Your Threat Model
Security without a threat model is just anxiety with extra steps.
01 Security Is a Set of Tradeoffs
Perfect security exists: power off your devices, seal them in concrete, move to a cabin. Total availability also exists: no passwords, everything public. Real life is the negotiated space between, and threat modeling is how you negotiate deliberately instead of by vibes.
Security educators — the EFF's Surveillance Self-Defense guide is the classic — boil it down to five questions:
- What am I protecting? Money, email, photos, identity, location, reputation.
- Who am I protecting it from? Random criminals? A data-hungry advertiser? A specific hostile person?
- How likely is each threat? Credential-stuffing bots probe your accounts daily. Nation-state spyware, statistically, does not.
- How bad are the consequences if I fail? An owned Spotify account is annoying. An owned email account is a life event.
- How much trouble am I willing to take? Honestly. A defense you abandon in a week protects nothing.
Write your answers down — three assets, two realistic adversaries, one honest effort budget. Every later module in this track is a menu, and this page of answers is how you order from it. Without it, security advice is an infinite guilt-generating to-do list. With it, most of the list visibly doesn't apply to you, and what remains is doable.
02 You Are Not Fighting the NSA
Threats sort into two very different animals. Opportunistic attacks are automated and aimed at everyone: credential stuffing against leaked passwords, mass phishing, malware sweeps hunting unpatched machines, romance-scam scripts running in parallel across thousands of targets. The attacker doesn't know you exist; you're a row in a spreadsheet. Targeted attacks are aimed at you specifically, by someone willing to spend time on you — which is rare and expensive, so it requires a reason: money, obsession, or what you know.
Almost everyone's real adversary is the opportunist, and that's genuinely good news, because opportunists are lazy by economic necessity. Their business model is volume; anyone who costs extra effort gets skipped, because the next thousand targets are free. Unique passwords plus MFA plus updates makes you cost extra effort. You don't need an unpickable lock — you need to not be the easiest house on the street.
The failure mode to avoid is inverted effort: agonizing over exotic threats (is my microphone spying on me?) while reusing one password across forty accounts. That's installing laser tripwires while leaving the key under the mat. Match the defense to the adversary you actually have.
03 Assets and Blast Radius
Not all your accounts are equal, and treating them equally wastes your effort budget. Rank by blast radius — how much damage spreads outward when the thing falls.
The undisputed number one is your primary email account. It's not one asset; it's the skeleton key to all the others, because nearly every "forgot password" flow on Earth resolves to it. An attacker holding your inbox can reset your bank, your socials, your shopping accounts, and read years of correspondence to fuel further fraud. Whatever your best security is, your email gets it first.
Next tier: financial accounts (direct money), your phone number (SIM-swapped numbers intercept verification codes — this is why your carrier account PIN matters), and cloud storage (your documents, your photo history, often your location history). Then identity data — the SSN-birthday-address bundle that enables loans in your name — which is a special case: you can't rotate it like a password, so the defense is downstream monitoring and credit freezes, covered in module five.
Then there's everything else — the forum logins, the pizza app, the newsletter accounts. Their job is to fail quietly: unique passwords so a breach there stays there, and nothing sensitive stored in them. You genuinely don't need to lose sleep over tier three. That's the point of tiering.
04 When the Stakes Are Higher
Some situations genuinely do change the math, and pretending otherwise would be malpractice. If any of these fit you or someone you help protect, the standard playbook needs upgrades:
- Journalists and activists can face resourced, motivated adversaries — including, in serious cases, commercial spyware. The general playbook still applies but isn't sufficient; specialized resources exist (the EFF's Surveillance Self-Defense, Access Now's digital security helpline, Freedom of the Press Foundation guides) and are written exactly for this.
- Domestic abuse survivors face the hardest threat model in consumer security: an adversary who has had physical access to your devices, knows your mother's maiden name and first pet, and may have installed monitoring apps or shared-account access. Standard advice like "enable account recovery via trusted contact" can actively backfire here. Specialized help exists — in the US, the National Network to End Domestic Violence runs a Safety Net project on tech safety. Move carefully: visible security changes can escalate an abuser. Safety planning comes first.
- People with money visibly attached to their identity — crypto holders who post about it, executives with wire authority, seniors with retirement savings on file — attract targeted versions of normally opportunistic scams.
05 Pick Your Battles: The 20 Percent That Does 80 Percent
Here's the whole track in preview form — the short list that, for a normal person's threat model, delivers the overwhelming majority of available protection:
- A password manager generating a unique password for every account (module two).
- MFA on the accounts that matter, best-available flavor — passkeys or hardware keys where offered (module two).
- Automatic updates, everywhere — OS, browser, phone, router (module three).
- A hardened recovery path — your email locked tightest of all, recovery codes saved, carrier PIN set (module two).
- The verification reflex — unexpected request for money or codes means stop, and re-contact through a channel you chose (module five).
Notice what's absent. No burner phones. No exotic operating systems. No 40-step privacy regimen. Those tools exist and have real users with real threat models — but for beating opportunists, the boring five above are the payload, and everything else is garnish.
One more principle before you proceed: sustainable beats maximal. The perfect setup you abandon in three weeks loses to the decent setup you keep for a decade. Pick defenses that survive contact with your actual life — because security isn't an event you complete, it's a posture you maintain, and postures only hold if they're comfortable enough to live in.
⌘ Field Glossary
- Threat model
- A deliberate assessment of what you're protecting, from whom, how likely each threat is, and what failure costs — the filter that turns security advice into a short list.
- Opportunistic attack
- Automated, mass-scale attacks aimed at whoever is easiest — credential stuffing, mass phishing, malware sweeps. The realistic adversary for most people.
- Targeted attack
- An attack aimed at a specific person by an adversary willing to invest time and research. Rare and expensive, so it requires a motive: money, obsession, or access.
- Blast radius
- How far damage spreads when an account or device is compromised. Your email has the largest blast radius because password resets flow through it.
- Attack surface
- The sum of points where an attacker could get in: accounts, devices, apps, browser extensions, and habits. Smaller surface, fewer chances.
- Safety planning
- In high-risk situations like domestic abuse, sequencing security changes carefully — with specialist support — so that defensive moves don't trigger escalation.
Knowledge Check
Field Assessment
01 Why is 'beat the opportunists, not the NSA' sound strategy for most people?
02 Which asset should get your strongest protection first, and why?
03 Why does standard security advice need modification for domestic abuse survivors?