A project of the Integrity InstituteIn the security, privacy, and counter-abuse professions, the term threat modeling describes the process of identifying, assessing, and addressing potential threats to a system. This process starts by answering two questions: "how can our system be abused" and "who would want to abuse us in that way". Understanding the who is critical because different entities have wildly different levels of technical sophistication, adaptability, patience and resources to dedicate to their objective. For example:
- Considering the actor enables platforms to gauge the sufficiency of their mitigations by comparing the alignment of the strengths of their interventions with the strengths of the adversary. An intervention that leverages a pay-gate will not prove effective against an actor like a nation state with ample access to financial resources.
- The actor also largely informs whether or not state intervention may be advisable. Legislation or regulation targeted at large corporations is likely to see a high degree of compliance, whereas state interventions that target hostile foreign adversaries or unsuspecting individuals are less likely to be effective.
These are just two examples of how looking at abuse through the actor can be a powerful vantage point. As you look through each collection, note the similarities in mechanism, cause, and motivation in the harms that these actors are responsible for.