References

There are always too many people to thank, and I will certainly miss some.

Thank you Mom, Yennie Jun, Sophie Rooks, Michael Whitesides, and everyone else who listened to me ramble about security.

Special thanks to Cormac Herley and Deepak Kumar for answering my many questions. All wisdom is theirs, all inaccuracies are mine alone.

Complete references & bibliography

  1. Yudkowsky, E. S. (2005). A Technical Explanation of Technical Explanation. Rational. http://yudkowsky.net/rational/technical/

  2. Herley, C. (2009). So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. 12. https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/SoLongAndNoThanks.pdf

  3. Pollard, B. (2018). What does the Green Padlock Really Mean? TuneTheWeb. https://www.tunetheweb.com/blog/what-does-the-green-padlock-really-mean/

  4. Hammond, S. (2021). Bruce Schneier: We Are Asking the Wrong Cybersecurity Questions | CDOTrends. https://www.cdotrends.com/story/15813/bruce-schneier-we-are-asking-wrong-cybersecurity-questions

  5. Mazurek, M. L., Arsenault, J. P., Bresee, J., Gupta, N., Ion, I., Johns, C., Lee, D., Liang, Y., Olsen, J., Salmon, B., & others. (2010). Access control for home data sharing: Attitudes, needs and practices. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 645–654.

  6. Dowd, M., McDonald, J., & Schuh, J. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (1st edition, Vol. 1). Addison-Wesley Professional. https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/The%20Art%20of%20Software%20Security%20Assessment%20-%20Identifying%20and%20Preventing%20Software%20Vulnerabilities.pdf

  7. Information security. (2022). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Information_security&oldid=1123005715#Key_concepts

  8. Wash, R. (2010). Folk models of home computer security. Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS ’10, 1. https://doi.org/10.1145/1837110.1837125

  9. Lewis, O., & Fox, S. (2001). Fear of Online Crime. Pew Research Center. https://www.pewresearch.org/internet/2001/04/02/main-report-23/

  10. Verizon Enterprise. (2018). 2018 Data Breach Investigations Report (No. 11). https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf

  11. Symantec. (2019). Internet Security Threat Report (No. 24). https://docs.broadcom.com/doc/istr-24-2019-en

  12. Olmstead, K., & Smith, A. (2017). Americans and Cybersecurity. Pew Research Center, 26(311), 43. https://www.pewresearch.org/internet/2017/01/26/1-americans-experiences-with-data-security/

  13. Equifax Data Breach Settlement. (2019). In Federal Trade Commission. https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

  14. Thomas, R., & Martin, J. (2006). The Underground Economy: Priceless. ;Login:, 31(6). https://www.usenix.org/publications/login/december-2006-volume-31-number-6/underground-economy-priceless

  15. Florencio, D., & Herley, C. (2012). Is Everything We Know About Password-Stealing Wrong? IEEE Security & Privacy Magazine. https://doi.org/10.1109/msp.2012.57

  16. Hunt, T. Have I Been Pwned: Check if your email has been compromised in a data breach. Retrieved May 25, 2020, from https://haveibeenpwned.com/

  17. Synovate. (2007). Federal Trade Commission – 2006 Identity Theft Survey Report.

  18. Harrell, E. (2019). Victims of Identity Theft, 2016 (p. 29). Bureau of Justice Statistics. https://www.bjs.gov/index.cfm?ty=pbdetail&iid=6467

  19. Harrell, E. (2021). Victims of Identity Theft, 2018 (NCJ 256085). Bureau of Justice Statistics. https://bjs.ojp.gov/content/pub/pdf/vit18_sum.pdf

  20. Bank Crime Statistics (BCS) 2011 Federally Insured Financial Institutions January 1, 2011 – December 31, 2011. (2012). Federal Bureau of Investigation. https://www.fbi.gov/stats-services/publications/bank-crime-statistics-2011/bank-crime-statistics-2011

  21. Freed, D., Palmer, J., Minchala, D., Levy, K., Ristenpart, T., & Dell, N. (2018). “A Stalker’s Paradise”: How Intimate Partner Abusers Exploit Technology. Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems - CHI ’18, 1–13. https://doi.org/10.1145/3173574.3174241

  22. Logan, T. K. (2010). Research on partner stalking: Putting the pieces together. Lexington, KY: University of Kentucky, Department of Behavioral Science & Center on Drug and Alcohol Research.

