Threat modeling [security.102.0]

by | Jul 15, 2022 | 1 comment

Welcome to the first lesson of Block 2! It’s an important one – we’ll look at an overview of the theory underlying information security and cover several additional ways to protect your data.

Risk and reward

In Block 1, you learned how 2FA, security keys, and a keen eye for URLs can keep you safe from bad guys. While phishing attacks are the most common threat you’ll face, they’re far from the only one. We can think about threats on two axes — severity and probability.

High-severity, frequent risks are the worst combination of these two factors. In those cases, one should actively do what they can to avoid those threats. For example, car accidents are very common and very severe. As a result, we wear seatbelts. The third important factor not on the chart is feasibility. Clicking in your seat belt is fast and easy, but most infosec risks aren’t this easy to solve.

It’s possible to use expensive hardware, specialist software, and complex operational procedures to try to avoid every form of surveillance on the planet. This is, of course, extremely difficult and expensive. Moreover, powerful attackers like three-letter agencies employ teams of specialists, empowered by the law to do just about anything they want — you can’t really compete with that as an individual.

Like many things, avoiding the watchful eye of cops or the feds is a spectrum. The effort of totally avoiding the feds is very high to the extent it’s possible at all, and most people simply have a very low probability of being targeted by the highest levels of three-letter agencies. As leftists, however, we’re at a higher risk of an attack than an average person might be from many groups that aren’t the highest levels of three letter agencies (I think you have more to worry about your local police than the NSA).

The balance between security, cost, and convenience is a recurring theme in this guide and all security conversations. Only you can decide what risks you are willing to take, and what risk mitigations are worth taking.

Luckily, there are several low-cost and low-effort changes we can make to protect ourselves against anyone. We’ll start Block 2 covering one of the key concepts behind all of these changes — encryption.

The above content is part of a course on If you login, you’ll see quizzes and links to other lessons in the course.