Use this page to help assess what your risks are: https://ssd.eff.org/en/module/assessing-your-risks
What do you want to protect? Who do you want to protect it from? How likely is it that you will need to protect it? How bad are the consequences if you fail? How much trouble are you willing to go through in order to try to prevent those?
- For this exercise, our list of things we are trying to protect will be your email account and your phone's photos.
- For each, write down where it?s kept, who has access to it, and what stops others from accessing it.
- Think of three possible threat actors who might want to get a hold of your data or communications. It might be an individual, a government agency, or a corporation.
- Think about what each adversary might want to do with your private data
- Think about what the likelihood of each adversary coming for that data
- Think about what happens to you if the adversary gets that data
- Now try to answer the question, how much trouble are you willing to go through in order to prevent loss.
- Delete everything you just wrote
- Write a few sentences on why threat modeling is important
- Undelete everything you just deleted if you did it electronically.
- Write down who could have gotten to the list you just deleted
- Make the decision of whether or not you need to delete the list you just made for yourself. If so, delete it. If you made it on Google Drive, good luck. This is a brain stretching exercise, so don't worry too much.
- What would it take for a hostile entity to capture what you just wrote down, depending on where you did it. Is it on a piece of paper, a local word document, a google doc? All of those require very different attacks.
One important note is that you might not have anything worth a targeted attack personally, but you have access to other things that might be interesting to other people. For example, your contact lists can be used to identify other, more important targets. Even more dangerous, someone could use your account to send phishes to your contacts. A @navy.mil address is going to have a significantly higher click rate than some random @gmail. You also have access to your network, so someone could use you to pivot to a network you have access to.