  23. Arief, B., & Adzmi, M. A. B. (2015). Understanding cybercrime from its stakeholders’ perspectives: Part 2 – defenders and victims. IEEE Security & Privacy, 13(2), 84–88. https://doi.org/10.1109/MSP.2015.44

  24. Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M. J. G., Levi, M., Moore, T., & Savage, S. (2013). Measuring the Cost of Cybercrime. In R. Böhme (Ed.), The Economics of Information Security and Privacy (pp. 265–300). Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_12

  25. Actions. Retrieved July 4, 2019, from http://veriscommunity.net/actions.html

  26. Norman, D. A. (2002). The design of everyday things (1st Basic paperback). Basic Books.

  27. Herley, C., & van Oorschot, P. C. (2018). Science of Security: Combining Theory and Measurement to Reflect the Observable. IEEE Security & Privacy, 16(1), 12–22. https://doi.org/10.1109/MSP.2018.1331028

  28. Herley, C. (2016). Unfalsifiability of security claims. Proceedings of the National Academy of Sciences, 113(23), 6415–6420. https://doi.org/10.1073/pnas.1517797113

  29. Goyal, N. (2019). Your password doesn’t matter—but MFA does! https://www.microsoft.com/en-us/security/blog/2019/10/03/password-doesnt-matter-mfa-does/

  30. Weinert, A. (2019). Your Pa$$word doesn’t matter. https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984

  31. Weinert, A. (2019). All your creds are belong to us! https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124

  32. Hughes, N. C. (2021). Why you should stop using SMS for two-factor authentication. https://cybernews.com/security/why-you-should-stop-using-sms-for-two-factor-authentication/

  33. A NortonLifeLock employee. The risks of public Wi-Fi. Retrieved June 14, 2020, from https://us.norton.com/internetsecurity-privacy-risks-of-public-wi-fi.html

  34. Greenberg, A. (2012). Yes, People Actually Post Pictures Of Their Credit Cards Online. This Twitter Account Was Created To Shame Them. In Forbes. https://www.forbes.com/sites/andygreenberg/2012/07/03/yes-people-actually-post-pictures-of-their-credit-cards-online-this-twitter-account-was-created-to-shame-them/

  35. Mickens, J. (2014). This World of Ours. ;Login: January 2014, 8–11. https://www.usenix.org/system/files/1401_08-12_mickens.pdf

  36. Landwehr, C. E. (2012). Cybersecurity: From engineering to science. The Next Wave, 19(2), 2–5. http://www.landwehr.org/2012-05-cybersec-fm-engg-to.pdf

  37. Herley, C., & van Oorschot, P. C. (2017). SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit. 2017 IEEE Symposium on Security and Privacy (SP), 99–120. https://doi.org/10.1109/SP.2017.38

  38. Herley, C. (2014). More Is Not the Answer. IEEE Security & Privacy, 12(1), 14–19. https://doi.org/10.1109/MSP.2013.134

  39. Florêncio, D., & Herley, C. (2010). Where do security policies come from? Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS ’10. https://doi.org/10.1145/1837110.1837124

  40. Friedman, J., Sarkeesian, A., & Bracey Sherman, R. (2015). Speak Up & Stay Safe(r): A Guide to Protecting Yourself From Online Harassment. https://onlinesafety.feministfrequency.com/en

  41. Doxing. (2022). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Doxing&oldid=1120770293

  42. Swatting. (2022). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Swatting&oldid=1124357374

  43. Dox. In Merriam-Webster (Merriam-Webster.com Dictionary). Retrieved December 5, 2022, from https://www.merriam-webster.com/dictionary/doxing

  44. Johansen, A. G. (2020). What Is A Computer Virus? https://us.norton.com/blog/malware/what-is-a-computer-virus

  45. Rubenking, N. J. (2022). 7 Signs You Have Malware and How to Get Rid of It. https://www.pcmag.com/how-to/7-signs-you-have-malware-and-how-to-get-rid-of-it

  46. Whitmore, C. (2022). What are the signs I have malware? https://nordvpn.com/blog/signs-of-malware/

  47. Granneman, S. (2004). Infected in 20 minutes. https://www.theregister.co.uk/2004/08/19/infected_in20_minutes/

  48. Ullrich, J. B., Fendley, S., Hale, D., Sachs, M., & Smith, D. (2003). Windows XP: Surviving the First Day. SANS Institute Internet Storm Center.

