The bigger picture or the risk context can be seen from two perspectives.
First, there is the user's perspective, where the focus is on what the user is aware of and which elements the user understands. These are detailed below.
“He who knows others is wise; he who knows himself is enlightened.” Lao Tzu
Second, there is the adversary's perspective, where the focus is on what the adversary sees and how the adversary targets the user's assets.
The user is the main actor in the context. A user can be any kind of person who engages in activities online with a certain goal. A user can be you, me, one of your parents or any kind of internet user.
Element importance - Based on human nature and specific characteristics and traits, the user is susceptible to a variety of threats online. As users we must be aware of our weaknesses and how open we are to dangers, both as humans and as individuals.
The user sets out to accomplish something through an online activity. Examples include:
1. informing oneself about a specific subject
2. more convenient acquisition of goods
Usually, this goal is driven by something: the user is motivated (or driven) to set the goal. Following the examples above, we can have the drivers below:
1. the user wants to change career path, thus wants to know what might be relevant (leading to informing oneself)
2. the desired goods cannot be found in the vicinity and instead of spending more time and money to go to a physical shop, the user considers an online alternative (leading to more convenient acquisition of goods)
Element importance - It is important to understand the goal and the driver behind it, as certain dangers online can be avoided by simply changing one of them or by altering the means by which the goal is achieved.
User activity and actions
To reach the goal, the user must go through an activity which includes a number of actions, or steps that have to be taken in order to complete the activity.
These will typically include online browsing or choosing a specific offer from a multitude of offers.
Element importance - Breaking down activities into actions can give the user a clear picture of the steps that must be completed and the specific dangers associated with each of them.
In order to successfully go through the actions mentioned above, the user needs certain information or tools. These will be referred to as assets.
Typical assets required for online activities include, but are not limited to:
- personal details (personally identifiable information) such as name, address, postal code, some sort of identification document like a passport copy, etc.
- financial information such as credit card details, online payment services accounts, related bank, etc.
- credentials, such as usernames and passwords used to register an account
Element importance - At first sight, certain pieces of information may not be seen as assets by the user, such as address or postal code. The user usually recognizes their value after they have been compromised or after they have been used against them.
Possible negative occurrences are referred to as threats. In other words, a threat is "what can go wrong?". A threat is a possibility, not a fact, and it is directly tied to an activity and/or an asset.
You register an account on a website (activity), where you use your personal details (asset). The website is hacked and your personal details are exposed to parties that should not be able to access them (this is now a fact - the threat has materialized). If you had been aware of this threat before you created your account and used your personal details, you might have had second thoughts about using your real personal details.
Element importance - As users, we expect things to "just work" but we rarely take into consideration what problems our actions can bring upon us. To understand that there is a possibility of things going wrong, even though they seem to be "just working", is key to a more risk-aware and secure mindset.
People with malicious intent are usually the adversaries. The adversaries are aware of the threats that a user faces when doing certain activities and try to turn this to their advantage.
Adversaries and their perspective are described in detail in the following section.
Element importance - Threats are tied to adversaries, and these adversaries target different kinds of users. By understanding the adversary, we can better protect ourselves and prioritize our actions.