Threat Me Right: A Human HARMS Threat Model for Technical Systems

Kieron Ivy Turk, Anna Talas, Alice Hutchings

TL;DR

This paper addresses the gap in threat modelling for interpersonal abuse within technology-enabled environments. It introduces HARMS, a human-centered threat model comprising Harassment, Access and Infiltration, Restrictions, Manipulation and Tampering, and Surveillance, to identify non-technical harms in shared devices. The authors apply HARMS to a smart speaker case study and compare it with STRIDE, showing how HARMS reveals threats omitted by traditional models and complements existing frameworks. The work argues for integrating HARMS into threat modelling to design safer IoT and domestic-use technologies and outlines future work on threat actors, environments, and intervention design. Practical impact includes better protection against technology-facilitated abuse in households and workplaces.

Abstract

Threat modelling is the process of identifying potential vulnerabilities in a system and prioritising them. Existing threat modelling tools focus primarily on technical systems and are not as well suited to interpersonal threats. In this paper, we discuss traditional threat modelling methods and their shortcomings, and propose a new threat modelling framework (HARMS) to identify non-technical and human factors harms. We also present a case study applying HARMS to IoT devices such as smart speakers with virtual assistants.

Paper Structure

This paper contains 36 sections, 2 tables.