You cannot defend against everything, and trying to leaves you exhausted and no safer. Threat modeling, in the EFF’s framing, is just answering five plain questions about a specific story or beat — and then doing the few things the answers point to. It is a half-hour of thinking that prevents a lot of wasted worry.
The five questions
- What do you want to protect?Your sources’ identities, your unpublished material, your locations, your communications — name the specific assets, not “everything.”
- Who do you want to protect it from? A petty harasser, a corporate legal team, organized crime, and a state intelligence service call for very different responses. Be specific about your adversary.
- How bad is it if you fail? An embarrassing leak and a source going to prison are not the same stakes. The consequence sets how much effort is justified.
- How likely is it that you’ll need to protect it? Separate the dramatic-but-rare from the boring-but-common. For most reporters, phishing and account takeover are far likelier than mercenary spyware.
- How much trouble are you willing to go through?A plan you won’t actually follow protects no one. Pick measures you will keep up.
Turn answers into action
The point is to right-size your effort. A reporter facing harassment and account takeover should prioritize strong, phishing-resistant account protection and good backups. A reporter on a national-security beat who could plausibly be targeted by state-grade tools should add device hardening like Apple Lockdown Mode and stricter source-contact discipline. Same questions, different answers.
Revisit it
A threat model is a snapshot, not a one-time ritual. A new beat, a hostile legal threat, travel to a higher-risk place, or a sensitive new source all change the answers. Redo the five questions whenever the situation shifts — it takes minutes.
Build the plan with help
You do not have to do this alone. The free helplines in the sources below will work through a plan with you, and our digital security for journalists guide covers the hardening steps a model usually points to. If a model surfaces a real suspected compromise, move to checking the device carefully.
















