I can’t write a whole lot right now but your question is probably a bit too broad. Threat model needs to include the scope of what you’re protecting. For example, if you have some expensive heirloom watch, you might analyze how the threat changes if you’re home or wearing it out. Maybe lock your doors to your house is the first step. Second is keep it in a safe. Third is keep it in a larger safe bolted to the ground in a hidden area and make sure it can survive a fire and flood. Fourth might be buying an insurance policy in case something does happen. The model is continually evaluating risks vs mitigations to those risks.
From a digital perspective, you might consider how you get access to websites across the internet. Your email is a huge single point of failure. What if you lose access to your email? Because you forgot your password, or you were social engineered to click a bad link, or you shared the same password with another website that was compromised. Part of the challenge is having experienced or learned all the types of risks. And then the second half is understanding the mitigation options. For email, using a unique password and enabling 2-factor authentication (that is not SMS) mitigates a lot of possible threats, but not all.
You can learn quite a bit by just being familiar with types of scams and reading stories.
Cheers
I’m redoing everything I have from scratch. This week I have FreeIPA set up from OpenTofu + Ansible configs, and enrolls most of my other servers against FreeIPA. I am still migrating TrueNAS to use FreeIPA’s Kerberos Realm for auth, and I need to chown a lot of files for the new UIDs and GIDs homed in FreeIPA. After that, I’m setting up FreeRadius for auth to switches, APs, and Wifi. And then after that, I’m back to overhauling my k8s stack. I have Talos VMs running but didn’t finish patching in Cilium. And after the real fun begins.