Threat Modeling – Start using evil personas

30 Nov, 2020

Agile teams often use personas to write more tailored user stories. So could you also use evil personas to describe malicious behavior?

Personas are “synthetic biographies of fictitious users of the future product” and “a powerful technique to describe the users and customers of a product in order to make the right product decisions”. The purpose of using personas is to “understand who the beneficiaries of the product are and what goals they pursue”.

In essence, personas help teams check whether the designed functionality actually fits what end users want. That makes them a powerful approach for identifying risks as well: introduce malicious users, or ‘evil personas’, and check what the same functionality lets them do.

Hackers also use your systems!

Evil personas are essentially normal personas with opposite goals. Where normal personas describe the intended use of your applications and systems, evil personas want to wreak havoc or steal your data. Evil personas describe the behavior you want to prevent.

In everyday language we would call all evil personas “hackers”. Hackers, however, come in different flavors, with different goals and ways of working. To properly identify and address risks, it is important to distinguish between these attacker types. Evil personas help teams quickly recognize the different attackers and their possible impact on the system, without everyone having to be a security specialist.

Before you start using evil personas, find out which attackers are actually relevant for your company. Security specialists can help identify the relevant attacks and fine-tune each persona’s motivation and resources. To create evil personas you use the same templates as for normal personas; there are all sorts, ranging from very basic to very fancy.

Evil persona examples

The following common evil personas can serve as a starting point for building your own:

Simon Scriptkiddie

Simon is just looking for 15 minutes of fame. Anything that gives at least the impression of a successful hack is interesting to him. Simon is not demanding: he uses whatever tools and tricks he can find on the internet.

Fred Fraudster

Fred is looking for ways to make money. Anything from free items to free subscriptions is interesting, as long as it can be sold for profit. Fred is usually part of an organized group and has decent resources in terms of time and money. Fred tries to keep a low profile so he can exploit the same flaw many times over.

Peter Phisher

Peter is only interested in the personal information of your customers; the more, the better. Bank account details, social security numbers, medical data, and copies of identity documents are the things he is after. Peter focuses on any way to extract and collect this information from your systems.

Carl Competitor

Carl is looking to get his hands on your intellectual property and your strategic plans. Carl plays a long game and takes his time to get into your organization by any means available, without being detected.

Sam State

Sam’s goal is to influence countries and companies. He is looking for ways to gather information that lets him do this over a longer period of time. His main worry is being detected, so he focuses on ways to stay under the radar.

These five examples are of course very high-level and very generic. To get the most out of evil personas you should create your own. Be creative and describe the behavior you actually worry about.

Embrace evil personas

Evil personas are all hackers, but their different goals introduce different security risks, and not every persona is equally relevant for your company. Ask your security or risk department how they view the different personas and how relevant they consider each one. Your security experts can also help fine-tune the personas with relevant attack scenarios to think about. Once you have your own set of evil personas, give them their own stories, written in the same form as your user stories but from the attacker’s point of view, for example: “As Fred Fraudster, I want to reuse a single discount code on every order, so that I can resell the goods at a profit.”

Prioritizing evil personas is part of a high-level risk assessment. Introducing evil personas into refinement sessions lets teams spot opportunities for malicious behavior and quickly identify and address flaws in the design.

Note: our friendly competitors at created a cyberpunk art image library to give your personas a real cool image. Check it out at their github repo: !

Dave van Stein
Process hacker, compliance archeologist and anthropologist, ivory tower basher, DepSevOcs pragmatist, mapping enthusiast, complexity reducer, intention sketcher. LEGO® SERIOUS PLAY® Facilitator.
