A threat model is the foundation of every security decision. Without one, you are guessing — spending resources on threats that may not apply while ignoring the ones that will actually compromise you.
This worksheet provides a structured, fill-in-the-blank framework for building a personal or organizational threat model. For a walkthrough of the threat modeling process, see our guide to building a threat model. This worksheet is designed to be printed, filled in with a pen, and revisited quarterly.
How to use this document: Work through each section sequentially. Be honest about your assets, adversaries, and current protections. The gap analysis at the end will tell you exactly where to focus your efforts. An example entry is provided in each section to demonstrate the expected level of detail.
Section 1: Profile Definition
Before modeling threats, define who you are modeling for.
Subject: _______________________________________________ (Individual name, team name, or organization)
Date: _______________________________________________
Review cycle: ☐ Monthly ☐ Quarterly ☐ Semi-annually ☐ Annually
Profile type:
- ☐ Individual (personal privacy)
- ☐ Individual (professional / high-risk role)
- ☐ Small team (startup, activist group, newsroom)
- ☐ Organization (enterprise, NGO, government agency)
Jurisdiction(s): _______________________________________________ (Where you live, operate, or store data — affects legal threat landscape)
Industry / Context: _______________________________________________ (Journalism, finance, healthcare, activism, general consumer, etc.)
Section 2: Asset Inventory
List everything worth protecting. An asset is anything whose compromise would cause harm — financial, reputational, physical, or operational.
Digital Assets
| # | Asset | Description | Location | Sensitivity | Impact if Compromised |
|---|---|---|---|---|---|
| Example | Email archive | 10 years of personal and business email | Gmail (Google servers, USA) | High | Identity theft, business exposure, blackmail material |
| 1 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 2 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 3 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 4 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 5 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 6 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 7 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 8 | ☐ Low ☐ Med ☐ High ☐ Critical |
Common digital assets to consider:
- Email accounts (personal, business)
- Cloud storage (Google Drive, Dropbox, iCloud)
- Password manager vault
- Cryptocurrency wallets and seed phrases
- Source code repositories
- Customer/client databases
- Financial records and tax documents
- Medical records
- Private communications (messaging history)
- Social media accounts
- AI chat histories and prompts
- Professional credentials and certifications
Physical Assets
| # | Asset | Location | Sensitivity | Impact if Compromised |
|---|---|---|---|---|
| Example | Primary laptop (MacBook Pro) | Home office + travel | Critical | Contains SSH keys, browser sessions, password manager |
| 1 | | | ☐ Low ☐ Med ☐ High ☐ Critical | |
| 2 | | | ☐ Low ☐ Med ☐ High ☐ Critical | |
| 3 | | | ☐ Low ☐ Med ☐ High ☐ Critical | |
| 4 | | | ☐ Low ☐ Med ☐ High ☐ Critical | |
Identity and Reputation Assets
| # | Asset | Description | Impact if Compromised |
|---|---|---|---|
| Example | Professional reputation | Public-facing identity in industry | Career damage, loss of trust, business impact |
| 1 | | | |
| 2 | | | |
| 3 | | | |
Section 3: Adversary Identification
Identify who might want to compromise your assets. Be specific about capability and motivation.
Adversary Matrix
| # | Adversary | Motivation | Capability Level | Resources | Targeting | Likelihood |
|---|---|---|---|---|---|---|
| Example | Data broker industry | Monetize personal data | Medium | Automated scraping, purchase from providers | Bulk (untargeted) | High (ongoing) |
| 1 | ☐ Low ☐ Med ☐ High ☐ Nation-state | ☐ Targeted ☐ Bulk | ☐ Low ☐ Med ☐ High | |||
| 2 | ☐ Low ☐ Med ☐ High ☐ Nation-state | ☐ Targeted ☐ Bulk | ☐ Low ☐ Med ☐ High | |||
| 3 | ☐ Low ☐ Med ☐ High ☐ Nation-state | ☐ Targeted ☐ Bulk | ☐ Low ☐ Med ☐ High | |||
| 4 | ☐ Low ☐ Med ☐ High ☐ Nation-state | ☐ Targeted ☐ Bulk | ☐ Low ☐ Med ☐ High | |||
| 5 | ☐ Low ☐ Med ☐ High ☐ Nation-state | ☐ Targeted ☐ Bulk | ☐ Low ☐ Med ☐ High |
Common Adversary Reference
Use this table to identify which adversaries apply to your profile.
