Will I even be hacked?

From the last section, you know that security is about protecting your data’s confidentiality, integrity, and availability.

But… do you even have anything worth securing?

[Image: A guard with an earpiece and dark sunglasses stands outside a heavy barbed wire fence. Within the fence is a jar of cookies. Caption: Is the stuff you have even worth securing?]

Each layer of security you use has different tradeoffs—and each layer usually makes it harder for you to get your data. After all, you could keep everything you own in a bank vault and it might theoretically be “safe”, but what’s the point? It’s incredibly inconvenient, and hackers don’t want your old cookie recipes.

Or do they?

The quick answer

Hackers want money. You’re probably a target: if you can make them money, they’ll target you.

We’ll dive into it, but that’s the short answer.

But that’s not the whole answer. You may be a target, but hackers aren’t focused on you specifically. They are professionals, and they need to make as much money as they can as quickly as they can. They probably aren’t interested in your cookie recipes (or even your sexy photos) directly—those don’t make them money quickly. They don’t have the time to waste on you individually.

Also, that focus on money is helpful to you in another way: it’s hard to lose money to online theft. Even if everything goes right for hackers, federal law (at least in the US) can often protect you—and you can get your money back.

There’s also a different sort of hacker: a targeted hacker.

If you have an abusive ex, if you are a political dissident, or if you are an important CEO, for example, you may need to think about someone targeting you directly.

We’ll investigate all of this below.

This is two questions in one

There are really two questions here:

  1. What do you want to protect, personally—regardless of external threat?
  2. What do hackers want to steal—regardless of how important that information is to you?

Your answer to the first question is entirely personal—based on what’s important to you—whereas the answer to the second is empirical. But both questions are important.

After all, protecting what’s important to you—in addition to what’s important to the hackers—can give you valuable peace of mind. Being safe is about feeling safe, too.

First, what do you want to protect?

First, spend some time understanding what’s important to you—what you want to protect.

I’ve found that most people worry about similar things (Wash, 2010; Oliver Lewis & Susannah Fox, 2001):

Security advice can be very abstract and hoity-toity. It’s hard to tell, when you read things like “how to choose a good password”, if the advice neglects protecting something important to you.

Think about what’s important to you, and what aspects of security you need for that stuff (from the CIA triad in the last section).

You may discover important stuff you didn’t protect, or you may realize that you were protecting some stuff the wrong way.

That’s more valuable than any generic security advice.

Second, what do hackers want to steal?

Now comes the second question. What do they want from you?

Most hackers want your money. They don’t care about your Netflix password, your home address, your phone number, or your family photos—unless those things can easily make them money.

Some hackers target specific people—abusive ex-boyfriends might stalk their partners, corrupt governments might track dissidents, or corporations might try to steal from competitors.

But that second group is much rarer—you probably know if you are at risk. Consider that the Pew Research Center found almost 100% of Americans have had an account breached (Olmstead & Smith, 2017), and nearly 1 in 2 Americans had their Social Security Numbers stolen in the 2017 Equifax data breach (“Equifax Data Breach Settlement,” 2019), but targeted attacks are rare enough that they often make the news.

Let’s investigate the first group of hackers first.

When you’re not targeted specifically, you’re targeted for money

The most common type of hacker (by volume) is looking for money—easy money.

Every year, Verizon publishes the Data Breach Investigations Report (DBIR), a report that examines tens of thousands of data breaches and incidents across companies around the world. And every year, it’s clear: almost all corporate data breaches are financially motivated.

Specifically, Verizon found (2018 Data Breach Investigations Report, 2018, p. 5):

The masked hackers targeting you want money, or information they can sell to make money. The hackers, as the DBIR puts it, hack for “money, loot, cash, filthy lucre, greed… get the idea?” They don’t care about your cookie recipes. They don’t care about your sensitive pictures. They don’t care about anything you care about… unless it can make them money. Quickly.

Hackers need easy money

This leads to a key insight about most hacking: hackers don’t want to invest time hacking you or monetizing your data.

In fact, they really can’t. Payoffs are low, so hackers have to steal a lot of data to make it worth their while. Cybercrime is, in some sense, a business; if it takes 15 minutes to steal a Netflix account that they can resell for $1 (Symantec, 2019, p. 56), it makes more sense to get a job at Taco Bell (though the wages at Taco Bell in some countries are much lower).

You can use this as a good rule of thumb: financial constraints explain most types of hacking. Just thinking about the attacks I’ve seen recently:

Stealing money isn’t as easy as it looks

And this is why the truth—that hackers target everyone—is far less scary than it could be. It’s really hard to steal money, even digitally.

US law limits your liability for digital fraud—to an absolute maximum of $50 in many cases—and most banks & credit cards will reimburse your losses completely in most cases. After all, crime is bad for business: the safer you feel, the more likely you are to give your money to them.

Banks lost over $38 million in 2011 to physical theft, but you didn’t hear about it—they wrote it off and paid you back (Bank Crime Statistics (BCS) 2011 Federally Insured Financial Institutions January 1, 2011 – December 31, 2011, 2012).

It’s the same for credit cards. Across several surveys, 80-88% of credit card fraud victims lost nothing at all, and 97% lost less than $1000 (Synovate, 2007, pp. 37-38; Harrell, 2019, p. 1; Harrell, 2021, p. 9). Surveys like this are notorious for exaggerating costs (Arief & Adzmi, 2015, p. 84; Anderson et al., 2013, p. 265), so these numbers are eye-opening.

It’s still possible to lose time and money resolving fraud—although 69% of folks who discovered fraud within 6 months spent less than 10 hours resolving it, many of the remaining cases took months to resolve, or more (Synovate, 2007, pp. 38-40; Harrell, 2021, p. 12).

But altogether, the system protects you. We know that hackers want money, and we’ve designed our laws to stop that.

If you know you are a target, things get hazy

All of this information centered around one assumption: you are not being targeted specifically. We talked about the first type of hackers—the ones who want your money—so let’s discuss the second type—the ones who target specific people.

Typical hackers just want your money, but a hacker with a grudge or a personal connection—a jealous ex, an angry boss, a distrustful parent, an oppressive regime you fight against, or even a friend playing a prank—has a different goal.

In this scenario you are a specific, isolated target. The hackers have the time to break in and they want to break in. These people may know your secrets, may have physical access to your devices, and may even know your passwords.

This is absolutely terrifying, and I will put it clearly:

How common is this? Unfortunately, there is very little aggregate data about this type of hacking. It’s not clear how often folks are targeted by a determined attacker (or even by friends who want to post embarrassing tweets on your account).

Cyber-stalking, for example

I investigated cyber-stalking as a stand-in for these types of attacks. From what I read, I am confident that cyber-stalking is very common in abusive relationships (Freed et al., 2018). There are many tools that make these attacks easy.

However, this data is preliminary (Logan, 2010) and is hard to generalize towards other attacks.

Targeted hacking is probably rare

In that case, why am I optimistic about security? Two reasons:

  1. Most people should never have to worry about something like this.
  2. I think the advice in this guide serves as a good baseline for protecting yourself against these threats.

Perhaps “milder” targeted attacks are common. For example, it’s easy to imagine an employer Facebook stalking you, or even some roommates guessing your password to send embarrassing texts to your crush. But I imagine that you are much less worried about these attacks than you are about losing your money.

If you do not know of anyone who would want to hurt you, you should not need to worry about targeted attacks. But if you do, or if you are concerned about these “milder” attacks, it is reasonable to take other precautions.

Summary

In short:

Also:

The data indicates straightforward ways to stay safe (some not related to cybersecurity at all!), but in order to understand why, you need to understand how you will be hacked.