact score: 10

Result

Likelihood x Impact x Vulnerability = 10 x 10 x 10 = 1000