The Threat Model of an Average Knowledge Worker
Most knowledge workers do not have a coherent threat model. Here is what the actual threats look like in 2026 and what realistic defenses fit.
Most knowledge workers do not have a coherent threat model. They have a vague sense that “security matters” but no specific assessment of who might attack them, what attacks they could face, and what defenses fit those specific threats. The result is either no security investment (because the threats feel hypothetical) or misaligned investment (defending against threats that do not match the actual risk).
This post is the realistic threat model for the average knowledge worker in 2026 and what defenses actually fit.
Who the Attackers Actually Are
For an average knowledge worker, the realistic attacker base:
Mass-scale fraud operators. Large-scale operations sending millions of phishing emails, vendor impersonation attempts, and BEC campaigns. The attacker is not specifically targeting you; you are one of millions of recipients. The economics work because volume produces a small percentage of successful attacks, and the cost per send is approximately zero.
Opportunistic credential phishers. Operators who phish credentials and then explore what they captured. If your email credentials are captured, the attacker logs in and looks for valuable accounts to pivot to (banking, financial services, business accounts). The attacker did not pick you; you became valuable when your credentials were compromised.
Adjacent collateral from business attacks. When attackers target your employer, your customers, or your vendors, you can be caught up in the operation. The attacker is targeting the organization, but you are exposed because your email is connected to the organization’s threat surface.
Disgruntled individuals. A small subset of attacks come from specific individuals (former employees, ex-partners, competitors). These are targeted but not nation-state-sophisticated.
What the average knowledge worker is generally NOT facing:
Nation-state attackers. Unless you are specifically a target (journalist working on national security topics, activist in repressive regimes, defense contractor employee, government official), nation-state attacks are not your threat model.
Sophisticated targeted surveillance. Building defenses against TAO-level attackers is appropriate for specific targets; it is not appropriate for the average knowledge worker.
Advanced persistent threats with months of patience. APTs are the preserve of high-value targets. Most knowledge workers are not high-value enough to justify the operational cost.
The mismatch between perceived threats and actual threats is one of the largest sources of misaligned security investment.
What Attacks the Realistic Threats Actually Launch
Given the realistic attacker base, the attacks that actually happen:
Mass-volume phishing. Generic credential phishing, generic BEC, generic invoice fraud. Volume-driven with low percentage success rates. Mostly caught by native filtering and gateway products.
Targeted vendor wire fraud. Attacks engineered around specific vendor relationships. Each instance is targeted but the campaigns run at low scale. Defended primarily by procedural verification.
Credential phishing followed by pivot. Initial phishing of email credentials, then exploration of what the credentials unlock. Defended by hardware-key MFA on email and downstream account-recovery hardening.
Cold outreach volume. Not malicious but consumes attention. Defended by inbox-layer filtering and unsubscribe management.
Compromised-vendor secondary attacks. A vendor’s account gets compromised, and the compromised account is used to send fraud to the vendor’s customers (you). Hard to prevent at the recipient layer; primary defense is procedural verification of unusual requests.
These five categories cover the majority of actual attack volume against knowledge workers.
What Realistic Defenses Look Like
For the realistic threat model, the realistic defenses:
Hardware-key MFA on the primary email account. The single highest-impact technical control. Defeats credential-only attacks, which are the entry point for most cascading compromises. Cost: $50-70 for a YubiKey, one-time. Setup time: 30 minutes.
Inbox-layer filtering for volume reduction. Reduces the noise of cold outreach and mass impersonation campaigns. The cover charge gate makes mass-volume attacks uneconomical and improves the signal-to-noise ratio of accepted mail. Cost: $1.65/month for Rythm. Setup time: 12 minutes.
Awareness of canonical fraud patterns. Knowing what CEO impersonation, vendor wire-update fraud, and account-recovery phishing look like enables verification before acting. Cost: time to read this and similar content. Free.
Procedural verification for any unusual financial request. Verify by phone using a known number before acting on wire transfers, payment changes, or sensitive data requests. Cost: a few minutes per verification, only when triggered.
Password manager. Generates and stores unique passwords for every service. Reduces credential reuse across services. Cost: $30-60/year for a paid plan. Setup time: a few hours to migrate.
Cyber insurance with social-engineering coverage. Financial coverage for the residual risks the structural defenses do not catch. Cost: typically a few hundred dollars per year for personal coverage; included in many professional policies.
The total cost of the stack is roughly $20-40 per month for someone implementing it from scratch. The marginal cost is much lower if you already have email subscriptions and professional liability coverage.
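The "awareness of canonical fraud patterns" and "procedural verification" items above are procedural, but the triggers can be written down. The script below is an added example, not code from the original post or from Rythm: it checks an inbound message for the three patterns the post names (a trusted display name on an unfamiliar address, a Reply-To pointing at a different domain, wire or bank-detail change language, account-recovery language) and returns a list of reasons to pick up the phone and verify on a known number. It also covers the compromised-vendor case from the attack section, where the sender address is genuine and only the content is suspicious. The contact directory, keyword lists and sample messages are constructed for illustration; none are real addresses or real campaigns.

```python
"""Triage inbound mail for the canonical fraud patterns and decide whether
the request needs out-of-band verification before anyone acts on it.

Added example (not part of the original post or of any product it
describes). TRUSTED_CONTACTS, the keyword lists and SAMPLE_MESSAGES are
constructed for illustration.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed directory: display names an attacker might imitate, mapped to
# the addresses that person or vendor really sends from.
TRUSTED_CONTACTS = {
    "dana whitfield": {"dana.whitfield@example-corp.com"},      # the CEO
    "acme supplies billing": {"billing@acme-supplies.example"},  # a vendor
}

# Coarse phrase lists. The goal is to trigger a phone call on a known
# number, not to act as a spam filter, so false positives are cheap here.
WIRE_CHANGE_TERMS = ("new bank", "updated bank", "new account number",
                     "routing number", "wire", "change of payment",
                     "payment details")
ACCOUNT_RECOVERY_TERMS = ("verify your account", "reset your password",
                          "unusual sign-in", "confirm your identity",
                          "account will be suspended")
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential",
                 "before end of day")

FLAG_IMPERSONATION = "display name matches a trusted contact but the address does not"
FLAG_REPLY_TO = "reply-to domain differs from the sender domain"
FLAG_PAYMENT_CHANGE = "payment or bank-detail change requested"
FLAG_RECOVERY = "account-recovery language"
FLAG_URGENCY = "urgency pressure combined with another flag"


@dataclass
class Message:
    from_header: str
    reply_to: Optional[str]
    subject: str
    body: str


@dataclass
class Verdict:
    flags: List[str] = field(default_factory=list)

    @property
    def verify_out_of_band(self) -> bool:
        """Any flag means: stop, call a known number, then act."""
        return bool(self.flags)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(msg: Message) -> Verdict:
    verdict = Verdict()
    name, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    text = f"{msg.subject}\n{msg.body}".lower()

    # 1. CEO / vendor impersonation: a trusted name on an unknown address.
    known = TRUSTED_CONTACTS.get(name.strip().lower())
    if known is not None and addr not in known:
        verdict.flags.append(FLAG_IMPERSONATION)

    # 2. Replies routed away from the apparent sender's domain.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if _domain(reply_addr) != _domain(addr):
            verdict.flags.append(FLAG_REPLY_TO)

    # 3. Vendor wire-update / invoice fraud language. This fires even when
    #    the sender address is genuine (compromised vendor account).
    if any(term in text for term in WIRE_CHANGE_TERMS):
        verdict.flags.append(FLAG_PAYMENT_CHANGE)

    # 4. Account-recovery phishing language.
    if any(term in text for term in ACCOUNT_RECOVERY_TERMS):
        verdict.flags.append(FLAG_RECOVERY)

    # 5. Urgency on its own is normal business; it only counts as a
    #    pressure tactic when another flag is already present.
    if verdict.flags and any(term in text for term in URGENCY_TERMS):
        verdict.flags.append(FLAG_URGENCY)
    return verdict


# Constructed samples, one per pattern plus a benign control.
SAMPLE_MESSAGES: Dict[str, Message] = {
    "ceo_wire": Message(
        from_header="Dana Whitfield <dana.whitfield@gmail-mail.example>",
        reply_to=None,
        subject="Urgent wire before end of day",
        body="I need you to wire $48,500 to a new account number today. Keep this confidential.",
    ),
    "compromised_vendor": Message(
        from_header="Acme Supplies Billing <billing@acme-supplies.example>",
        reply_to="ar-dept@acme-supplies-billing.example",
        subject="Updated bank details for invoice 2291",
        body="Please note our updated bank details for all future payments.",
    ),
    "account_recovery": Message(
        from_header="Account Security <no-reply@mail-security.example>",
        reply_to=None,
        subject="Unusual sign-in detected",
        body="Verify your account within 24 hours or your account will be suspended.",
    ),
    "benign": Message(
        from_header="Dana Whitfield <dana.whitfield@example-corp.com>",
        reply_to=None,
        subject="Q3 planning deck",
        body="Attached is the draft deck for Thursday. Comments welcome.",
    ),
}


def triage_all() -> Dict[str, List[str]]:
    """Run every sample through triage; returns name -> list of flags."""
    return {name: triage(msg).flags for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        action = "VERIFY BY PHONE" if flags else "no action"
        print(f"{name:20s} {action:16s} {'; '.join(flags)}")
```

The point of the design is that the output is a verification trigger, not a block decision: a flagged message is still delivered, but the reader is told to confirm the request on a number they already have before moving money or entering credentials. The compromised-vendor sample shows why the content checks matter independently of sender checks, since the address there is the vendor's real one.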
What Defenses Are Misaligned
Specific defenses that are commonly purchased but do not match the realistic threat model:
Enterprise email security gateways. Designed for organizations with security teams. Not appropriate for individual knowledge workers.
APT-defense products. Designed for high-value targets facing nation-state threats. Overkill and expensive for average users.
Identity theft monitoring services. Catch some incidents after they happen. Marginal value compared to structural defenses that prevent incidents.
Full-scope security audits. Useful for organizations with regulatory obligations. Not necessary for individual knowledge workers without specific compliance requirements.
Constant security training. Reduces click-through but plateaus at 5-10%. Worth doing once or twice; not worth ongoing per-user investment for individuals.
The pattern: tools designed for higher-threat profiles than the average knowledge worker actually faces. Buying these tools wastes money and produces operational friction without proportional benefit.
How to Right-Size Your Defense
Practical approach:
Step one: identify your actual threat profile. Are you a journalist working on sensitive topics? An activist? A defense contractor? A government official? If yes, your threat model is different and you need stronger defenses. If no, you are an average knowledge worker.
Step two: implement the realistic stack. Hardware-key MFA, inbox-layer filtering, password manager, awareness, cyber insurance. Total cost roughly $20-40/month.
Step three: stop there. Resist the urge to add APT-level defenses you do not need. Resist the urge to buy enterprise products designed for organizations.
Step four: revisit when your situation changes. If you take a job that increases your threat profile (new prominent role, sensitive industry transition, public-figure status), reassess.
The structural insight: the right defenses are determined by the actual threats, not by the available products.
A Specific Honest Note
Most knowledge workers do not need APT-level defenses. The realistic threats are mass-scale fraud, opportunistic credential phishing, and volume of unsolicited mail. The realistic defenses are hardware-key MFA, structural inbox filtering, password management, and cyber insurance.
The combination is meaningfully effective, accessible to non-technical users, and costs roughly $20-40 per month. For most knowledge workers, this is the right stack.
Rythm is one component: the volume-reduction layer at the inbox. The other components are necessary too. The composed stack covers what any single tool cannot.
For the related guides, see the threat model of a journalist (forthcoming), the threat model of an activist (forthcoming), the threat model of an executive (forthcoming), MFA doesn’t stop phishing: here is what it does, and the best email security for solo professionals roundup. For the broader frame, see what is an email paywall and phishing awareness training: what it catches and what it misses. Rythm is $1.65 per month, cancel anytime.