| Adversary Type | Motivation | Typical Capability | Relevant For |
|---|---|---|---|
| Opportunistic criminal | Financial gain | Low-Medium | Everyone |
| Organized cybercrime | Financial gain, ransomware | Medium-High | Businesses, high-net-worth individuals |
| Data brokers | Monetization | Medium (automated) | Everyone |
| Corporate competitor | Competitive intelligence | Medium | Businesses, startups |
| Disgruntled insider | Revenge, financial | Medium (elevated access) | Organizations |
| Abusive partner / stalker | Control, harassment | Low-Medium (but persistent) | Individuals |
| Hacktivist group | Ideological | Medium | Organizations with controversial operations |
| Journalist / researcher | Public interest | Low-Medium | Public figures, organizations |
| Law enforcement (domestic) | Criminal investigation | High (legal compulsion) | Context-dependent |
| Foreign intelligence service | Espionage, surveillance | Nation-state | Government, defense, critical infrastructure, journalists, activists |
| AI training pipeline | Model improvement | Automated (bulk) | All AI users — see how to protect data from AI training |
Section 4: Attack Surface Mapping
For each asset, identify the ways an adversary could compromise it.
Digital Attack Surface
| # | Asset (from Section 2) | Attack Vector | Adversary (from Section 3) | Complexity | Impact |
|---|---|---|---|---|---|
| Example | Email archive | Credential phishing → Gmail login | Organized crime | Low (social engineering) | Critical |
| Example | Email archive | Google compelled disclosure (subpoena/CLOUD Act) | Law enforcement | Low (legal process) | High |
| 1 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 2 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 3 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 4 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 5 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 6 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 7 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical | |||
| 8 | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High ☐ Critical |
Common Attack Vectors Reference
| Category | Attack Vector | Description |
|---|---|---|
| Credential | Phishing | Fake login pages, spear-phishing emails |
| Credential | Credential stuffing | Reusing leaked passwords from other breaches |
| Credential | SIM swapping | Porting phone number to intercept 2FA |
| Network | Man-in-the-middle | Intercepting unencrypted traffic (public Wi-Fi) |
| Network | DNS hijacking | Redirecting traffic via DNS manipulation |
| Endpoint | Malware / spyware | Compromising device via malicious software |
| Endpoint | Physical access | Theft or covert access to unlocked device |
| Social | Social engineering | Manipulating support staff, colleagues, or family |
| Social | Impersonation | Pretending to be the target to access accounts |
| Supply chain | Compromised dependency | Malicious update to trusted software or library |
| Legal | Compelled disclosure | Subpoena, court order, national security letter — consider sovereign cloud jurisdictional protections |
| Legal | CLOUD Act request | Cross-border data request to US providers |
| Data | AI training ingestion | Prompts or data used to train AI models |
| Data | Metadata analysis | Patterns from timestamps, locations, contact graphs |
| Data | Backup exposure | Unencrypted backups accessed by provider or attacker |
Physical Attack Surface
| # | Asset | Physical Access Point | Adversary | Mitigation in Place? |
|---|---|---|---|---|
| Example | Laptop | Hotel room, airport, coworking space | Opportunistic thief, targeted attacker | FileVault enabled, firmware password set |
| 1 | | | | Y/N: |
| 2 | | | | Y/N: |
| 3 | | | | Y/N: |
Section 5: Current Protections Assessment
Document what protections you already have in place. Be honest — overestimating your current security is the most common threat modeling error.
Authentication and Access Controls
| Protection | Status | Details |
|---|---|---|
| Password manager | ☐ Yes ☐ No ☐ Partial | Tool: ___ Unique passwords for all accounts? ☐ Y ☐ N |
| Two-factor authentication (2FA) | ☐ Yes ☐ No ☐ Partial | Method: ☐ SMS ☐ TOTP app ☐ Hardware key ☐ Passkey |
| Hardware security key (YubiKey, etc.) | ☐ Yes ☐ No | For which accounts? ___ |
| Biometric locks (devices) | ☐ Yes ☐ No | Devices: ___ |
| Account recovery options reviewed | ☐ Yes ☐ No | Recovery email/phone number secured? ☐ Y ☐ N |
Encryption
| Protection | Status | Details |
|---|---|---|
| Full-disk encryption | ☐ Yes ☐ No ☐ Partial | Tool: ___ (FileVault, BitLocker, LUKS) |
| Encrypted messaging | ☐ Yes ☐ No ☐ Partial | Tool: ___ (Signal, Threema, Wire) |
| Encrypted email | ☐ Yes ☐ No ☐ Partial | Tool: ___ (Proton Mail vs Gmail, PGP, S/MIME) |
| Encrypted cloud storage | ☐ Yes ☐ No ☐ Partial | Tool: ___ (Tresorit, Proton Drive, Cryptomator) — see our encrypt cloud storage guide |
| Encrypted backups | ☐ Yes ☐ No ☐ Partial | Tool: ___ Location: ___ |
| VPN usage | ☐ Yes ☐ No ☐ Partial | Provider: ___ Always-on? ☐ Y ☐ N |
Data Hygiene
| Protection | Status | Details |
|---|---|---|
| Regular account audit / deletion | ☐ Yes ☐ No | Frequency: ___ |
| Data broker opt-out | ☐ Yes ☐ No ☐ Partial | Services used: ___ |
| Social media privacy settings reviewed | ☐ Yes ☐ No | Last reviewed: ___ |
| AI tool privacy settings (training opt-out) | ☐ Yes ☐ No ☐ Partial | Tools covered: ___ |
| Browser privacy configuration | ☐ Yes ☐ No | Ad blocker: ☐ Y ☐ N Tracker blocking: ☐ Y ☐ N |
Operational Security
| Protection | Status | Details |
|---|---|---|
| Compartmentalization (separate identities) | ☐ Yes ☐ No | Personal vs. professional separation? ☐ Y ☐ N |
| Secure communication protocols with contacts | ☐ Yes ☐ No | Contacts using encrypted channels? ☐ Y ☐ N |
| Physical security awareness | ☐ Yes ☐ No | Screen privacy, device custody, clean desk? |
| Incident response plan | ☐ Yes ☐ No | What happens if a device is lost or an account is compromised? |
Section 6: Gap Analysis
Cross-reference your assets (Section 2), attack vectors (Section 4), and current protections (Section 5) to identify gaps.
