Shostack + Friends Blog

 

Who Are 'We?' Power Centers in Threat Modeling

I had planned to start 2025 with a more positive note, but the loss of Amit Yoran, who was only a few years older than me, has hit me hard. I first met Amit at a Computers, Freedom and Privacy conference in the early 90s. He was in his West Point uniform, which was not typical for attendees of the conference. So I went over and struck up a conversation, and we continued over probably 30 years. I miss him. His memorial service will be on Jan 10, in Arlington, VA.

Which is relevant because last year, we lost another great one, and this post was planned to share my draft paper for the Festschrift in honor of Ross Anderson.

The paper is Who Are “We”? Power Centers in Threat Modeling, and the abstract reads: “I examine threat modeling techniques and questions of power dynamics in the systems in which they’re used. I compare techniques that can be used by system creators to those used by those who are not involved in creating the system. That second set of analysts might be scientists doing research, consumers comparing products, or those trying to analyze a new system being deployed by a government. Their access to information, skills and choices are different. I examine the impact of those differences on threat modeling methods.”

The paper is inspired not only by Ross and his work on power in security, but also by conversations, most importantly with Julia Slupska and Lorie Tanczer, who graciously spent an afternoon educating me about the challenges of threat modeling for intimate partner violence. Work by Becky Kazansky was also very influential to my thinking around these power centers.

I’m open to comments and feedback through Jan 10th, when I’ll need to finalize and submit.