There are always too many people to thank, and I will certainly miss some.

Thank you Mom, Yennie Jun, Sophie Rooks, Michael Whitesides, and everyone else who listened to me ramble about security.

Special thanks to Cormac Herley and Deepak Kumar for answering my many questions. All wisdom is theirs, all inaccuracies are mine alone.

Complete references & bibliography

  1. Yudkowsky, E. S. (2005). A Technical Explanation of Technical Explanation. Rational.

  2. Herley, C. (2009). So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. 12.

  3. Pollard, B. (2018). What does the Green Padlock Really Mean? TuneTheWeb.

  4. Hammond, S. (2021). Bruce Schneier: We Are Asking the Wrong Cybersecurity Questions | CDOTrends.

  5. Mazurek, M. L., Arsenault, J. P., Bresee, J., Gupta, N., Ion, I., Johns, C., Lee, D., Liang, Y., Olsen, J., Salmon, B., & others. (2010). Access control for home data sharing: Attitudes, needs and practices. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 645–654.

  6. Mark Dowd, John McDonald, & Justin Schuh. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (1st edition, Vol. 1). Addison-Wesley Professional.

  7. Information security. (2022). In Wikipedia.

  8. Wash, R. (2010). Folk models of home computer security. Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS ’10, 1.

  9. Oliver Lewis, & Susannah Fox. (2001). Fear of Online Crime. Pew Research Center.

  10. Verizon Enterprise. (2018). 2018 Data Breach Investigations Report (No.11; Number 11).

  11. Symantec. (2019). Internet Security Threat Report (No.24; Number 24).

  12. Olmstead, K., & Smith, A. (2017). Americans and Cybersecurity. Pew Research Center, 26(311), 43.

  13. Equifax Data Breach Settlement. (2019). In Federal Trade Commission.

  14. Rob Thomas, & Jerry Martin. (2006). The Underground Economy: Priceless. ;Login: 31(6).

  15. Florencio, D., & Herley, C. (2012). Is Everything We Know About Password-Stealing Wrong? IEEE Security & Privacy Magazine.

  16. Troy Hunt. Have I Been Pwned: Check if your email has been compromised in a data breach. Retrieved May 25, 2020, from

  17. Synovate. (2007). Federal Trade Commission – 2006 Identity Theft Survey Report.

  18. Harrell, E. (2019). Victims of Identity Theft, 2016 (p. 29). Bureau of Justice Statistics.

  19. Harrell, E. (2021). Victims of Identity Theft, 2018 (NCJ 256085; Number NCJ 256085). Bureau of Justice Statistics.

  20. Bank Crime Statistics (BCS) 2011 Federally Insured Financial Institutions January 1, 2011 – December 31, 2011. (2012). [Page]. Federal Bureau of Investigation.

  21. Freed, D., Palmer, J., Minchala, D., Levy, K., Ristenpart, T., & Dell, N. (2018). “A Stalker’s Paradise”: How Intimate Partner Abusers Exploit Technology. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18, 1–13.

  22. Logan, T. K. (2010). Research on partner stalking: Putting the pieces together. Lexington, KY: University of Kentucky, Department of Behavioral Science & Center on Drug and Alcohol Research.

  23. Arief, B., & Adzmi, M. A. B. (2015). Understanding cybercrime from its stakeholders’ perspectives: Part 2 – defenders and victims. IEEE Security & Privacy, 13(2), 84–88.

  24. Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the Cost of Cybercrime. In R. Böhme (Ed.), The Economics of Information Security and Privacy (pp. 265–300). Springer Berlin Heidelberg.

  25. Actions. Retrieved July 4, 2019, from

  26. Norman, D. A. (2002). The design of everyday things (1st Basic paperback). Basic Books.

  27. Herley, C., & van Oorschot, P. C. (2018). Science of Security: Combining Theory and Measurement to Reflect the Observable. IEEE Security & Privacy, 16(1), 12–22.

  28. Herley, C. (2016). Unfalsifiability of security claims. Proceedings of the National Academy of Sciences, 113(23), 6415–6420.

  29. Goyal, N. (2019). Your password doesn’t matter—but MFA does!

  30. Weinert, A. (2019). Your Pa$$word doesn’t matter.

  31. Weinert, A. (2019). All your creds are belong to us!

  32. A NortonLifeLock employee. The risks of public Wi-Fi. Retrieved June 14, 2020, from

  33. Greenberg, A. (2012). Yes, People Actually Post Pictures Of Their Credit Cards Online. This Twitter Account Was Created To Shame Them. In Forbes.

