Now that we've explored how common traffic flows through the Internet and

the kinds of information attached to that traffic,

we can make some informed decisions about our online activity.

One way to establish some secure practices is to create what's called a threat model.

This is a defensive framework used by security professionals in many industries.

But don't let that intimidate you.

It's really just thinking through behaviors and

attitudes that you already do on a daily basis.

First, let's establish some threat model basics.

Creating a thought model is asking yourself a set of questions.

Who would be most likely to target me?

A repressive government, organized crime, corporations, my ex, my coworkers.

How much money, time, and

skill do they have to dedicate to target me, an important aspect of this activity.

What would they most likely want from me?

Money, incriminating information, access to trusted contacts.

How much effort am I willing to put into protecting it?

Is this worth the effort?

What would happen to me if they were successful?

It's all about being prepared.

Number 1 is about identifying the actors in the model.

Number 2 is about identifying the risks in the model.

Number 3 is about identifying the assets in the model.

Number 4 is about prioritizing your concerns with mitigations.

Number 5 is about planning for breach.

As I mentioned earlier, most of these really are questions you've

already asked yourself in some form or another.

This process is just collecting them together for risk analysis.

Consider when you leave your home in the morning to go to work or school.

Do you lock your door?

You've likely decided that the effort to lock the door is worth protecting the risk

for a burglary through the door.

You've identified the actors as burglar, but the front door provides

a vulnerability or risk that your valuable possessions are the assets.

You've established the lock as a risk mitigation strategy.

And you'll likely have an understanding that you can call the police

should you find out that you've been breached and had your things stolen.

An important aspect of this is to point out that there is no

one mitigation strategy that can protect against all risks.

You choose the ones that fit the task best.

For example, that lock on the door may keep out a casual burglar, but

not a dedicated one that chooses to break a window.

So now you add some bars on your windows.

Well locks and bars do nothing to protect those same assets against a fire.

Of course, the most convenient thing would be to not have to lock your door at all.

But as always, it's a trade off between security and convenience.

Your online security can gain a lot from the same threat model treatment.

And, in fact, you're already doing this as well.

The fact that you use a password to protect an account is a mitigation itself.

It's also pretty analogous to the door lock.

If you use the same key for your door as your dead bolt and

back door, you'll have to change every lock even if you lose one key.

By viewing your own online activity through the lens of a threat model,

you can really identify your own threats and

prioritize the effort you want to make to help protect yourself.

In the next stages, we'll dive deep into other actors and risks and

offer some solid mitigations so you're prepared.