Building a security plan
A security plan is a simple, honest assessment of what you want to protect, who you want to protect it from, and how much effort that's worth to you.

Why it matters
Most digital security advice treats everyone the same. But what makes sense for a journalist protecting a source is different from what makes sense for someone who wants to stop their employer from reading their personal messages, which is different again from what makes sense for someone who just wants to stop feeling like they're being followed around by ads.
A security plan helps you figure out what actually applies to your life, so you can focus on that rather than trying to do everything.
The six questions
Working through these questions doesn't have to be formal. Even rough answers are more useful than no answers.
1. What do I want to protect?
These are your assets: the information, devices, and accounts that matter to you.
Some examples: your location, your messages, your medical information, your financial accounts, your identity in a particular context, photos, contact lists, notes, work documents.
It helps to be specific. Think about where information lives (on your phone, in your email, in cloud storage) and who currently has access to it.
2. Who do I want to protect it from?
These are your adversaries: anyone who might want to access or misuse your information.
They might be advertisers and data brokers, your employer, a former partner, a government agency, a specific person in your life, or unknown third parties who might gain access through a breach.
Different adversaries have different capabilities. Your mobile provider can see call records. A stalker might have access to your social media. An employer might have access to work devices and accounts. A sophisticated attacker might use technical methods most people won't encounter.
3. How bad would it be if something went wrong?
Think about what your adversary could actually do with the information, and what the consequences would be.
Losing access to your email is inconvenient. Having private photos shared publicly could be devastating. Having your location shared with the wrong person could be dangerous. Having your financial information exposed could cause lasting harm.
The severity of the potential harm affects how much protection is worth the effort.
4. How likely is it that I'll actually need this protection?
Capability and likelihood are different things. Just because someone could access your information doesn't mean they will.
Your phone provider can technically access a lot of your data, but the probability they'll share it publicly is low. The probability that an angry ex-partner might try to track your location depends on your specific situation.
Realistic risk assessment helps you avoid either over-protecting against things that won't happen or under-protecting against things that might.
5. How much effort are you willing to put in?
Stronger security and privacy often involve friction: more steps, different apps, trade-offs in convenience.
There's no single right answer. The goal is a set of practices you'll actually maintain, not a perfect setup you'll abandon after a week. A modest improvement you sustain is worth more than a comprehensive approach you give up on.
Be honest with yourself about this.
6. Who else is involved?
Security doesn't happen in isolation. If you switch to a private messaging app, it only helps if the people you're talking to also use it. If you share a device with someone, your security depends partly on theirs.
Think about the people in your life who might share information about you, not necessarily with bad intentions, but because their practices affect your exposure.
What a security plan helps with
- Giving you a clear sense of what to focus on, instead of trying to protect everything equally
- Making decisions proportionate to actual risk rather than imagined worst cases
- Choosing tools and habits that match your situation rather than following generic advice
- Avoiding effort and friction in areas that don't significantly affect your safety
What a security plan does not do
- It doesn't account for threats you haven't thought of; your model is only as good as your understanding of your situation
- It isn't permanent; your circumstances change, and so should the plan
- It doesn't replace technical security measures; it helps you choose the right ones, but you still need to implement them
Tradeoffs to be aware of
The biggest tradeoff in security planning is between protection and convenience. Every additional layer of security typically adds some friction. The question isn't "what's the most secure option?" but "what level of security is right for my actual situation and what I'm willing to maintain?"
It's also worth being careful about scope. It's easy to start thinking about privacy and end up anxious about things you can't control. The goal of a security plan is to feel more grounded, not more worried. Focus on the specific concerns that are real in your life, address those, and let the rest go.
Practical starting points
Start with the most obvious concern in your life right now. Work through the six questions above, even informally.
A few common starting points:
If your concern is general tracking and advertising: Focus on browser settings, a privacy-respecting search engine, and reducing unnecessary account creation. A VPN might help, but it's not the first step.
If your concern is account security: Strong, unique passwords managed by a password manager and two-factor authentication on important accounts are the highest-leverage changes most people can make.
If your concern is private communication: Switch to an end-to-end encrypted messaging app for conversations that matter. Signal is a good starting point.
If your situation is higher-stakes (you're a journalist, activist, or someone in a difficult personal situation), the EFF's Surveillance Self-Defense guide covers more specific scenarios in depth.
Going deeper
Security planning as a formal discipline (used in software engineering and risk management) involves detailed adversary profiles, attack trees, and quantified risk assessments. For everyday privacy, the six-question framework above captures most of what's useful without the complexity.
One concept worth understanding: the difference between security and privacy. Security is about keeping information from being accessed by people who shouldn't have it. Privacy is about limiting how much information exists to be accessed in the first place. A strong password secures an account. Choosing not to create the account avoids the exposure entirely. Both strategies are valid and often complementary.
Another useful frame: trust chains. Every service or device you use involves trusting someone. Your messaging app trusts your phone's operating system. Your phone trusts the network it's connected to. Security planning involves understanding where those trust relationships are and whether they're appropriate given your situation.
Foldy tip
A security plan works best when it matches your actual situation, not someone else's.
Related pages
- Threat modeling: overlaps significantly with this page; goes deeper on the five-question framework
- What is privacy: the broader context
- Encryption: a core technical tool that often comes up in security planning
- Metadata: a category of exposure that security planning frequently overlooks