Threat modelling is an exercise in imagining how things could go wrong—how a third party could tamper with your data, impersonate you, or perform other undesirable actions. It's an approach used in information security to identify and remove weak points in a system before they can be exploited.
For your own safety online, it's important to assess the capabilities and sophistication of your theoretical adversary or adversaries. Are you concerned only with hackers that might collect your data as a side effect of a larger breach? Do you have reason to think that you might be targeted personally, i.e., as part of a program of harassment?
Some questions to ask yourself when considering your threat model:
- How many services do I use? For what purposes?
- What data or other resources do I have that would be valuable to an adversary?
- What organizations do I represent? Do these organizations hold data or other resources that could be targeted?
- Are there specific groups that might single out me, or an organization I represent, for harassment?
- What resources (time, money, social platform, technical sophistication) might be available to potential adversaries?
It's reasonable to ask why an assessment of possible threats is necessary for securing yourself online. Isn't it possible to follow security best practices that will protect you in all situations?
Unfortunately, when it comes to computer security, there is always a trade-off between convenience and protection. The more secure you need to be, the more knowledge and effort will be required to approach that level of protection. Guarding yourself against state actors or advanced persistent threats requires significant technical knowledge and resources, while protecting yourself against mass-targeted attacks is within the reach of the average computer user.