I want to protect myself from fraud and identity theft.
While there are plenty of arbitrary collections of precautionary tips on the Internet, I want to make rational, fully informed choices to manage the risk that I suffer from financial crime. (I’m not an unusually valuable target for crime; I just want to make responsible choices.)
Essentially, I want to know how my choices will affect the attack surface around my individual finances and crime-relevant information. Having a good model of this attack surface would allow me to answer, for example, these questions:
- How do I evaluate a bank or credit union for its information security practices?
- How do I choose among email service providers and email information security practices?
- What practices around financial transactions minimize this attack surface?
I’m not looking for answers to these questions in particular, but rather how to model the attack surface they are asking about.
So, my question is:
When a security expert wants to model a complex attack surface across multiple institutions and information systems, how does he or she go about doing it? What steps does he or she go through? Can a technically capable non-expert follow these steps?