Digital security in all its forms, whether focused on computer security, information security, or cyber security, has practices of modelling at its core. Over recent decades, the goals of security in a digital context have widened to cover not only the protection of data and computing resource but also the protection and enablement of people using technology. Alongside this, there has been a concomitant diversification of the types of modelling that are used in digital security. In recent years, modellers have faced significant epistemological challenges, with tensions between different interdisciplinary perspectives about what models and modelling ought to be, and difficulties adequately communicating the virtues of different kinds of models among modellers and stakeholders such as policymakers or users. In this paper, we present a framework grounded in philosophy and social theory for understanding the methodological diversity of security modelling today: the MORS grid. Using the MORS grid, modellers can locate their own work of modelling, and explore methodological variations and political implications. We argue that in a subject that is increasingly recognized as being composed of different disciplinary positions, such a grid not only enables modellers to locate their own approach but also to appreciate the modelling positions of others. The grid is composed of four simple binaries: whether the modeller is an expert or non-expert, whether the modelling enquiry is model-oriented or target-oriented, whether the referent object (what needs to be protected) is determined prior to or posterior to the task of modelling, and whether the analyst adopts the design stance or the intentional stance. The paper presents the MORS grid through three lines of thought: first, we unpack the theoretical basis for each distinction in existing literature in the philosophy of science, security studies, and philosophy of mind; second, we provide a historical review of security modelling, and examine which positions on the MORS grid have predominated, and why; third, we set out the implications for modellers, policymakers and other stakeholders.