  49. OgdruJahad. (2018). I remember hearing about windows XP getting infected within minutes of being connected to the Internet, how true is this? What conditions are required. I’m assuming the computer has service pack 3. https://www.reddit.com/r/AskNetsec/comments/8apgwt/i_remember_hearing_about_windows_xp_getting/

  50. Ullrich, J. B. (2003). Windows XP: Surviving the first day [E-mail]. https://seclists.org/basics/2003/Nov/555

  51. Fendley, S. (2005). Reader’s Diary and Update of Windows XP: Surviving the First Day. https://isc.sans.edu/diary.html?storyid=0

  52. Anderson, B. (2018). Why Windows Defender Antivirus is the most deployed in the enterprise. https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise/

  53. Batchelder, D., Blackbird, J., Henry, P., Iyer, S., Jones, J., Kulkarni, A., Lauricella, M., Ng, N., O’Sullivan, N., Pecelj, D., Penta, A., Pope, S., Rains, T., Stewart, J., Stewart, H., Thompson, T., Zink, T., & McDonald, G. (2014). Microsoft Security Intelligence Report - Volume 17 (No. 17). Microsoft. https://go.microsoft.com/fwlink/p?linkid=2036137&clcid=0x409&culture=en-us&country=us

  54. Avena, E., Capriotti, R., Dong, Z., Douglas, E., Duncan, M., Duncan, M., Fender, S., Ferrer, M., Ferrer, Z., Florio, E., Fouda, A., Ganacharya, T., Gowrishankar, R., Gradascevic, H., Grebennikov, V., Rao, V. G., Hallum, C., Henry, P., Higgs, S., … Yim, J. (2017). Microsoft Security Intelligence Report Volume 22 (No. 22). Microsoft. https://go.microsoft.com/fwlink/p/?linkid=2036244&clcid=0x409&culture=en-us&country=us

  55. Symantec. (2019). Internet Security Threat Report (No. 24). https://docs.broadcom.com/doc/istr-24-2019-en

  56. Agrawal, A., Fantham, D., Ghosh, D., Kelley, D., Florio, E., Avena, E., Douglas, E., Tan Seng, E., Trull, J., Borenstein, J., Selvaraj, K., Kaplinska, K., Laidler, K., Duncan, M., Simos, M., Henry, P., Pandey, P., Pliskin, R., McGee, R., … Zohar, Y. (2019). Microsoft Security Intelligence Report Volume 24 (No. 24). Microsoft. https://clouddamcdnprodep.azureedge.net/gdc/gdc09FrGq/original

  57. Vergelis, M., Shcherbakova, T., & Sidorina, T. (2019). Spam and phishing in Q1 2019. https://securelist.com/spam-and-phishing-in-q1-2019/90795/

  58. Lévesque, F. L., Fernandez, J., Young, G., & Batchelder, D. (2016, October 5). Are They Real? Real-Life Comparative Tests of Anti-Virus Products.

  59. Maimon, D. (2019). Existing Evidence for the Effectiveness of Antivirus in Preventing Cyber Crime Incidents. EBCS Tools, 6.

  60. Levesque, F. L., Somayaji, A., Batchelder, D., & Fernandez, J. M. (2015). Measuring the health of antivirus ecosystems. 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), 101–109. https://doi.org/10.1109/MALWARE.2015.7413690

  61. Lalonde Levesque, F., Nsiempba, J., Fernandez, J. M., Chiasson, S., & Somayaji, A. (2013). A clinical study of risk factors related to malware infections. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security - CCS ’13, 97–108. https://doi.org/10.1145/2508859.2516747

  62. Test antivirus software for Windows 10 - December 2022. Retrieved March 5, 2023, from https://www.av-test.org/en/antivirus/home-windows/

  63. Kaspersky Security Bulletin 2021 Statistics. (2021). Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2021_eng.pdf

  64. Kaspersky Security Bulletin 2022 Statistics. (2022). Kaspersky. https://go.kaspersky.com/rs/802-IJN-240/images/KSB_statistics_2022_en_final.pdf