  34. Mickens, J. (2014). This World of Ours. ;Login: January 2014, 8–11.

  35. Landwehr, C. E. (2012). Cybersecurity: From engineering to science. The Next Wave, 19(2), 2–5.

  36. Herley, C., & Oorschot, P. C. van. (2017). SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit. 2017 IEEE Symposium on Security and Privacy (SP), 99–120.

  37. Herley, C. (2014). More Is Not the Answer. IEEE Security & Privacy, 12(1), 14–19.

  38. Florêncio, D., & Herley, C. (2010). Where do security policies come from? Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS ’10.

  39. Friedman, J., Sarkeesian, A., & Bracey Sherman, R. (2015). Speak Up & Stay Safe(r): – A Guide to Protecting Yourself From Online Harassment.

  40. Doxing. (2022). In Wikipedia.

  41. Swatting. (2022). In Wikipedia.

  42. Dox. In Merriam-Webster ( Dictionary). Retrieved December 5, 2022, from

  43. Johansen, A. G. (2020). What Is A Computer Virus?

  44. Rubenking, N. J. (2022). 7 Signs You Have Malware and How to Get Rid of It.

  45. Whitmore, C. (2022). What are the signs I have malware?

  46. Granneman, S. (2004). Infected in 20 minutes.

  47. Ullrich, J. B., Fendley, S., Hale, D., Sachs, M., & Smith, D. (2003). Windows XP: Surviving the First Day. SANS Institute Internet Storm Center.

  48. OgdruJahad. (2018). I remember hearing about windows XP getting infected within minutes of being connected to the Internet, how true is this? What conditions are required. I’m assuming the computer has service pack 3.

  49. Ullrich, J. B. (2003). Windows XP: Surviving the first day [E-mail].

  50. Fendley, S. (2005). Reader’s Diary and Update of Windows XP: Surviving the First Day.

  51. Anderson, B. (2018). Why Windows Defender Antivirus is the most deployed in the enterprise.

  52. Batchelder, D., Blackbird, J., Henry, P., Iyer, S., Jones, J., Kulkarni, A., Lauricella, M., Ng, N., O’Sullivan, N., Pecelj, D., Penta, A., Pope, S., Rains, T., Stewart, J., Stewart, H., Thompson, T., Zink, T., & McDonald, G. (2014). Microsoft Security Intelligence Report - Volume 17 (No.17; Number 17). Microsoft.

  53. Avena, E., Capriotti, R., Dong, Z., Douglas, E., Duncan, M., Duncan, M., Fender, S., Ferrer, M., Ferrer, Z., Florio, E., Fouda, A., Ganacharya, T., Gowrishankar, R., Gradascevic, H., Grebennikov, V., Rao, V. G., Hallum, C., Henry, P., Higgs, S., … Yim, J. (2017). Microsoft Security Intelligence Report Volume 22 (No.22; Number 22). Microsoft.

  54. Symantec. (2019). Internet Security Threat Report (No.24; Number 24).

  55. Agrawal, A., Fantham, D., Ghosh, D., Kelley, D., Florio, E., Avena, E., Douglas, E., Tan Seng, E., Trull, J., Borenstein, J., Selvaraj, K., Kaplinska, K., Laidler, K., Duncan, M., Simos, M., Henry, P., Pandey, P., Pliskin, R., McGee, R., … Zohar, Y. (2019). Microsoft Security Intelligence Report Volume 24 (No.24; Number 24). Microsoft.

  56. Vergelis, M., Shcherbakova, T., & Sidorina, T. (2019). Spam and phishing in Q1 2019.

  57. Lévesque, F. L., Fernandez, J., Young, G., & Batchelder, D. (2016, October 5). Are They Real? Real-Life Comparative Tests of Anti-Virus Products.

  58. Maimon, D. (2019). Existing Evidence for the Effectiveness of Antivirus in Preventing Cyber Crime Incidents. EBCS Tools, 6.

  59. Levesque, F. L., Somayaji, A., Batchelder, D., & Fernandez, J. M. (2015). Measuring the health of antivirus ecosystems. 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), 101–109.

  60. Lalonde Levesque, F., Nsiempba, J., Fernandez, J. M., Chiasson, S., & Somayaji, A. (2013). A clinical study of risk factors related to malware infections. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security - CCS ’13, 97–108.

