Modeling Job for You

Motherboard, a part of Vice magazine, has published a very good Guide to Not Getting Hacked.  It's also available as a PDF. One of my favorite sections draws from the EFF Surveillance Self-Defense page.  "Threat modeling" may sound like something a management consultant would explain to you with 19 PowerPoint slides for only $45,000.  But it really just consists of considering these five questions:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

Ultimately the goal of information security is not to protect the information assets absolutely.  Protecting anything absolutely is not even theoretically possible.  (Once again, what is this site called?  And why?) What we're trying to do here is make the information assets more trouble to attack successfully than they're worth.  If stealing a new sprocket design from the engineers at Spacely Sprockets is worth $4 million to the attacker, then we have to make it cost them an expected $4.5 million or more to get.  That way, even success is failure for the attacker. But if preserving that design is worth $4 million to us, we'd be idiots to spend $4.5 million defending it.  We could post it on Facebook and save ourselves $500,000. Threat modeling is really just taking a breath, refusing to panic, and applying all-too-UNcommon sense.
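As an added illustration (not code from the original post, nor from the Motherboard or EFF guides), here is the five-question model and the Spacely Sprockets arithmetic written out in Python. It goes one step beyond the post by weighting the consequence (question 3) by the likelihood (question 4) to get an expected loss before comparing it with the cost of defending; the likelihood figures and the cheaper second scenario are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ThreatModel:
    """One row of a threat model, one field per question from the guide."""
    asset: str               # 1. What do I want to protect?
    adversary: str           # 2. Who do I want to protect it from?
    loss_if_breached: float  # 3. How bad are the consequences if I fail? (dollars to us)
    likelihood: float        # 4. How likely is it that I will need to protect it? (0.0 to 1.0)
    defense_cost: float      # 5. How much trouble am I willing to go through? (dollars we'd spend)
    attacker_payoff: float   # what a successful attack is worth to the adversary
    attacker_cost: float     # what it would cost the adversary to succeed against our defense

    def expected_loss(self) -> float:
        """Consequence weighted by likelihood: the most a rational defender should spend."""
        return self.loss_if_breached * self.likelihood

    def defense_is_worth_it(self) -> bool:
        """Defend only when the defense costs less than the loss it is expected to prevent."""
        return self.defense_cost < self.expected_loss()

    def attacker_is_deterred(self) -> bool:
        """The attack is a losing proposition once it costs more than it pays."""
        return self.attacker_cost > self.attacker_payoff

    def verdict(self) -> str:
        """Plain-language summary of both sides of the ledger."""
        us = "defend" if self.defense_is_worth_it() else "do not overspend"
        them = "deterred" if self.attacker_is_deterred() else "still motivated"
        return f"{self.asset} vs {self.adversary}: {us}; attacker {them}"


# Constructed scenario using the post's figures: the design is worth $4M to both
# sides, and the proposed defense costs $4.5M. Likelihood 1.0 is an assumption.
SPACELY = ThreatModel("sprocket design", "rival sprocket maker",
                      loss_if_breached=4_000_000, likelihood=1.0,
                      defense_cost=4_500_000,
                      attacker_payoff=4_000_000, attacker_cost=4_500_000)

# Constructed alternative: a $500k defense that still raises the attacker's cost
# above the payoff, with an assumed 50% chance the threat materialises.
SPACELY_CHEAPER = ThreatModel("sprocket design", "rival sprocket maker",
                              loss_if_breached=4_000_000, likelihood=0.5,
                              defense_cost=500_000,
                              attacker_payoff=4_000_000, attacker_cost=4_500_000)

if __name__ == "__main__":
    print(SPACELY.verdict())
    print(SPACELY_CHEAPER.verdict())
```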

This article was updated on 2023-05-13 09:44:29

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.