Resilience: Threat modeling
This is a more in-depth overview of the fourth step of a resilience framework proposed and described in the podast Building Up: Resilience by Kory and Kellan (K&K). This step is described in Episode 8: Threat Modeling. Please refer to this overview page for a summary of the overall resilience framework, and on this page you can see my more in-depth overview of the previous (third) step of the framework.
Just like the step previous step Consider your variables, this step (Threat modeling) influences how one emphasizes the various pillars in the Consider the pillars step, and is used to tackle the questions. This step is very related to the previous step about the variables, but here with an emphasis on the risk landscape. “How will climate change affect my area?”, “How is the political landscape?”, “How dependent is my region on energy / materials from other regions in the world?, etcetera.
Just like for the Consider your variables step, for this step it is also recommended to setup a spreadsheet or similar to go over various threats in a systematic way. A website called The Prepared is mentioned early on in the episode, and some of the things from a blog post on threat modeling from that page are mentioned in this episode.
The purpose of a threat model is to examine your preparedness by identifying assets, threats, defenses, and vulnerabilities. In short, the process answers the questions:
- “What am I preparing for?”
- “What do I have?”
- “How can I protect it?“ (also emphasized in the episode that it’s important to be aware of “How am I unable to protect it?”, i.e. to know what’s in one’s control)
- “What could go wrong?”
- “What am I missing, overlooking, or not seeing?”.
Note that having gone through the previous steps in the resilience framework is important for this threat modelng step. For example, each individual’s variables (see previous step) will very much influence this threat modeling step.
Some of the aspects / things one may have to include into one’s threat modeling:
- Climate change / natural disasters (e.g. heat waves, flooding)
- Utility failures (e.g. power outages, gas shortages, plumbing issues, municipal water failures, internet outage,
- Systemic issues (e.g. supply chain shortages, or a pandemic)
- Localized violence (e.g. civil unrest, mass shootings, riots, rates of local crime)
- Wars (e.g. civil wars, international wars, nuclear war)
- Terrorism (e.g. cyber attacks, bombings)
- Structural issues (e.g. building collapse, or building fire)
- Industrial accidents (e.g. gas leakages, hazardous waste leakages,)
- Government failure (e.g. collapse of government or power vacuums, loss of law and order,
- Individual issues (e.g. job loss)
- Economic problems (e.g. recession, depression, inflation)
For each identified possible threat, it is recommended to assess its with respect to the following criteria:
- Impact (prioritize higher over lower impact threats)
- Likelihood (prioritize the more likely threats over the less likely ones)
- Mitigation costs (reduce priority of a threat if the monetary cost for preparing for it is too high)
- Opportunity cost (a bit similar to mitigation cost, but more in terms of invested time; preparing for threat X means less time can be spend on threat Y; it can also be that threat X and threat Y require non-compatible measures). Addition by me: The opposite of opportunity cost is also something to keep in mind, i.e. synergy between the preparedness for different threats (thus put higher priority on those which provide synergy with others).
- Addition by me: Possibility to prepare for the threat (as in, prioritize the things that are in one’s control; note that this is similar to but not identical to mitigation cost, because a high mitigation cost may still mean it is possible to prepare, even though it is very expensive, while preparing for a world-ending meteor strike simply is not)
Below are a few example threats and a potential assessment of the criteria above.
- Example #1: Meteor strikes the Earth. High impact, low likelihood, not possible to prepare for.
- Example #2: Seasonal flue. Low impact, high likelihood, low mitigation cost, low opportuniy cost.
- Example #3: Epidemic. The impact, likelihood, mitigation and opporunity cost depend on your variables (as do most threats, to varying degrees), e.g. how prevalent infectious diseases are (affects likelihood), or your pre-existing health conditions (affects impact).
It’s mentioned that it can be overwhelming to try to figure out how to prioritize threats, because it’s often hard to know the likelihood and/or impact, and it may feel like there are too many things to consider, so it’s unclear where to even start. A few things are mentioned in the episode as a response to this:
- One way to alleviate this to some extent is to consider available tools and resources for figuring this out, e.g. risk landscape maps regarding various natural disasters are often available for different geographical locations.
- Another thing is to try to go back to the principles (see [Episode 3: Principles](https://shows.acast.com/building-up-resilience/episodes/episode-3-principles) for a reminder), where _Principle 3: Effort reminds us that resilience building is like moving a long a “resilience spectrum”. Everyone is already doing some form of threat modeling in their lives, so everyone is already “on this path” to at least some extent (e.g. bringing an umbrella if it seems rain is coming soon).
- Also, if it feels overwhelming to meticulously go over all threats and rank them, most people can probably already provide a top-5 list of threats, even without a comprehensive analysis. That could be a great starting point, and then to later work on from there (again, see Principle 3: Effort).
- Related to the previous item: Note that there is often a lot of overlap in terms of what it means to be resilient against a certain type of threat. So even if you “only” get prepared with respect your identified top-3 risks, it is likely that you become prepared for many others as a “free lunch” as well.
- Finally, note that depending on your desired outcome (see the first step, Establish your desired outcome), you may or may not be interested in doing a fully systemtic analysis of the threat landscape.
The final thing mentioned in the episode is the concept of a SWOT analysis, which considers the factors strengths, weaknesses, opportunities and threats. Such an analysis can be done e.g. one oneself (i.e. list various things in the four categories), to help guide how one prioritizes various threats.