Gap Identification Table
| # | Asset | Threat | Current Protection | Gap | Risk Level |
|---|---|---|---|---|---|
| Example | Email archive | Compelled disclosure via CLOUD Act | None (Gmail is US-hosted) | Email hosted in US jurisdiction; provider can be compelled to disclose | High |
| Example | AI chat history | Training data ingestion | Partial (opted out of ChatGPT training) | Claude, Gemini, and embedded AI tools not audited | Medium |
| 1 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 2 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 3 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 4 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 5 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 6 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 7 | ☐ Low ☐ Med ☐ High ☐ Critical | ||||
| 8 | ☐ Low ☐ Med ☐ High ☐ Critical |
Section 7: Priority Actions
Based on the gap analysis, create a prioritized action plan. Order by risk level (Critical first) and effort (quick wins first within each risk level).
Action Plan
| Priority | Gap (from Section 6) | Action | Effort | Cost | Deadline | Status |
|---|---|---|---|---|---|---|
| Example | Email in US jurisdiction | Migrate to Proton Mail (Swiss jurisdiction) | Medium (migration time) | $48/yr | 30 days | ☐ Not started |
| Example | No hardware 2FA | Purchase 2 YubiKeys, register on critical accounts | Low | $50-100 | 7 days | ☐ Not started |
| 1 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 2 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 3 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 4 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 5 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 6 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 7 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
| 8 | | | ☐ Low ☐ Med ☐ High | | | ☐ Not started ☐ In progress ☐ Done |
Quick Win Checklist
These actions take less than one hour each and immediately improve your security posture:
- Enable 2FA on your top 5 most critical accounts (email, bank, password manager, cloud storage, social media)
- Review and remove unnecessary account recovery options (old phone numbers, insecure recovery emails)
- Enable full-disk encryption on all devices (FileVault on Mac, BitLocker on Windows, LUKS on Linux)
- Install a hardware-key-compatible password manager if you do not already have one
- Opt out of AI training for all AI tools you use (ChatGPT, Claude, Gemini — check settings for each, or review our AI compliance checklist)
- Review app permissions on your phone and revoke unnecessary access
- Set up a separate browser profile for sensitive activities (banking, email, healthcare)
- Configure DNS-over-HTTPS (NextDNS, Cloudflare 1.1.1.1, or Quad9)
- Check haveibeenpwned.com for compromised credentials
- Remove your profile from at least 3 data broker sites
Section 8: Threat Model Summary
Fill in this summary after completing all sections. This is your reference document for security decisions.
Subject: _______________________________________________
Top 3 assets by sensitivity:
Most likely adversaries:
Highest-risk gaps:
Immediate actions (next 7 days):
Medium-term actions (next 30 days):
Next review date: _______________________________________________
Reviewed by: _______________________________________________
Threat Model Maintenance
A threat model is not a one-time exercise. Review and update it whenever one of the following triggers occurs:
| Trigger | Action |
|---|---|
| Scheduled review date arrives | Complete full worksheet again |
| You change jobs or roles | Reassess adversaries and assets |
| You move to a new jurisdiction | Reassess legal threats |
| A breach affects a service you use | Reassess that asset’s attack surface |
| You adopt a new AI tool or SaaS product | Add to asset inventory and assess |
| Your personal circumstances change (public profile, relationship, travel) | Reassess physical and social threats |
| A new regulation takes effect in your jurisdiction | Reassess compliance requirements |
This worksheet is maintained by Stealth Cloud. It is provided as a practical security planning tool. Threat modeling is context-dependent — a worksheet cannot replace professional security consultation for high-risk individuals or organizations.