Threat Modeling for Privacy: The 30-Minute Self-Assessment in 2026

Before installing a single privacy tool, every privacy-conscious person should do a threat model — a structured exercise that defines: who you’re defending against, what you’re defending, and what they’d need to do to compromise you.

Most “privacy advice” online skips this step. The result: people install Mullvad VPN to defend against threats Mullvad doesn’t address, while ignoring threats that actually affect them. Or they over-engineer (“I need Tor!”) for threats that a simple browser change would handle.

Here’s the practical 30-minute self-assessment.

TL;DR

A useful threat model answers four questions:

  1. What am I protecting? (specific assets, not “my privacy”)
  2. Who am I protecting it from? (specific adversaries)
  3. What’s the likely consequence if I fail? (specific outcomes)
  4. What’s a reasonable effort to defend? (proportional to consequence)

Most users skip this and apply a one-size-fits-all approach. That’s why their tools don’t fit their actual threats.

The four core questions

Question 1: What am I protecting?

Be specific. “My privacy” isn’t useful. List actual things you want to protect:

  • My identity (real name, address, phone connections)
  • My finances (account balances, transaction history, investment positions)
  • My location (where I am, my movements)
  • My health information (conditions, prescriptions, medical history)
  • My relationships (who I talk to, when)
  • My beliefs / opinions (politics, religion, lifestyle)
  • My intimate content (photos, messages, sexual material)
  • My work product (business plans, code, trade secrets)
  • My communications content (what I say in messages)
  • My communications metadata (who I talk to, when)
  • My web browsing (what I read, watch, search)
  • My physical security (where I live, work)

You don’t protect all of these equally. Some matter more than others to you.

Exercise: List the top 5 things from this list that matter most to you. Be honest about which ones you actually care about.

Question 2: Who am I protecting it from?

Be specific about adversaries. Generic “the internet” isn’t useful.

Common adversaries and what they want:

| Adversary | What they want |
|---|---|
| Advertisers | Your browsing habits to target ads |
| Data brokers | Comprehensive personal profile to sell |
| Your ISP | Logs to monetize or comply with law |
| Social media platforms | Engagement data to optimize ads + power their algorithms |
| Hackers / cybercriminals | Credentials, financial info for theft |
| Employer / school | Activity on their network |
| Ex-partner / stalker | Personal info to find or harass you |
| Family member | Specific information they shouldn’t see |
| Your government | Compliance with their rules, possibly surveillance |
| Foreign government | Intelligence gathering |
| Court / civil litigation | Discovery / subpoena |

These have radically different capabilities and motivations. A defense against advertisers (a content blocker + tracker resistance) is useless against a determined ex-partner or stalker (who has direct access through different vectors).

Exercise: Pick the 1-3 adversaries most realistic for you. Most readers don’t need to worry about state-level surveillance; they should focus on the realistic threats.

Question 3: What’s the likely consequence if I fail?

This determines proportional response. Severe consequences justify expensive defenses.

Consequence severity:

| Severity | Examples |
|---|---|
| Annoying | Targeted ads, spam, slightly less convenient browsing |
| Embarrassing | Personal photos seen by wrong people, awkward social situations |
| Financially harmful | Identity theft, credit damage, account compromise |
| Career-threatening | Employer sees activity they shouldn’t, professional reputation damage |
| Relationship-damaging | Family discovers something specific, partner finds something private |
| Physically dangerous | Stalker finds you, harassment escalates to violence |
| Legally consequential | Criminal charges, civil litigation, custody issues |
| Existentially threatening | State-level adversary targeting, journalism source compromise |

For most people: the consequences are in the “Annoying” to “Financially harmful” range. Tools should match the threat. A YubiKey + password manager handles financial threats well; you don’t need Tor + Tails for “annoying.”

Question 4: What’s reasonable effort?

Defense in proportion to consequence.

For “annoying” consequences:
– Browser extension (ad blocker)
– Cookie management
– Privacy-respecting search engine

Effort: 5-10 minutes setup. No ongoing cost.

For “financially harmful”:
– Password manager
– Hardware 2FA (YubiKey)
– Separate email per service (email aliases)

Effort: 30-60 minutes setup. ~$100 for YubiKey. $20/year for password manager.

For “embarrassing”:
– Encrypted messaging (Signal)
– Private cloud storage for sensitive files
– Separate devices for sensitive contexts (work laptop vs personal)

Effort: 1-2 hours setup. ~$5-15/month for services.

For “career-threatening” or “relationship-damaging”:
– Stronger separation of identities (different emails, devices, browsers)
– Privacy-focused browser as daily driver
– Document threat scenarios explicitly

Effort: 2-4 hours setup. ~$10-30/month.

For “physically dangerous” (stalker, abuse):
– Specialized operational security
– Burner phones / numbers
– Address obfuscation services
– Specific software (Signal as default, Mullvad VPN)
– Professional advice (domestic violence advocacy organizations)

Effort: Substantial. May require lifestyle changes.

For “legally consequential”:
– Tor + Tails for specific activities
– End-to-end encrypted everything
– Separate hardware
– Legal counsel

Effort: Major. Professional guidance needed.

For “existentially threatening” (journalism, activism, dissidents):
– Full Tor / Tails setup
– Air-gapped systems
– Burner everything
– Professional security audit
– OpSec training

Effort: Major lifestyle commitment.

The 30-minute self-assessment

Time to do it:

Minutes 0-5: Identify your situation

Pick the category that best fits you:

  • Category A: General privacy-conscious user (most readers) — care about ads, basic identity protection
  • Category B: Professional whose work matters — career-sensitive activity, employer monitoring concerns
  • Category C: Someone with specific personal sensitivity — domestic violence, abusive partner, family conflict
  • Category D: Specific professional with elevated threat — journalist, activist, financial services
  • Category E: General concern but not specific high-stakes — privacy purist by philosophy

Minutes 5-10: Identify your top 3 assets

From the list above, pick your top 3 priorities. Write them down.

Minutes 10-15: Identify your most likely adversaries

From the adversary list, pick 1-3 most relevant.

Minutes 15-25: Map consequences

For each adversary × asset pair, what’s the realistic consequence?

Example:
– Adversary: Advertisers
– Asset: Web browsing
– Consequence: Annoying targeted ads, vague profile in their database

vs:
– Adversary: Ex-partner / stalker
– Asset: My location
– Consequence: Physical danger

These require dramatically different responses.

Minutes 25-30: Pick a starter privacy stack

Based on your top assets + adversaries + consequences:

Category A (general):
– Brave or Mullvad Browser
– Bitwarden + YubiKey
– Signal
– Privacy DNS (Cloudflare or Mullvad)

Total cost: ~$1/mo (Bitwarden Premium) + $100 one-time (YubiKey)

Category B (career-sensitive):
– Above + Mullvad VPN
– Email aliases (SimpleLogin or Hide My Email)
– Strict separation of work and personal accounts

Total cost: ~$10-15/mo

Category C (personal sensitivity):
– Above + specialized operational security
– Burner phone if applicable
– Trusted advocates / professionals

Total cost: Variable; situation-dependent

Category D (professional with elevated threat):
– Above + Tor for specific activities
– Separate device for sensitive work
– Operational security training

Total cost: $20-50/mo + hardware investments

Category E (purist by philosophy):
– Whatever you want; no specific threat justifies it

What threat modeling reveals

When you do this honestly, common realizations:

“I was overprotecting against ads while underprotecting against account compromise.”

Most people install ad blockers but never use a password manager + 2FA. The latter is more important.

“I worry about ISPs but my biggest threat is data breaches.”

Companies you give your email to get breached regularly. Email aliases would help more than a VPN for this.

“I was using Signal with my real phone number, defeating the purpose.”

Signal protects content, but if your phone number is in Signal’s database AND your phone number is on your bills and public records, your identity is still linked.

“I have Tor Browser but I sign into Gmail in it.”

Defeats the purpose. Tor anonymizes the connection; Google identifies you anyway.

When threat modeling changes things

Doing this honestly often:

  1. Reduces tool count. “I don’t need Mullvad if my threat is advertisers; Brave Shields handles it.”
  2. Identifies gaps. “I have a great VPN but no password manager. The latter matters more.”
  3. Justifies inconvenience. “Yes, the 2FA hardware key is annoying but the threat justifies it.”
  4. Stops paranoia spirals. “I’m not a journalist; I don’t need Tails.”
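
The gap and tool-count checks above can be run mechanically once the adversary × asset pairs are written down. The following Python is an added example, not part of the original article: the tier-to-defense mapping shortens the lists under Question 4, and the names `Threat`, `assess`, and the sample data are assumptions made for illustration.

```python
from typing import NamedTuple

# Severity order from the consequence table under Question 3, lowest first.
SEVERITY = ["annoying", "embarrassing", "financially harmful",
            "career-threatening", "relationship-damaging", "physically dangerous",
            "legally consequential", "existentially threatening"]

# Defenses per tier, shortened from the lists under Question 4 (labels are assumptions).
DEFENSES = {
    "annoying": ["ad blocker", "cookie management", "private search engine"],
    "embarrassing": ["Signal", "private cloud storage", "separate devices"],
    "financially harmful": ["password manager", "hardware 2FA", "email aliases"],
    "career-threatening": ["identity separation", "privacy browser"],
    "relationship-damaging": ["identity separation", "privacy browser"],
    "physically dangerous": ["burner phone", "address obfuscation", "Signal", "VPN"],
    "legally consequential": ["Tor + Tails", "separate hardware", "legal counsel"],
    "existentially threatening": ["Tor + Tails", "air-gapped systems", "security audit"],
}

class Threat(NamedTuple):
    adversary: str
    asset: str
    severity: str

def assess(threats, installed):
    """Compare installed tools against the defenses the threat model calls for."""
    if not threats:
        raise ValueError("a threat model needs at least one adversary/asset pair")
    for t in threats:
        if t.severity not in DEFENSES:
            raise ValueError(f"unknown severity: {t.severity!r}")
    ranked = sorted(threats, key=lambda t: SEVERITY.index(t.severity))
    worst = ranked[-1].severity
    # Union of defenses for the severities actually present, duplicates dropped.
    recommended = list(dict.fromkeys(d for t in ranked for d in DEFENSES[t.severity]))
    gaps = [d for d in recommended if d not in installed]
    # Over-engineered: a known tool listed only for tiers above the worst consequence.
    in_scope = {d for s in SEVERITY[:SEVERITY.index(worst) + 1] for d in DEFENSES[s]}
    known = {d for tier in DEFENSES.values() for d in tier}
    over = [tool for tool in installed if tool in known and tool not in in_scope]
    return {"worst": worst, "recommended": recommended,
            "gaps": gaps, "over_engineered": over}

# Constructed sample: VPN and Tor installed, but no password manager or 2FA.
SAMPLE_THREATS = [Threat("Advertisers", "web browsing", "annoying"),
                  Threat("Hackers", "finances", "financially harmful")]
SAMPLE_INSTALLED = ["ad blocker", "VPN", "Tor + Tails"]
if __name__ == "__main__":
    print(assess(SAMPLE_THREATS, SAMPLE_INSTALLED))
```
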

Adversarial considerations

Be honest about how good your adversary really is:

  • Advertisers have massive data + automated systems, but they don’t actively investigate individuals
  • Hackers generally exploit weak passwords and phishing rather than breaking encryption
  • Most government surveillance is broad data collection, not targeted investigation
  • A determined personal adversary (stalker, ex) may be motivated but technically unsophisticated
  • A determined state-level adversary has resources to break almost anything; defense is operational, not technical

Match defense to actual capability, not theoretical capability.

The “good enough” question

Perfect privacy is impossible. The question isn’t “am I private” but “am I private enough for my threat model.”

For most users, defending against:
– Mass surveillance: VPN + DoH covers most concerns
– Advertiser tracking: Privacy browser + content blocker
– Account compromise: Password manager + hardware 2FA
– Stalker/abuser: Operational separation + specific support

These cover 95% of realistic threats. Everything beyond is for specific high-stakes situations.

Common threat modeling mistakes

Mistake 1: Listing all possible threats instead of likely ones.

Trying to defend against everything = defending against nothing well.

Mistake 2: Assuming you need state-level protection.

You probably don’t. The vast majority of readers don’t.

Mistake 3: Conflating different threats.

Privacy from advertisers ≠ privacy from determined adversary. Different defenses required.

Mistake 4: Doing this once and never updating.

Threats change. Your life changes. Re-do this annually or after major life events (job change, relationship change, etc.).

Mistake 5: Treating threat modeling as a barrier to action.

The goal is to act effectively, not to find reasons to do nothing.

A worked example

Person: Sarah, 35, marketing manager, normal life situation, no specific adversaries

Top 3 assets:
1. Her finances (don’t want fraud)
2. Her browsing habits (don’t want ad creepiness)
3. Her relationships (don’t want family seeing private messages)

Adversaries:
1. Advertisers (always-on tracking)
2. Hackers (potential account compromise)
3. No specific personal adversaries

Consequence severity:
1. Financial: would be financially harmful but recoverable
2. Browsing: annoying ads
3. Family: relationship-damaging if exposed

Starter privacy stack:
– Brave browser with Shields on (handles ads, basic tracking)
– Bitwarden + YubiKey (handles financial + account threats)
– Signal for personal communications (handles family threats with friends/partner)
– Privacy DNS (Cloudflare 1.1.1.1 with DoH)

Total cost: ~$1/mo + $100 one-time YubiKey

This is appropriate for her threat model. Mullvad VPN, Tor Browser, Mullvad Mail, etc. would be over-engineering.

Disclosure

We have no affiliate relationships with threat modeling services or organizations. Tools mentioned (Brave, Bitwarden, Signal, etc.) have varying affiliate programs we sometimes use. See our affiliate disclosure.


Last updated 2026 Q2.
