Who Are We Kidding with Attacker-Centered Threat Modeling?

I’ve spoken for over a decade against “think like an attacker” and the trap of starting to threat model with a list of attackers. And for my threat modeling book, I cataloged every serious grouping of attackers that I was able to find. And as I was reading “12 Ingenious iOS Screen Time Hacks,” I realized what they’re all missing: kids. Kids, apparently, are very clever about getting around Apple’s Screen Time. And in fact, it’s not just kids that are missing from the lists. Family members in general, and especially estranged or former partners are an important group of threat actors. And they’re a group who are intensely difficult to protect against. I’ve been talking about the issue of device management as a new subset of Elevation of Privilege since I read Thermostats, Locks and Lights: Digital Tools of Domestic Abuse in 2018.

System designers need to consider the ways attackers with some access can abuse that access. The problems are some of the most fascinating and tricky I’ve encountered. For example, if someone’s call history includes calls to a domestic violence hotline, that can trigger further abuse. Do you allow the call history to be edited? If someone is using private browsing mode to avoid showing history, do you create a visual difference? I’ve had advocates tell me that such differences can trigger abuse when people “are caught” “hiding” their browsing. The issues are simpler with kids, but I know of few parents who are happy with the tools they have. This trickiness is an opportunity for security designers to shine, and to make a real difference.

This yet is another way where starting from a list of attackers will lead you to miss important threats: things that impact your customers.

Previously: “Think Like an Attacker” is an opt-in mistake, Think Like An Attacker?, The Discipline of “think like an attacker”, Think Like An Attacker? Flip that advice! and Modeling Attackers and Their Motives.

“Kid laughing at your design” photo by Ben White, Unsplash.

1 Comment on "Who Are We Kidding with Attacker-Centered Threat Modeling?"


  1. Right, I have been trying to convince the UK Open Banking and OpenID Financial API teams to stop writing attack models to no avail. It seems them found some German professor who has sold them that this will be the best way to prevent attack. If some bank in the UK wants to allow you to put you money in one of their schemes, run away as far and as fast as you can.

Comments are closed.