  65. Kaspersky Security Bulletin: Overall Statistics for 2017. (2017). https://media.kaspersky.com/jp/pdf/pr/Kaspersky_KSB2017_Statistics-PR-1045.pdf

  66. Garnaeva, M., Chebyshev, V., Makrushin, D., Unuchek, R., & Ivanov, A. (2014). Kaspersky Security Bulletin 2014 Overall statistics for 2014. Kaspersky. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08065743/Kaspersky-Security-Bulletin-2014.-Overall-statistics-for-2014.pdf

  67. Anthe, C., Ben Zvi, N., Chrzan, P., Egilmez, B., Florio, E., Foster, C., Grimes, R., Henry, P., Jester, B., Jones, J., Kaufman, D., Kladakis, N., Kondratyuk, D., Lelli, A., McDonald, G., McLaughlin, M., Ng, N., O’Sullivan, N., Pecelj, D., … Zink, T. (2015). Microsoft Security Intelligence Report Volume 20 (No. 20). Microsoft. https://www.microsoft.com/en-us/download/details.aspx?id=52255

  68. Shishkova, T. (2021). IT threat evolution in Q3 2021. Mobile statistics. https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/

  69. Barrett, D. (2016). FBI Paid More Than $1 Million to Hack San Bernardino iPhone. Wall Street Journal. http://www.wsj.com/articles/comey-fbi-paid-more-than-1-million-to-hack-san-bernardino-iphone-1461266641

  70. IT threat evolution in Q3 2021. PC statistics. (2021). https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/

  71. Malware Statistics & Trends Report. Retrieved March 6, 2023, from https://www.av-test.org/en/statistics/malware/

  72. Malware & PUA. (2023). https://portal.av-atlas.org/malware

  73. Kaspersky bans and allegations of Russian government ties. (2023). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Kaspersky_bans_and_allegations_of_Russian_government_ties&oldid=1145291928

  74. Osborne, C. (2022). Decade-old bugs discovered in Avast, AVG antivirus software. https://www.zdnet.com/article/decade-old-bugs-discovered-in-avast-avg-antivirus-software/

  75. Tavis, O. (2016). Project Zero: How to Compromise the Enterprise Endpoint. https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

  76. Spadafora, A. (2023). Which Antivirus Software Has the Least System Impact? https://www.tomsguide.com/us/av-software-least-system-impact,review-6276.html

  77. Performance Test: Impact of Consumer Security Software on System Performance April 2022. (2022). AV-Comparatives. https://www.av-comparatives.org/wp-content/uploads/2022/05/avc_per_2022_04.pdf

  78. National Cyber Security Alliance, Norton, & Zogby International. (2010). 2010 NCSA / Norton by Symantec Online Safety Study.

  79. Stobert, E., & Biddle, R. (2014). The Password Life Cycle: User Behaviour in Managing Passwords. 243–255. https://www.usenix.org/conference/soups2014/proceedings/presentation/stobert

  80. Florencio, D., Herley, C., & van Oorschot, P. C. (2014). An Administrator’s Guide to Internet Password Research. 28th Large Installation System Administration Conference (LISA14), 18. https://www.usenix.org/system/files/conference/lisa14/lisa14-paper-florencio.pdf

  81. Shay, R., Komanduri, S., Durity, A. L., Huh, P. (S.), Mazurek, M. L., Segreti, S. M., Ur, B., Bauer, L., Christin, N., & Cranor, L. F. (2014). Can long passwords be secure and usable? Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 2927–2936. https://doi.org/10.1145/2556288.2557377

  82. kelalaka. (2021). Answer to “Why do some people believe that humans are ‘bad at’ generating random numbers/characters like this?”. https://crypto.stackexchange.com/a/87982

  83. Editorial Team. (2015). Statistics Will Crack Your Password. https://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure/

  84. Goodin, D. (2013). Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331.” https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

  85. Schneier, B. (2014). Choosing Secure Passwords - Schneier on Security. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

  86. Munroe, R. (2011). Password Strength. https://xkcd.com/936/

  87. Muth, D. Diceware: Generate Secure Passwords You Can Actually Remember! Retrieved January 7, 2024, from https://diceware.dmuth.org/

