Library · Jan 21, 2026 · 2 min read · Andrew Steven Pierce

Threat Modeling for Normal People (No Paranoia Required)

A 15-minute framework for choosing real privacy priorities.

Operational Privacy

You don't need to be famous to be a target, and you don't need paranoia to be prepared.

Threat modeling is just answering four questions clearly:

  • What am I protecting?
  • From whom?
  • How likely is it?
  • What's the simplest change that meaningfully reduces risk?

Here's a 15-minute framework that produces a real plan (and a "don't bother" list).

Step 1: Name what actually matters (3 minutes)

Write 3–5 things that would hurt if exposed or disrupted.

Examples:

  • Home address + daily routines
  • Kids' identities or school details
  • Business continuity (accounts, payments, access)
  • Reputation and ability to operate
  • Team safety

If you can't name it, you can't protect it.

Step 2: Identify likely adversaries (3 minutes)

Most people aren't dealing with spies. They're dealing with:

  • data brokers + aggregators
  • scammers and impersonators
  • opportunists who use public info for fraud
  • angry strangers, harassment, or pile-ons
  • "ordinary exposure" compounding over time

Threat modeling is about likelihood, not fantasy.

Step 3: Pick your top exposure channels (4 minutes)

Choose the top three ways those adversaries can reach you.

Common channels:

  • public records (property, business filings, court docs)
  • people-search sites and broker listings
  • overshared social profiles (network visibility, location, routines)
  • identifiers (email address, phone number, username) reused across too many services, which lets separate records be linked back to you

Step 4: Choose 3 high-leverage controls (4 minutes)

Now pick three actions that cost little and remove a lot.

Examples:

  • Use a dedicated business address for public filings (where appropriate)
  • Separate public and private contact channels
  • Opt out of the people-search and broker listings that rank highest for your name
  • Lock down public profiles and remove obvious leakage
  • Standardize "official channels" so impersonators stand out

Goal: reduction, not perfection.

Step 5: Make a "don't bother" list (1 minute)

Write what you're not doing. This prevents burnout.

Examples:

  • I won't chase every old forum post
  • I won't obsess over one-off leaks
  • I won't use illegal/gray tactics
  • I won't optimize for perfection at the cost of sanity

Your 15-minute output

You should end with:

  • 3 things you're protecting
  • 3 likely exposures
  • 3 actions you'll take this month
  • 3 things you'll ignore

Privacy doesn't need a bunker. It needs clarity.
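The five steps above can be run as a small prioritization exercise. The script below is an added example, not part of the original article: it scores each exposure channel by who uses it and what they can reach (likelihood × impact), ranks candidate controls by exposure removed per unit of effort, and emits the four lists the article asks for. The scoring rule, the 1–5 scales, and every asset, adversary, channel and control named in the sample data are constructed assumptions for illustration.

```python
"""Worked example of the 15-minute threat model as a small scoring script.

Constructed sample data, not the article's numbers: every asset, adversary,
channel and control below is illustrative. The scoring rule (exposure =
likelihood x impact, controls ranked by exposure removed per unit of effort)
is an assumption added here to make the four questions comparable.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # 1 (annoying) .. 5 (real harm) if exposed or disrupted


@dataclass(frozen=True)
class Adversary:
    name: str
    likelihood: float  # 0..1: chance this party acts against you this year
    wants: FrozenSet[str]  # asset names they would actually go after


@dataclass(frozen=True)
class Channel:
    name: str
    exposes: FrozenSet[str]  # asset names reachable through this channel
    used_by: FrozenSet[str]  # adversary names that really use it


@dataclass(frozen=True)
class Control:
    name: str
    effort: int  # 1 (an afternoon) .. 5 (weeks of work)
    closes: Dict[str, float]  # channel name -> fraction of its exposure removed


def channel_exposure(channel: Channel, adversaries: List[Adversary],
                     assets: List[Asset]) -> float:
    """Likelihood-weighted impact that adversaries can reach through one channel."""
    impact = {a.name: a.impact for a in assets}
    total = 0.0
    for adv in adversaries:
        if adv.name not in channel.used_by:
            continue  # an adversary who never uses this channel adds no risk here
        reachable = channel.exposes & adv.wants
        total += adv.likelihood * sum(impact[n] for n in reachable)
    return total


def control_value(control: Control, exposure: Dict[str, float]) -> float:
    """Total exposure removed; a control that closes nothing scores zero."""
    return sum(exposure.get(ch, 0.0) * frac for ch, frac in control.closes.items())


def build_plan(assets, adversaries, channels, controls, n: int = 3) -> dict:
    """Produce the four lists: what to protect, top exposures, actions, don't-bother."""
    exposure = {c.name: channel_exposure(c, adversaries, assets) for c in channels}

    def payoff(c: Control) -> float:
        return control_value(c, exposure) / c.effort

    ranked = sorted(controls, key=payoff, reverse=True)
    actions = [c for c in ranked[:n] if control_value(c, exposure) > 0]
    ignore = [c for c in ranked if c not in actions]
    return {
        "protecting": [a.name for a in sorted(assets, key=lambda a: -a.impact)[:n]],
        "exposures": sorted(exposure.items(), key=lambda kv: -kv[1])[:n],
        "actions": [(c.name, round(payoff(c), 3)) for c in actions],
        "ignore": [(c.name, "no measurable payoff" if control_value(c, exposure) == 0
                    else f"low payoff per unit of effort ({payoff(c):.2f})")
                   for c in ignore],
    }


# Constructed sample worksheet (hypothetical values, not from the article).
SAMPLE_ASSETS = [
    Asset("home_address_and_routines", 5),
    Asset("kids_school_details", 5),
    Asset("business_access", 4),
    Asset("reputation", 3),
]
SAMPLE_ADVERSARIES = [
    Adversary("data_brokers", 0.9, frozenset({"home_address_and_routines"})),
    Adversary("scammers", 0.6, frozenset({"business_access", "reputation"})),
    Adversary("harassers", 0.2, frozenset({"home_address_and_routines", "kids_school_details"})),
]
SAMPLE_CHANNELS = [
    Channel("public_records", frozenset({"home_address_and_routines", "business_access"}),
            frozenset({"data_brokers", "scammers"})),
    Channel("people_search", frozenset({"home_address_and_routines"}),
            frozenset({"data_brokers", "harassers", "scammers"})),
    Channel("social_profiles",
            frozenset({"home_address_and_routines", "kids_school_details", "reputation"}),
            frozenset({"harassers", "scammers"})),
    Channel("reused_identifiers", frozenset({"business_access"}), frozenset({"scammers"})),
]
SAMPLE_CONTROLS = [
    Control("business_address", 2, {"public_records": 0.7}),
    Control("broker_optouts", 1, {"people_search": 0.8}),
    Control("lock_profiles", 1, {"social_profiles": 0.6}),
    Control("separate_identifiers", 3, {"reused_identifiers": 0.9, "public_records": 0.1}),
    Control("scrub_old_forum_posts", 5, {"social_profiles": 0.05}),
    Control("bunker", 5, {}),  # closes nothing measurable: lands on the don't-bother list
]


def sample_plan() -> dict:
    return build_plan(SAMPLE_ASSETS, SAMPLE_ADVERSARIES, SAMPLE_CHANNELS, SAMPLE_CONTROLS)


if __name__ == "__main__":
    for section, items in sample_plan().items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

With these sample numbers the cheap broker opt-outs rank first, the business address second, and locking down profiles third, while chasing old forum posts and the "bunker" fall onto the don't-bother list with a stated reason. Changing one likelihood or effort value and re-running is the quickest way to see whether a control is on the plan because of evidence or because of a gut feeling.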

Educational only; not legal advice.