
Threat Modeling Your Own Life: Applying STRIDE to Personal OPSEC and Estate Planning

June 12, 2026

Microsoft's STRIDE framework was built for application security. It works just as well on personal OPSEC and estate planning — spoofing your identity, tampering with beneficiary designations, denial of service on your own life. A walk-through.


A Security Framework, Pointed Sideways

If you've worked anywhere near application security in the last twenty years, you've probably been in a meeting where someone drew a box, drew an arrow, and started calling out STRIDE categories. STRIDE is Microsoft's threat modeling framework from the early 2000s. It's older than half the engineers using it. It's so deeply embedded in security culture that most teams who use it can't quite remember where it came from.

The acronym stands for six categories of threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The framework's pitch is that if you systematically walk through these six categories against each component of your system, you'll surface threats you'd otherwise miss.

This works. It's been validated by a generation of security engineers. What almost no one does is apply it to themselves.

Which is a shame, because the framework happens to be unusually well-suited to the threat modeling problem you actually face every day. Specifically: how could the structure of my digital life fail, and who would benefit from it failing? That's a threat model. The components are your accounts, devices, identity, and the people in your life. The attackers include criminals, but also include drift, decay, and your own future self.

Let's walk it through.

Spoofing: Who Can Pretend To Be You?

Spoofing is the threat of identity impersonation. In a corporate threat model, it's "can an attacker authenticate as a legitimate user?" In a personal threat model, it's "who could plausibly convince an institution they are me?"

The answers are uncomfortable. Your bank, your email provider, and your phone carrier have all set up systems that let somebody claim to be you, given some combination of personal information and a sufficiently sympathetic support agent. The combination that works varies by institution, but it's almost always less than you'd hope.

Specific spoofing risks worth listing on your personal threat model:

  • SIM swap. Someone convinces your carrier to port your phone number to their SIM. They now receive your SMS 2FA codes.
  • Recovery email takeover. Someone gets into the recovery email for your important accounts. They can now reset everything chained to it.
  • Death-window spoofing. After you die, before institutions know, someone with knowledge of your information impersonates you to drain accounts. (This is what the Greg Biffle case looked like.)
  • Voice impersonation. AI voice cloning is now consumer-grade. Phone-based authentication assumes a voice belongs to the person.

Mitigation: hardware-backed 2FA wherever possible, phone-carrier port-out PINs, recovery email hardening, and — critically — a plan that closes the death-window quickly.

Tampering: What Can Be Altered Without Your Knowledge?

Tampering is the threat of unauthorized modification. In corporate threat modeling, it's "can an attacker change data?" In personal threat modeling, it's "what records of mine could be altered without me noticing?"

Most people aren't watching most of their records most of the time. Your credit report. Your medical records. Your power-of-attorney filings. Your beneficiary designations on retirement accounts. These get changed by institutions, by mistakes, by mergers, by adversaries, and the change is usually invisible until you specifically look.

The single most consequential tampering threat in a personal threat model is beneficiary drift. Beneficiary designations on insurance policies, retirement accounts, and brokerage accounts often override what your will says. Someone who tampers with these — either intentionally or by neglecting to update them — can redirect substantial assets.

Mitigation: annual reviews of beneficiary designations, credit freezes, alerts on key accounts, and a written record of what "correct" looks like that your family can compare against.
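One way to run the annual review against that written record, shown as an added example rather than code from this post or any product. The account names, people, dates and the 365-day threshold are constructed sample values.

```python
from datetime import date

# Constructed sample: the written record of what "correct" looks like.
BASELINE = {
    "401k": {"primary": "Alex Doe", "contingent": "Sam Doe", "reviewed": date(2026, 1, 10)},
    "life_insurance": {"primary": "Alex Doe", "contingent": "Sam Doe", "reviewed": date(2024, 3, 2)},
    "brokerage": {"primary": "Alex Doe", "contingent": None, "reviewed": date(2025, 11, 5)},
}
# Constructed sample: what each institution currently shows on file.
ON_FILE = {
    "401k": {"primary": "Alex Doe", "contingent": "Sam Doe"},
    "life_insurance": {"primary": "Jordan Roe", "contingent": "Sam Doe"},
    "ira": {"primary": None, "contingent": None},
}


def audit(baseline, on_file, today, max_age_days=365):
    """Compare designations on file against the baseline; return findings."""
    findings = []
    for acct in sorted(set(baseline) | set(on_file)):
        want, have = baseline.get(acct), on_file.get(acct)
        if want is None:  # an account nobody wrote down cannot be checked
            findings.append((acct, "UNTRACKED", "not in the written record"))
            continue
        if have is None:  # no current statement, so drift cannot be ruled out
            findings.append((acct, "UNVERIFIED", "no statement to compare"))
        else:
            for role in ("primary", "contingent"):
                if want[role] != have[role]:
                    detail = f"{role}: expected {want[role]!r}, on file {have[role]!r}"
                    findings.append((acct, "DRIFT", detail))
        age = (today - want["reviewed"]).days
        if age > max_age_days:  # the annual review was missed
            findings.append((acct, "STALE", f"last reviewed {age} days ago"))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, ON_FILE, today=date(2026, 6, 12)):
        print(*finding, sep=" | ")
```
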

Repudiation: What Can You (or Others) Deny Doing?

Repudiation is the threat that someone takes an action and then plausibly denies they took it. In a corporate context, it shows up as audit logs, signed transactions, and non-repudiable receipts.

In a personal context, repudiation is what makes contested estates miserable. Did Dad sign this codicil? Did Mom intend to leave the house to the second spouse? Did the deceased grant Power of Attorney willingly, or were they pressured? Was that wire transfer the day before death authorized?

The defense against repudiation is documentation. Not because the documents themselves prevent disputes — they don't — but because they shift the burden of proof in a contested case. Notarized documents, witnessed signatures, video records of important conversations, paper trails of decisions.

This is the easiest STRIDE category to underinvest in until it matters, at which point investing in it is no longer possible.

Information Disclosure: What Leaks?

Information disclosure is the threat of unauthorized read access. In personal threat modeling, this is the category most people think of as "security" — the thing you're trying to prevent.

The categories of information that, in your personal life, must not leak:

  • Your passwords and authentication secrets
  • Your financial account details
  • Your medical history (especially anything insurance might use against you)
  • Personal information that enables spoofing (mother's maiden name, etc.)
  • Sensitive personal documents (wills, custody arrangements, prenups)

The categories that should leak under specific conditions:

  • Your account access, to family, on your death
  • Your medical history, to doctors you authorize
  • Your business records, to your successors

The two lists are in tension. Real personal security is about conditional disclosure: never to attackers, sometimes to specific people under specific circumstances. Most of the tools available to consumers (password managers, encrypted email) do an excellent job of the first half and a terrible job of the second.

This is exactly the gap a zero-knowledge deadman switch is designed to fill. Encrypted at rest, controlled by you while you're around, delivered to specific people when a specific trigger fires.

Denial of Service: What Stops Working?

Denial of service in a personal context isn't really about your own life going down (though it sometimes is). It's about your family's access to you going down. Or, more strangely, your access to your own digital life being denied.

Real scenarios:

  • Account locked out. You're traveling, you can't reach your 2FA device, the system won't let you in.
  • Service shutdown. The cloud provider you stored everything in goes out of business or shuts down your account.
  • Family lockout. You die, your spouse can't reach any of your accounts because the keys went with you.
  • Self-DoS. You set up security so paranoid that you can't operate your own life under stress (lost phone, illness, travel).

The last one is funnier than it sounds. People who treat personal security as a maximization problem regularly build systems that fail catastrophically the first time real life disrupts them.

Elevation of Privilege: What Lets Someone Become "More" Of You?

Elevation of privilege is the threat that an attacker who has some access gets more access than they should. In personal threat modeling, this is the chain-reaction problem.

The classic chain: phisher gets your email password. From there, they reset your bank login. From the bank, they push a transfer. From the email, they pivot to your other accounts — each of which thinks it can verify you via email. Each access point unlocks the next.

The single highest-priority privilege escalation to defend against in a personal threat model is your primary email account. We've written about this elsewhere on the blog — email is the root credential of your digital life. Compromise of email is privilege escalation to almost everything.

Mitigation: hardware 2FA on email. Recovery email also hardened. Email-account credentials never reused. Treat your primary email like infrastructure, because that's what it is.
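The chain reaction described above can be audited as a graph of recovery paths. This is an added example, not code from this post or any product; the account names and recovery rules are constructed sample data, and the "hardened" model assumes both mailboxes accept only a hardware key.

```python
"""Recovery-chain audit: which accounts fall if one asset is compromised?"""

# Constructed sample data. Each account lists its recovery paths; a path is the
# set of assets that, held together, are enough to reset or take over the account.
WEAK = {
    "primary_email": [{"recovery_email"}, {"phone_number"}],  # SMS reset allowed
    "recovery_email": [{"phone_number"}],
    "bank": [{"primary_email"}],
    "brokerage": [{"primary_email", "phone_number"}],  # email link plus SMS code
    "cloud_storage": [{"primary_email"}],
}
# Same estate after the mitigations above: both mailboxes need a hardware key.
HARDENED = dict(WEAK, primary_email=[{"hardware_key"}], recovery_email=[{"hardware_key"}])


def blast_radius(accounts, initially_held):
    """Return every account that becomes reachable from the held assets."""
    held = set(initially_held)
    changed = True
    while changed:  # fixed point: repeat until no further account falls
        changed = False
        for name, paths in accounts.items():
            if name not in held and any(path <= held for path in paths):
                held.add(name)
                changed = True
    return held - set(initially_held)


def rank_roots(accounts):
    """Rank each single asset by how many accounts it unlocks, worst first."""
    assets = set(accounts) | {a for paths in accounts.values() for p in paths for a in p}
    scores = {a: len(blast_radius(accounts, {a})) for a in assets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for label, model in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, rank_roots(model)[:3])
```

In the weak model the phone number, not the mailbox, turns out to be the real root credential, because an SMS reset path sits underneath the email account.
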

Now What

If you sat with this for thirty minutes and walked through each of the six categories for your own life, you'd find five to ten things you hadn't thought about that you should fix. Most of the fixes are individually small. Collectively, they meaningfully change what an attacker, a fraudster, or a confused family member can do to you or to your estate.

This is the part of security culture worth borrowing. Not the vocabulary. The habit of systematically asking adversarial questions about your own systems, and then doing something about the answers. STRIDE is a perfectly good framework for it. Use it on yourself.


Killswitch is built around the personal threat model this post lays out: zero-knowledge to defend information disclosure, conditional delivery to handle elevation-of-privilege, audit logs for repudiation. The same security vocabulary your team uses at work, applied to the part of life nobody else is defending.