  88. EFF Dice-Generated Passphrases. (2016). https://www.eff.org/dice

  89. Schneier, B. (2005). Write Down Your Password - Schneier on Security. https://www.schneier.com/blog/archives/2005/06/write_down_your.html

  90. Barthe, B., & Murrant, S. (2022). 2022 Prime Time for Real-Time. ACI Worldwide.

  91. Technological Advisory Council (TAC) Mobile Device Theft Prevention (MDTP) Working Group. (2018). FCC. https://transition.fcc.gov/bureaus/oet/tac/tacdocs/reports/2018/11.30.18-MDTP-WG-Report-and-Recommendations.pdf

  92. Klein, A. (2021). How Long Do Disk Drives Last? https://www.backblaze.com/blog/how-long-do-disk-drives-last/

  93. Laptop theft. (2020). In Wikipedia. https://en.wikipedia.org/w/index.php?title=Laptop_theft&oldid=948926714

  94. reddit - DataHoarder wiki - Software. Retrieved November 21, 2019, from https://www.reddit.com/r/DataHoarder/wiki/software#wiki_website_archiving_tools

  95. Harnedy, R. (2016). What is the 3-2-1 backup rule? https://www.carbonite.com/blog/article/2016/01/what-is-3-2-1-backup

  96. How often should database backups be tested? - Quora. Retrieved July 27, 2020, from https://www.quora.com/How-often-should-database-backups-be-tested

  97. Schimelpfenig, T. (2006). Evidence Informed Wilderness Medicine. https://www.nols.edu/media/filer_public/8c/59/8c591636-b3a1-4654-806b-d09d3d613e33/evidence_informed_wilderness_medicine_january_2015.pdf

  98. Schimelpfenig, T., & Safford, J. (2021). NOLS wilderness medicine (Seventh edition). Stackpole Books.

  99. Basques, K. Why HTTPS Matters. Google. https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

  100. Securing the Web. (2015). W3C TAG Finding. W3C. https://www.w3.org/2001/tag/doc/web-https

  101. Mill, E. (2014). Why we use HTTPS for every .gov we make. In 18F: Digital Service Delivery. https://https.cio.gov/everything/

  102. Farrell, S., & Tschofenig, H. (2014). Pervasive monitoring is an attack.

  103. Muehlstein, J., Zion, Y., Bahumi, M., Kirshenboim, I., Dubin, R., Dvir, A., & Pele, O. (2016). Analyzing HTTPS Traffic for a Robust Identification of Operating System, Browser and Application. arXiv preprint arXiv:1603.04865.

  104. Butler, E. (2010). Firesheep. CodeButler. https://codebutler.com/2010/10/24/firesheep/

  105. Newman, C. (1999). Using TLS with IMAP, POP3 and ACAP (RFC 2595). RFC Editor. https://tools.ietf.org/rfc/rfc2595.txt

  106. Moore, K. (2018). Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access (RFC 8314). RFC Editor. https://tools.ietf.org/rfc/rfc8314.txt

  107. Goodin, D. (2015). Don’t count on STARTTLS to automatically encrypt your sensitive e-mails. Ars Technica. https://arstechnica.com/information-technology/2015/10/dont-count-on-starttls-to-automatically-encrypt-your-sensitive-e-mails/

  108. Who’s That Knocking At My Door. (2017). Privacy International. https://privacyinternational.org/sites/default/files/2017-10/thailand_2017_0.pdf

  109. SSL vs TLS vs STARTTLS. FastMail. Retrieved August 19, 2018, from https://www.fastmail.com/help/technical/ssltlsstarttls.html

  110. Email encryption in transit. Google. Retrieved August 19, 2018, from https://transparencyreport.google.com/safer-email/overview

  111. Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y. Y., & others. (2017). NIST Special Publication 800-63B. Digital Identity Guidelines: Authentication and Lifecycle Management. NIST.

  112. Weir, M., Aggarwal, S., Collins, M., & Stern, H. (2010). Testing metrics for password creation policies by attacking large sets of revealed passwords. Proceedings of the 17th ACM Conference on Computer and Communications Security, 162–175.

  113. Emily Stark, & Carlos Joan Rafael Ibarra Lopez. (2019). No More Mixed Messages About HTTPS. In Chromium Blog. https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html