  61. Test antivirus software for Windows 10 - December 2022. Retrieved March 5, 2023, from

  62. Kaspersky Security Bulletin 2021 Statistics. (2021). Kaspersky.

  63. Kaspersky Security Bulletin 2022 Statistics. (2022). Kaspersky.

  64. Kaspersky Security Bulletin: Overall Statistics for 2017. (2017).

  65. Garnaeva, M., Chebyshev, V., Makrushin, D., Unuchek, R., & Ivanov, A. (2014). Kaspersky Security Bulletin 2014 Overall statistics for 2014. Kaspersky.

  66. Anthe, C., Ben Zvi, N., Chrzan, P., Egilmez, B., Florio, E., Foster, C., Grimes, R., Henry, P., Jester, B., Jones, J., Kaufman, D., Kladakis, N., Kondratyuk, D., Lelli, A., McDonald, G., McLaughlin, M., Ng, N., O’Sullivan, N., Pecelj, D., … Zink, T. (2015). Microsoft Security Intelligence Report Volume 20 (No.20; Number 20). Microsoft.

  67. Shishkova, T. (2021). IT threat evolution in Q3 2021. Mobile statistics.

  68. Barrett, D. (2016). FBI Paid More Than $1 Million to Hack San Bernardino iPhone. Wall Street Journal.

  69. IT threat evolution in Q3 2021. PC statistics. (2021).

  70. Malware Statistics & Trends Report. Retrieved March 6, 2023, from

  71. Malware & PUA. (2023).

  72. Kaspersky bans and allegations of Russian government ties. (2023). In Wikipedia.

  73. Osborne, C. (2022). Decade-old bugs discovered in Avast, AVG antivirus software.

  74. Tavis, O. (2016). Project Zero: How to Compromise the Enterprise Endpoint.

  75. Spadafora, A. (2023). Which Antivirus Software Has the Least System Impact?,review-6276.html

  76. Performance Test: Impact of Consumer Security Software on System Performance April 2022. (2022). AV-Comparatives.

  77. Barthe, B., & Murrant, S. (2022). 2022 Prime Time for Real-Time. ACI Worldwide.

  78. Technological Advisory Council (TAC) Mobile Device Theft Prevention (MDTP) Working Group. (2018). FCC.

  79. Klein, A. (2021). How Long Do Disk Drives Last?

  80. Laptop theft. (2020). In Wikipedia.

  81. reddit - DataHoarder wiki - Software. Retrieved November 21, 2019, from

  82. Harnedy, R. (2016). What is the 3-2-1 backup rule?

  83. How often should database backups be tested? - Quora. Retrieved July 27, 2020, from

  84. Schimelpfenig, T. (2006). Evidence Informed Wilderness Medicine.

  85. Schimelpfenig, T., & Safford, J. (2021). NOLS wilderness medicine (Seventh edition). Stackpole Books.

  86. Basques, K. Why HTTPS Matters. In Google. Google.

  87. Securing the Web. (2015). In Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C.

  88. Mill, E. (2014). Why we use HTTPS for every .gov we make. In 18F: Digital Service Delivery.

  89. Farrell, S., & Tschofenig, H. (2014). Pervasive monitoring is an attack.

  90. Muehlstein, J., Zion, Y., Bahumi, M., Kirshenboim, I., Dubin, R., Dvir, A., & Pele, O. (2016). Analyzing HTTPS Traffic for a Robust Identification of Operating System, Browser and Application. ArXiv Preprint ArXiv:1603.04865.

  91. Butler, E. (2010). Firesheep. {CodeButler}.

  92. Newman, C. (1999). Using TLS with IMAP, POP3 and ACAP (RFC No.2595; Number 2595). RFC Editor.

  93. Moore, K. (2018). Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access (RFC No.8314; Number 8314). RFC Editor.

  94. Goodin, D. (2015). Don’t count on STARTTLS to automatically encrypt your sensitive e-mails. Ars Technica.

  95. Who’s That Knocking At My Door. (2017). Privacy International.

  96. SSL vs TLS vs STARTTLS. FastMail. Retrieved August 19, 2018, from

  97. Email encryption in transit. Google. Retrieved August 19, 2018, from

  98. Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y. Y., & others. (2017). NIST Special Publication 800-63B. Digital Identity Guidelines: Authentication and Lifecycle Management. Bericht, NIST.

  99. Weir, M., Aggarwal, S., Collins, M., & Stern, H. (2010). Testing metrics for password creation policies by attacking large sets of revealed passwords. Proceedings of the 17th ACM Conference on Computer and Communications Security, 162–175.

  100. Emily Stark, & Carlos Joan Rafael Ibarra Lopez. (2019). No More Mixed Messages About HTTPS. In Chromium Blog.