Threat Modeling for Normal People

There's a concept called "Threat Modeling" that's used a lot in Information Technology (IT), but it's a useful thought exercise for day to day life, particularly when you think about computer security.

Here's the simple version: try to think about all of the different people who might try to come after you online. Think about how they might attack most effectively. Then, worry about those things. Stop worrying (or worry a lot less) about attacks that won't happen to you.

Why do this? Because your time and energy is limited, and a lot of the security advice that you'll see is targeted at people with a completely different threat model. A journalist has to talk to a lot of people, and makes a lot of enemies, but has to keep their sources safe. A soldier is a target because of who he is, but doesn't need to talk to strangers online. And so on. You don't have those problems, so products that are targeted at journalists or soldiers or freedom fighters are probably a bad fit for you and your life.

What does your home threat model look like? (Keep in mind that your work threat model WILL be different.)

Threats:

• Just by virtue of being able to afford a computer and an internet connection, you have some money or credit and resources. That means that there are thousands of scammers out there who would gladly take that from you, but it's not personal. Perhaps they'll appeal to your desire to do the right thing and pretend to be from the IRS or your bank. Perhaps they'll appeal to your technical ignorance by pretending to be from Microsoft or your ISP. Perhaps they'll appeal to your own hopes and greed by telling you that you've won the lottery or they're looking for an innocent stranger to help them transfer some money. While most people out there are probably good, they're not the ones who contact strangers out of the blue. When you get a call or a message from a stranger, it's probably a scam.
• You might also have an ex-wife/husband/employee/whatever who bears a particularly personal resentment, and you should think about how far they'd be willing to go to carry it out. Do they have time or money that they're willing to spend to make your life miserable?
• The people who we care about are also vulnerabilities. There's a common scam out there where people call old people and say, "Grandma? I'm in trouble and need money right away!" It's hard to identify voices on the phone, and before you know it, Grandma is wiring thousands of dollars to an account in the Cayman islands.

It's also worth thinking a little bit about the threats that you DON'T have:

• Unless you're famous or you work for the government (or work for a government contractor), you probably DON'T have to worry about foreign governments coming after you, personally.
• So long as you keep work and your personal life separate, any work threats probably won't follow you home.
• Your own government might be monitoring in some abstract way, but they're probably not targeting you specifically. 
• You probably don't have a wealthy or well-connected nemesis who can frame you for crimes or send agents into your home.
• You're probably not breaking the law in a big way. You probably don't need to worry too much about a burly guy with a baseball bat showing up at the door demanding money. You can call the police if you're the victim of a crime.

So, what does this tell you about where you're vulnerable?

• You have to worry about malware (viruses, ransomware, etc.) that you get from email or from browsing the web. That stuff's incredibly cheap and easy to send, so the scammers send it to everyone.
• ANY online account that you have is going to be attacked A LOT. You should just assume that, at some point, someone will succeed and break in to one of your accounts.
• If you DON'T have a crazy ex and you live by yourself (or with family you can trust implicitly) your desk at home is a pretty safe place. The locked drawer on your desk is even more safe. (Yes, a secret agent could pick that lock in seconds, but if you need to seriously worry about people breaking into your home and picking your desk lock, you have a different threat model.)
• Your cell phone number is pretty safe, but not perfectly safe. It's surprisingly easy to convince the phone company that you're somebody else, and you want to transfer your number.
• Things break and people lose things. At some point, your cell phone or your wallet is going to disappear.

So, what do you do about it?

• Anything that sounds too good to be true probably is, even if (or maybe especially if) you hear it from one of your friends. Pyramid schemes have been around for a long time, and they're not going away soon. If you win the lottery or owe money to the IRS, you're not going to hear about it in email or over the phone.
• You need a way to keep malware out of your computer. Some devices, like iPhones and Chromebooks, are built from the ground up to be pretty good at this. Everything else needs Antivirus (or better but more complicated solutions like application whitelisting or multiple accounts with different priviledges.)
• Use as much security as you can with your online accounts. You should use a different password for every service. Long passwords are good. Consider using a password manager like LastPass to generate and keep track of them all. If that's too complicated, write down all of your passwords in a notebook that you keep in a locked desk drawer. It's almost certainly more secure than re-using a weak password that's easy to remember. People used to recommend using easy-to-remember passwords and never writing them down. They were repeating the advice that was given to them as students (who usually don't have a physically secure place to store passwords). In other words, wrong threat model.
• If you don't have a secure place to store passwords (perhaps because your crazy ex knows how to break in to your house), think about storing your passwords on your locked phone.
• Use two-factor authentication or out-of-band authentication whenever possible. What's that? That's when, in addition to your password, you need to use a key or a code that you get from somewhere else. For example, when you log in to your bank's website, perhaps they'll send a code to your phone as a text message, and then the web site will ask you to enter that code. That proves that you have your phone. This isn't perfect, but it means that anyone who comes after you has to both get your password and steal your phone or phone number. Google Authenticator and Yubikey are even better solutions, though they're not as widely supported.
• Make backups. If you have a smartphone, use the built-in backup features to ensure that your data's safe even if the phone's lost. Every now and then, print off a paper copy of your contact list.
• Think about what you'd do if your cell phone or wallet was lost. Write down the contact information for your cell phone company along with your phone number, account number, and any security codes that they use and store that information somewhere safe. Do the same for each of the cards in your wallet.
• Use a passcode, or better yet, a password on your phone. That way, if someone finds it, they won't be able to read your email, and it will be harder to steal the phone to use for themselves.

When you hear about any product that claims to help your security, go through this process. What does the product help with? Is that a realistic problem for you? If not, don't bother. There are lots of things out there (like VPN software) that are great for some cases, but completely useless for most others. Don't make your life more complicated than necessary.