The Problem
The canonical threat-modeling guides (STRIDE from Microsoft, the OWASP Threat Modeling Cheat Sheet, the various NIST publications) were written by and for organizations that face the full threat spectrum: nation-state adversaries, sophisticated criminal groups, hacktivist movements, supply-chain attackers with multi-year operational patience.
A regulated small-to-medium business in healthcare, legal services, or fintech doesn’t face that spectrum. It faces:
- Commodity criminal traffic. Credential stuffing, phishing, ransomware-as-a-service. By volume, 95% of what comes at any internet-exposed business.
- Regulator scrutiny. Not strictly an adversary, but the highest-impact “external party reviewing your security posture” event.
- Negligent insiders. Well-meaning employees doing the wrong thing. Far more common than malicious insiders.
- Opportunistic vulnerability scanning. Automated scans looking for unpatched CVEs and misconfigurations.
- Vendor security incidents. Third parties whose compromise becomes your compromise.
The mismatch between the canonical threat-modeling guidance and the actual SMB threat profile produces threat models that are either too theoretical (worried about adversaries that won’t show up) or too granular (cataloguing 60 attack vectors that all reduce to “patch your stuff and turn on MFA”).
The pragmatic threat model is one page, identifies the four or five threats that actually matter, and maps them to specific controls.
The Approach
STRIDE — the structure used by most threat modeling — has six categories. Three are high-priority for the SMB profile; three are lower-priority. Use STRIDE as the frame, but allocate modeling time according to that profile.
High-priority categories
Spoofing. Credential theft and identity impersonation. The SMB attacker’s #1 path. Credential stuffing against your login forms, phishing of employee credentials, business email compromise.
Mitigations that matter:
- MFA universal (no exceptions, no SMS fallback if avoidable)
- SSO across SaaS (one identity to revoke, not 40)
- Adaptive auth on the login form (rate limiting, anomaly detection)
- Phishing-resistant MFA (FIDO2 / passkeys) for privileged users
Tampering. Modification of data or configuration without authorization. For SMBs this maps almost entirely to “unauthorized changes to production infrastructure” rather than data tampering, because SMB applications usually have proper data-layer controls.
Mitigations that matter:
- Change control with auditable trail (every prod change tied to a PR or ticket)
- Immutable infrastructure where possible
- Drift detection on the security-relevant subset (see the drift detection guide)
- Backups that can’t be deleted by the same identities that can touch production (immutable backups)
Information disclosure. Unauthorized read access. For SMBs in regulated industries, this is the regulator-relevant category. HIPAA breaches, GDPR violations, breach-notification requirements all live here.
Mitigations that matter:
- Encryption at rest with customer-managed keys for the data that’s regulator-relevant
- Encryption in transit (TLS 1.2+ everywhere)
- Access logs on every data store touching regulated data
- Quarterly access review (who has access, do they still need it)
Lower-priority categories
Repudiation. Denial that an action took place. Less of an SMB concern; mostly applicable to financial-transaction systems. Standard mitigation is audit logging, which you already need for the higher-priority categories.
Denial of service. Resource exhaustion. SMBs are rarely the primary target for DDoS, but they’re often collateral damage from infrastructure that wasn’t built for elasticity. Cloud-native scaling plus a CDN with DDoS protection (Cloudflare, AWS Shield Standard) handles 95% of the SMB DoS risk surface.
Elevation of privilege. Gaining unauthorized higher access. Important, but mostly an output of the other categories. If spoofing is well-controlled, EoP rarely happens via remote attackers. The realistic SMB scenario is “an engineer’s laptop gets compromised, attacker pivots to cloud admin.” Defense is endpoint security plus workstation-to-cloud access proxies.
Where to Actually Spend Effort
For the regulated SMB, four areas absorb most of the security investment. In rough order of impact-per-dollar:
-
Identity hardening. MFA universal, SSO consolidation, FIDO2 for admins, regular access reviews. The single highest-ROI security work for any SMB.
-
Backup and recovery. Ransomware is the most likely catastrophic event. Immutable backups, restore drills, and a documented recovery posture turn ransomware from a business-ending event into a 48-hour outage.
-
Vendor trust chain. Your security floor is your suppliers’ security floor. A vendor breach (think: Snowflake credentials in 2024, MOVEit in 2023) becomes your breach if you used the vendor with sensitive data. Vendor security review at procurement; annual reattestation for material vendors.
-
Documentation hygiene. Regulators don’t audit your controls; they audit your documentation of your controls. Teams that lose HIPAA audits are rarely the ones without controls. They’re the ones that have controls but can’t show them in writing. Policies, procedures, runbooks, evidence pipelines — kept current.
The Template
The one-page threat model for an SMB system or feature looks like this. Fill it in for any new system before launch, and re-review annually.
System / feature: _____________________
Owner: _____________________
Data sensitivity: ☐ Regulated (PHI / PII / PCI) ☐ Confidential ☐ Internal ☐ Public
Spoofing threats
- Primary scenario: ______________________________
- Existing mitigation: ___________________________
- Residual risk (1-5): ____
Tampering threats
- Primary scenario: ______________________________
- Existing mitigation: ___________________________
- Residual risk (1-5): ____
Information disclosure threats
- Primary scenario: ______________________________
- Existing mitigation: ___________________________
- Residual risk (1-5): ____
Aggregate risk score: ____ / 15
Risk acceptance: Above 9 → don’t launch. 7-9 → launch with documented mitigation plan + 90-day review. Below 7 → launch.
Notes / open questions: _____________________
Sign-off: _____________________ Date: ___________
Three categories, one page, scored honestly. The model takes 30 minutes to fill in for a new system, surfaces the threats that matter, and gives leadership a defensible record of what was considered before launch.
What This Buys You
Two things.
First, the security program becomes legible. When a customer, an auditor, or a board member asks “how do you think about security?”, you have a structured answer that doesn’t hand-wave. The answer is “we threat-model every new system, here’s the template, here are the last six completed models.”
Second, the team stops doing security theater. No more two-hour threat-modeling sessions for a feature that ships in a week. No more 200-question threat assessments that nobody reads. One page, three categories, ship.
The first time the model surfaces a real risk, and it will, the model has paid for itself.