How to stay safe

It’s clear from the main guide that hackers target everyone who can make them money. It’s also clear that we don’t have a good overall view of all the ways they target us.

That being said, you are not powerless.

We might not know have a complete list of threats, but we know a lot about the big ones. Despite the holes in our data, it is still possible to find good (if incomplete) security advice⁠(Landwehr, 2012, p. 4)⁠.

Here’s some advice—advice to take and advice to avoid—that I’ve found while researching this guide.

Rules for good advice

There’s lots of security advice out there, so before piling on more, I want to offer some tips for reading it.

The easiest thing to do? Look for scientific advice—advice with clear context, measurements, and expected impact. Most security advice offers none of that⁠(Herley, 2014, sec. 2.2; Wash, 2010, p. 12; Herley, 2009; Florêncio & Herley, 2010)⁠, even if it’s written with the same authoritative “scientific tone.”

I’ve found a few easy indicators of good, scientific advice:

• Good advice will focus on outcomes. What does this advice protect you against? How much protection does it give you?

• Good advice will state its assumptions. Does this advice protect the things you care about? Does it expect your attackers can’t harass you in person?

• Good advice won’t claim to be complete (or it won’t claim that it’s all necessary). Would you wear a bullet-proof vest to work? It might make your defense against bullets more complete, but I doubt you find that necessary.

The advice here tries to do all these things. It tries to focus on outcomes and state its assumptions, and it’s certainly not complete. But hopefully, you find it helps anyway.

Advice to take

1. Turn on two-factor authentication on your key accounts (at least on your email and financial accounts)—it’s way more important than a good password.
2. Freeze your credit at the 3 largest credit bureaus.
3. Pay for and use automatic backup software.
4. Turn on automatic updates on your devices.

Advice to avoid

1. Don’t worry about password strength that much.
2. Don’t pay money for antivirus software.
3. Don’t use or pay money for a VPN.

What?!

Some of this advice directly contradicts what you may have heard before.

Security advice is hard to give. A lot of it comes from honest guesswork (and other, less honest places, too), but very little comes from real data. Most recommendations are untested theory at best—and random guesses at worst⁠(Herley & Oorschot, 2017; Florêncio & Herley, 2010)⁠. And, since the advice generally comes from theory or guesswork, not data, it’s hard (if not impossible⁠(Herley, 2016)⁠) to know what advice is useful.

How could you verify that, say, keeping your computer up-to-date is protecting you?

So our advice creeps up—and then lingers. Without data about outcomes (how does a recommendation make things better or worse?) or assumptions (who does this recommendation help?), you can only filter all that advice by what you already know. That’s why the main guide focuses on higher-level questions, instead of the threats themselves. That high level helps you triage threats.

Advice that’s really a guess can hurt people

Security advice without data is just a guess—and guesses can easily be wrong or miss important threats.

For example, Speak Up & Stay Safe(r), a guide written by actual victims of online abuse, includes “Remove potential doxxing information” as its 3rd-most-important step⁠(Friedman et al., 2015)⁠. Doxxing is a real, physical threat—people have died because of doxxing and swatting⁠(“Swatting,” 2022; “Doxing,” 2022)⁠.

I have never seen this advice anywhere else. If a harassment victim didn’t know about the Speak Up guide specifically, they might never think to protect against this tangible threat. And they’d never know they were missing that advice—because the easy-to-find guides don’t acknowledge that they’re just guesses.

Security advice may be bad, but it’s not a lie

But that doesn’t mean security advice is useless.

Even without complete data, you can probably make pretty good guesses about your biggest security threats. After all, you probably don’t need data to wear a seat belt. Similarly, sometimes the experts are right, too (but a seat belt salesperson should probably offer some data). Guesses—from novices or experts—will definitely miss things, and guesses will definitely get things wrong.

But when you hear some new advice, thinking about what would make it scientific can help:

• What outcomes might it have? How common are those outcomes?
• What does it assume about you and your threats?
• What’s it missing, or why does it claim to be complete?

Even the most crazy guess can have truth in it, somewhere. From my atypical advice to a top 10 list on Buzzfeed.

You can find value in most advice, anywhere. But you’ll have to determine its value on your own. Hope this helps.