What it is, why it matters, and how to do it without being a security expert.
This page is informational and runs entirely in your browser. No data is sent anywhere.
1) What is a threat model
A threat model is a simple description of what you are protecting, who or what you are protecting it from, and the smallest set of steps that measurably reduce the most important risks. It turns a vague feeling of worry into a concrete plan you can act on.
Plain-language version
Assets: the stuff that matters, such as accounts, devices, data, identity
Threats: how things could go wrong, such as phishing, theft, malware, account takeover, mistakes
Likelihood and impact: how likely it is and how bad it would be
Controls: one or two specific actions that reduce the risk
A tiny example
Asset: Primary email account
Threat: Phishing leading to account takeover
Likelihood: Medium, Impact: High
Controls: Turn on authenticator-app MFA, review forwarding rules monthly
2) Why do a threat model
Focus: helps you spend effort where it matters rather than on random tips
Clarity: turns security jargon into plain tasks with owners and due dates
Resilience: reduces the blast radius when something does go wrong
Accountability: creates a record you can share with family, a team, or leadership
3) When to do it
At project kickoff, before launching a new feature or workflow
After a major change such as new devices, travel, remote work, or a new vendor
After a security incident or near-miss
On a cadence such as once or twice per year
4) A quick workflow that works
List your top five assets: devices, accounts, or data that would truly hurt to lose
Pick one likely threat for each asset rather than listing every possibility
Rate likelihood and impact using Low, Medium, High, then multiply for a quick score
Choose one small fix that reduces risk right away, such as turning on MFA or enabling automatic backups
Assign an owner and a date: optional, but it turns ideas into action
Print or export to PDF and revisit after you complete the fixes
“I need to be technical.” You do not. Plain language and a small checklist are enough.
“It takes too long.” Ten focused minutes beats a hundred random tips.
“I must cover every threat.” You only need to address the most likely high-impact risks.
“Tools will solve it.” Tools help, but decisions about what to protect and why must come first.
6) What good output looks like
Three to ten entries, each with an asset, a threat, a likelihood, an impact, and one specific control
Short notes about owners and dates if you are working as a team or family
A one-page PDF you can print or share securely
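The scoring step of the workflow in section 4, checked against the output shape described in section 6, as an added example (not code from this page or its builder). The numeric values for Low, Medium and High, the tie-break on impact and all function names are assumptions; the sample entries are constructed, apart from the email one taken from the tiny example above.

```javascript
// Assumed numeric mapping for the Low/Medium/High scale (the page gives no numbers).
const LEVEL = new Map([["Low", 1], ["Medium", 2], ["High", 3]]);
const REQUIRED = ["asset", "threat", "likelihood", "impact", "control"];

// Return the problems found in one entry; an empty array means it is complete.
function validateEntry(entry) {
  const problems = [];
  for (const field of REQUIRED) {
    const value = entry[field];
    if (typeof value !== "string" || value.trim() === "") {
      problems.push(`missing ${field}`);
    } else if ((field === "likelihood" || field === "impact") && !LEVEL.has(value)) {
      problems.push(`${field} must be Low, Medium or High`);
    }
  }
  return problems;
}

// Quick score = likelihood x impact, from 1 (Low/Low) to 9 (High/High).
function score(entry) {
  return LEVEL.get(entry.likelihood) * LEVEL.get(entry.impact);
}

// Check the whole model, then rank it so the highest risk is worked on first.
// Equal scores are ordered by impact (an assumption added for this example).
function buildRegister(entries) {
  const errors = [];
  if (entries.length < 3 || entries.length > 10) {
    errors.push(`expected 3 to 10 entries, got ${entries.length}`);
  }
  entries.forEach((entry, i) =>
    validateEntry(entry).forEach((p) => errors.push(`entry ${i + 1}: ${p}`)));
  if (errors.length > 0) return { ok: false, errors, ranked: [] };
  const ranked = entries
    .map((entry) => ({ ...entry, score: score(entry) }))
    .sort((a, b) => b.score - a.score || LEVEL.get(b.impact) - LEVEL.get(a.impact));
  return { ok: true, errors, ranked };
}

// Constructed sample model; the email entry is the page's own tiny example.
const SAMPLE = [
  { asset: "Family photos", threat: "Accidental deletion", likelihood: "Medium", impact: "Medium", control: "Enable automatic backups" },
  { asset: "Social media account", threat: "Account takeover", likelihood: "High", impact: "Medium", control: "Turn on authenticator-app MFA" },
  { asset: "Primary email account", threat: "Phishing leading to account takeover", likelihood: "Medium", impact: "High", control: "Turn on authenticator-app MFA" },
  { asset: "Laptop", threat: "Theft", likelihood: "Low", impact: "High", control: "Turn on full-disk encryption" },
];

buildRegister(SAMPLE).ranked.forEach((e) => console.log(`${e.score}  ${e.asset}: ${e.control}`));
```

An entry with an empty control or a rating outside the three-level scale is reported by position instead of being scored, so an incomplete model never produces a ranking.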
7) Privacy and scope
Your model can be personal, family, or business scoped. If it includes sensitive details, store the file securely and avoid emailing it in plain text. The builder runs locally, so nothing is uploaded by default.
Legal Disclaimer: This guide and the accompanying tools are provided for educational purposes only and do not constitute legal or professional advice. CyberLife Coach is not liable for actions taken or outcomes arising from the use of this material. Use these resources only on systems and accounts you own or are authorized to manage, and always comply with applicable laws and organizational policies.