Quick and dirty threat modelling

Quick and dirty threat modelling is useful for finding the low-hanging fruit.

Set up a table:

| Threat | Likelihood | Impact | Vulnerability | Grade |
|---|---|---|---|---|
| The first column contains a short description of the threat | The second column contains an indication of the likelihood of it occurring | The third column contains what impact it would have if it did happen | The fourth column holds an assessment of how vulnerable I/we/the organisation am/is to the threat | The fifth column contains an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing, except for the cost of the impact if it did happen). |
| Home bugging | We are a threat to the status quo of our lands being plundered, and I assume there are (police and/or intelligence) infiltrators in our movement. Those have resources, can easily get a judge to sign off, and then bug my home and phone, and my PC. | They can use any collage of information to attack our movement and its members. Reputation and otherwise. They'd know up front what actions and protests we are planning, and better prepare to intimidate us and possibly even arrest (some of) us. | They'd have the resources and the skills. I have an alarm system, but some meetings are taking place at my house, and I cannot keep an eye on everybody all the time. Besides, I wouldn't want to. Many movements have gone belly up due to internal mistrust and paranoia, and I do not want that to happen. Intimidation and arrest can kill our movement in the long run, which means my people would have to move. But where? And what about the environment? And next generations? | Score: 1000. Perhaps we can move meetings to different (beautiful outside) places, and announce just one hour up front where we meet, never choosing the same place again. Doesn't remove the threat of interception of our conversations by infiltrators. |

Fill in the table, one row per threat: I recommend iterative brainstorming on “known and experienced threats” (a row per threat) to fill the first column of the table first, before thinking about the other columns.

Reorder the list according to your set of priorities: Choose your ordering strategy carefully. Several strategies are possible.

  • If this is a learning experience or you are a fan of “only time for putting out fires” cultures, no need for ordering.
  • In a low-risk environment (no immediate death threats) “routine” strategies and tactics work well. You can use asset-based threat modelling, pick “low hanging fruit” and set up protection for assets with a big impact and/or high likelihood of occurrence first.
  • For an “on demand” strategy you can use software-based threat modelling going through all of the scenarios.
  • In a high-risk environment, or if any of the items in the list of possible impacts reads “loss of life” or some life-altering experience, or if you have turned procrastination into an art, best choose an “anticipating strategy”, meaning do more research and use detailed attacker-based threat modelling.
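
One way to keep the table as data and apply the learning, routine and high-risk bullets above, as an added example that is not part of the original page. The 1 to 5 scales, the star counts, the marker phrases and all sample rows are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Assumption: likelihood, impact and vulnerability are scored 1 (low) to 5 (high)
# and grade is a star count; the page does not prescribe a scale.
@dataclass
class Threat:
    name: str
    likelihood: int
    impact: int
    vulnerability: int
    grade: int             # stars of effort to protect; 0 = no protection exists
    impact_note: str = ""  # free-text impact cell

# Assumed marker phrases for the high-risk bullet.
MARKERS = ("loss of life", "life-altering")

def needs_research(threats):
    """Rows whose impact cell triggers the anticipating strategy."""
    return [t for t in threats if any(m in t.impact_note.lower() for m in MARKERS)]

def pick_strategy(threats, learning_only=False):
    """Map the table onto one of the ordering strategies in the list above."""
    if learning_only:
        return "no ordering"
    return "anticipating" if needs_research(threats) else "routine"

def routine_order(threats):
    """Low-hanging fruit first: rows that can be protected at all, then highest
    impact x likelihood, then the cheapest protection (fewest stars)."""
    return sorted(threats, key=lambda t: (t.grade == 0, -t.impact * t.likelihood, t.grade))

# Constructed sample rows; names and scores are illustrative only.
ROWS = [
    Threat("Website defaced", 3, 2, 2, 3, "embarrassment"),
    Threat("Conversation overheard by infiltrator", 3, 5, 5, 0, "plans known up front"),
    Threat("Laptop stolen", 2, 4, 3, 1, "contact list exposed"),
    Threat("Home bugging", 4, 5, 4, 3, "intimidation, arrests"),
    Threat("Shared mailbox password reused", 4, 4, 5, 1, "mail read by outsiders"),
]

if __name__ == "__main__":
    print("strategy:", pick_strategy(ROWS))
    for t in routine_order(ROWS):
        print(f"{t.impact * t.likelihood:>3}  {'*' * t.grade or '-':<4} {t.name}")
```

Rows with no stars sort last under the routine strategy because there is nothing to set up for them; they stay in the table as accepted risk.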