Threat Models, We've Heard of Them

I’d argue that the first, and possibly second question to ask in a discussion of security is “What is the threat model?”.

The problem is that the question is so frequently ignored. I’ve seen that even with security professionals. For instance, on Hacker News people like me may get slagged off for running, say, de-Googled Android on old phones, when their threat model is surveillance capitalism, the Apple walled garden or, perhaps, the environmental and human exploitative threats of throw-away electronics, rather than malware exploits.It’s not as if you’re any better of with a new phone, vendor malware/spyware, and at best limited security updates.

There are other common cases.

Since you can’t have prefect security — it’s a question of trades-off for risk reduction — you can only be (more-or-less) secure against something specific, so you need to ask that first question. Then you can decide on a security model to implement to counter such threats.

The important thing is to think about it. Don’t simply parrot ‘best practice’ — that typically isn’t, at least in context — or rely on things like ‘complicance’/certification. Think about security like an attacker, not an auditor, and particularly don’t assume you’re smarter than them, which probably implies ‘defence in depth’. I’ve been convinced the average scal on the street outside would run rings around some academic ‘security officer’ types, in particular (and maybe me, no matter how long I lived the wrong side of the Toxteth sign, like).

Bootnote:See The Register.

“We’ve heard of it” was a sarcastic idiom of The Inquirer†.