Froodl

Threat Modeling for Normal People

You do not need to defend against state actors. You need to defend against your own laziness.

Most security advice is calibrated for the wrong audience. Either it assumes you are a journalist working in an authoritarian country, or it assumes you are a corporate IT department. If you are neither, it leaves you over-paranoid and under-defended.

The honest threat model for the average internet user looks like this: a phishing email succeeds, a password gets reused on a site that gets breached, a phone gets stolen at a cafe. None of these involve sophisticated adversaries. All of them involve mundane carelessness.

The Four Things That Actually Matter

1. Use a password manager. Bitwarden, 1Password, take your pick. The single highest-leverage security investment you will ever make. Stop reusing passwords.

2. Turn on two-factor authentication on email. Your email is the recovery vector for almost everything else. If your email is compromised, everything else is too. App-based 2FA, not SMS.

3. Encrypt your phone's storage. It is on by default on modern iPhones and Android devices. Make sure it is on. Set a long passcode, not a 4-digit PIN.

4. Be skeptical of urgency. Almost every successful phishing attack relies on getting you to act quickly. The bank does not need you to verify your account in 30 seconds. Slow down.

That is most of it. The rest is detail.
