Using bicycle theft as a case study, this post explains threat modelling by analysing attackers as user personas: the opportunist with no tools, the thief with basic hand tools, and the professional with power tools. Each persona calls for different countermeasures, and the key insight is that even an expensive lock cannot stop a determined professional with an angle grinder. The post then extends this reasoning to computing security, arguing that generic best-practice slogans like 'use a strong password' or 'back up your data' are often shallow and context-free. Building your own threat model, by systematically considering attacker types, their capabilities, and their motivations, leads to more robust and realistic security decisions than following pat advice.

11 min read, from calpaterson.com
Table of contents

A threat model, by user persona
Coming up with better advice based on Nigel, Rupert and Percy
The virtue of the "bicycle shaped object"
Lists of "best practices" vs having your own threat model
Some hints on coming up with your own threat model
Contact/etc
See also
