This guide is different

There is already plenty of cybersecurity advice on the Internet, but this advice is different.

This guide aims to explain what security actually means. It aims to give you a coherent mental model of security on the Internet.

These security to-do lists are unsatisfying

With mild frustration, a person grasps a speech bubble containing a giant exclamation mark. Behind them float two other speech bubbles, one with three exclamation points and one with the words 'Top 10.'
These security to-do lists are unsatisfying.

If you’re reading this because you’ve found most security advice unsatisfying, then you’re in good company.

As one of my favorite security researchers, Cormac Herley, puts it: most security guidance is “crushingly complex security advice that promises little and delivers less”(So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, 2009)⁠. How? Cybersecurity advice often looks like this:

  1. Top 10 lists, with “quick tips” to make yourself safer—and each list is slightly different and never explains why their tips are the right ones to follow.
  2. Analyses of specific, interesting threats—which focus on hot new things and can miss more important, less newsworthy threats.

Advice like that simply gives you a bunch of homework. Lists like that don’t explain how likely any threats are, or how much damage these threats can do, or how they compare to other threats. They rarely consider the cost of prevention or the potential side effects of protecting against them.

They force you to do that.

Without context—without data—security advice is not science, it’s superstition! No wonder reading it feels so futile.

You shouldn’t have to learn about cybersecurity

Here’s the most annoying bit: as straightforwardly as I can put it, you’re probably already pretty safe today.

You’re protected by anti-fraud laws, by the hard work of engineers who think security should be automatic, and—to some unknown extent—by the random security advice you find on the Internet. If that weren’t true, you’d expect hacking to be a normal, everyday thing: you’d expect everyone to be frustrated about it (for example, as of this writing, everyone I know is bombarded with fake phone calls, and everyone’s complaining about it—that’s not happening with viruses).

So why learn about cybersecurity at all?

Besides, you don’t need a Ph.D. to keep your money safe at a bank. Why should you need one to keep your money safe online?

You should learn about cybersecurity because you want to understand. It’s the same reason you’d learn how an engine works: you can easily ask a mechanic for help when your car breaks, but it’s nice to understand the problem on your own.

Read this guide → get a good mental model

That’s why this guide is different.

It’s not a to-do list. It’s not a detailed look into extremely rare threats.

It’s an overview. It attempts to introduce you to cybersecurity in a concrete way, with evidence and proof that it covers everything. When something is unclear, we say it’s unclear.

But above all, this guide gives you the tools to understand security. In a way that works.

Cybersecurity educators often talk of mental models⁠(Wash, 2010; Mazurek et al., 2010)⁠: how you think of security in your own head. This guide aims to give you a “good” mental model of cybersecurity.

Because no matter little you “know” about cybersecurity, you still have a mental model for it. You use it to process those lists of cybersecurity advice and to understand those in-depth news reports about security breaches. You use your mental model to know what is safe and what to fear.

With a good model, you can separate reasonable fears from irrational ones.

If my guide cannot help you make a prediction—like how safe it is to download an app on public Wi-Fi—please let me know (with the survey at the bottom of every page), and I will improve it.

With that, a warning:

A warning

This content is targeted at most Internet users—people who bank & shop & use Facebook online.

If you fear censorship or your life may be at risk if you are hacked, it is reasonable to take other precautions.

Also, this content is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with this content or the use or other dealings in this content.

The caveat at the beginning

The warning above appears at the bottom of every page on this site. I am not a security professional; I am someone who studied the Internet and knows how the pieces fit together.

The Internet is dangerous, and it is foolish to advise otherwise, but the Internet is dangerous only in specific, well-understood ways. This guide aims to help you understand those ways.

At the very least, this guide will show you how security on the Internet works. Let’s begin!