Rethinking Threat Models for the Modern Age

Have you ever wondered if the person you put as an emergency contact will answer the call or respond in a timely manner? Would they listen to the voicemail that was left or assume it was spam?

A meme making its rounds on social media says otherwise: “When I have to fill out a form that asks for ‘who to call in the case of an emergency’… I always put ‘ambulance’ because no one in my family is going to answer a call from an unknown number.”

What begins as a lighthearted jab at modern communication habits quickly reveals a more troubling reality. The tethered leash of mobile communication leads many to enable “Do Not Disturb”.  Many ignore calls or send them to voicemail.  Another set rarely checks voicemails. The shift towards text-based communication has led to similar behaviors with text messages. 

This meme, in its humor, hints at a significant issue that software vendors and security professionals must grapple with —unintended consequences that result in legitimate threats.

The Shift in Communication Habits

There’s been an interesting shift in preferring asynchronous communication like text messaging. Whether it is driven from the significant increase in spam calls or the perception of multitasking and increased productivity, more often than not, calls will go directly to voicemail.  It also isn’t unusual for those voicemails to go unheard.

Anecdotally, I know people who leave their voicemail boxes full because they got so many spam calls they didn’t want to bother erasing them.  

Unintended Consequences in Application Use

The same is happening with text messages.  Alert fatigue is a concept where users ignore or disregard software notifications.  It’s basically what has happened with phone calls. People got tired of getting calls they didn’t want when they didn’t want them and now ignore it.

Now imagine this scenario playing out in an application designed for critical communication. Perhaps it’s an app that sends alerts to parents when their child’s school is in lockdown, or a healthcare app that delivers time-sensitive information. What happens when these calls or messages go unanswered? 

In the same vein, think about how these communication shifts affect user experience across various applications. In a world where people are less likely to answer a call, are your application’s alerts or notifications as effective as they should be? What if your app is designed with the assumption that users will pick up their phones when it rings, but the reality is that they don’t?

These are not just hypothetical situations. Real-world examples abound of missed emergency notifications or delays in critical communication due to unanticipated user behavior. The impact is clear: the consequences of these shifts in communication habits can undermine the very purpose of an application, leading to user frustration, decreased trust, and in some cases, real harm.

And the thing is, this is happening in text messaging as well.  How many text messages do you get from rewards cards or automated systems?  All of those membership forms that ask you whether it is okay to text start to add up.

Threat Modeling Beyond the Workflow

Traditional threat modeling focuses on identifying and mitigating risks within a defined workflow. This often includes threats like malicious attacks, unauthorized access, system failures, and other intentional activities. While these are crucial elements of any threat model, they are not the only threats that exist.

The problem arises when threat models are built solely around these traditional risks, ignoring the broader context in which the application operates. In doing so, they miss critical external factors—like the impact of spam calls, user behavior changes, and evolving societal expectations—that can introduce significant vulnerabilities.

Take, for example, a mobile app designed to send emergency alerts. If the threat model doesn’t consider the possibility that users might not answer unknown numbers, the app’s effectiveness is drastically reduced. Similarly, an application that assumes immediate user interaction might fail if it doesn’t account for the fact that many users are conditioned to avoid phone calls or automatically send to voicemail.

Expanding the Scope of Threat Models

So, how can we ensure that our threat models are comprehensive? The key is to expand our thinking beyond just what can go wrong within the workflow and to consider the broader ecosystem in which our applications live.

1. Integrating External Threats: A modern threat model must account for external factors that could impact the application’s functionality and effectiveness. This includes not only the technical risks but also the human factors that influence how the application will be used.
2. Proactive Design: Developers and security teams need to be proactive in designing systems that anticipate and mitigate these broader risks. This means thinking beyond traditional attack vectors and considering how changes in communication behavior, for example, could affect the application’s performance.
3. Collaboration with Behavioral Experts: Security is not just a technical issue; it’s also a behavioral one. Involving experts who understand user behavior and communication trends can provide valuable insights that help shape more robust threat models. By collaborating with behavioral scientists or communication experts, teams can better anticipate and address these less obvious threats.

Conclusion: Rethinking AppSec and Threat Models for the Modern Age

As technology continues to evolve, so too must our approaches to security. The meme about putting “ambulance” as an emergency contact serves as a humorous reminder that sometimes, the biggest threats aren’t the ones we expect. In today’s world, where communication habits have shifted and user behavior is constantly evolving, it’s crucial to rethink how we approach threat modeling.

If your current threat models focus solely on what can go wrong in the workflow, it’s time to expand your perspective. By considering the unintended consequences and external factors that influence how your application will be used, you can build more resilient, effective, and secure systems.

The meme about emergency contacts underscores an essential truth: security isn’t just about protecting against the obvious threats; it’s about anticipating the unexpected ones as well. As we continue to navigate the complexities of modern communication and technology, let’s ensure that our threat models are as comprehensive and forward-thinking as the applications we build.