Human-Centered Threat Modeling in Practice: Lessons, Challenges, and Paths Forward

Warda Usman, Yixin Zou, Daniel Zappala

TL;DR

This study investigates how researchers practice human-centered threat modeling (HCTM) by conducting 23 semi-structured interviews across academia, government, and industry. It reveals that HCTM is not a fixed protocol but a continuum of practices anchored in values such as care, autonomy, and social justice, with ongoing groundwork and participant-centered threat elicitation guiding study design. The findings highlight emotional and methodological challenges, recruitment difficulties, and structural barriers that impede translating insights into real-world impact, urging shared infrastructure, interdisciplinary collaboration, and longer-term engagement with industry, policy, and communities. The paper argues for a pluralistic methodological landscape and institutional changes to sustain HCTM work, including better pathways for translating research into policy and design, while acknowledging the political constraints shaping funding and publication norms.

Abstract

Human-centered threat modeling (HCTM) is an emerging area within security and privacy research that focuses on how people define and navigate threats in various social, cultural, and technological contexts. While researchers increasingly approach threat modeling from a human-centered perspective, little is known about how they prepare for and engage with HCTM in practice. In this work, we conduct 23 semi-structured interviews with researchers to examine the state of HCTM, including how researchers design studies, elicit threats, and navigate values, constraints, and long-term goals. We find that HCTM is not a prescriptive process but a set of evolving practices shaped by relationships with participants, disciplinary backgrounds, and institutional structures. Researchers approach threat modeling through sustained groundwork and participant-centered inquiry, guided by values such as care, justice, and autonomy. They also face challenges including emotional strain, ethical dilemmas, and structural barriers that complicate efforts to translate findings into real-world impact. We conclude by identifying opportunities to advance HCTM through shared infrastructure, broader recognition of diverse contributions, and stronger mechanisms for translating findings into policy, design, and societal change.

Paper Structure

This paper contains 51 sections, 1 table.