Security Paranoia Scale

Just like the Beaufort wind scale... but for security.

In the 17th century, a wind scale was devised and standardised so that naval officers recording wind speeds in their ship's logs could describe the weather accurately. The problem at the time was that what one man would call "calm", another man might call "windy". Until the scale was developed, there was no way of comparing the logs of two different captains.

A similar problem appears in digital security. What one man might call "safe" another might call "already exploited". Many security experts, tongues firmly in cheeks, will say that "a healthy amount of paranoia is necessary to remain secure online". This scale is an attempt to quantify levels of security paranoia and provide an easy method for identifying them.

Security Paranoia Number / Name / Description

0 / Free and easy

Leaves door to house open. Writes PIN on credit card. Doesn't believe in having computer passwords. When forced to choose a password, chooses '12345'. Double clicks all attachments in email. Clicks on "Hundreds of new Smileys!" ads. Installs Bonsai Buddy.

1 / Trusting

Locks front door of house. Memorises PIN but keeps original letter in filing cabinet 'just in case'. Usual password is 'password'. When IT enforce a more complex password, writes it on a sticky note and sticks it to monitor. Never changes default password on any device.

2 / Average Joe

Locks every door of house. Memorises PIN and throws away original letter. Every user account has admin privileges. Uses the same password for every login, for every system. Usual password is dog's name.

3 / Mildly Suspicious

Locks windows of house too. Memorises PIN and eats original letter. Only one user on computer has admin privileges. Uses two different passwords: one for safe places and one for everywhere else. Usual password is a dictionary word. Knows that pictures of locks on web sites mean that the site is secure.

4 / Suspicious

Hasn't logged in as admin since the initial install. Issues admin commands using sudo or run as. Uses open source software because he understands it has a good security record but still uses proprietary software when needed. Has three different levels of passwords: low, medium and high security. Usual password is a dictionary word with a number. Knows what each web browser's lock symbols for SSL look like.

5 / Mildly paranoid

Exclusively uses open source software because it can be verified by the community to not contain backdoor code and security flaws. Encrypts and signs sensitive emails. Won't submit a password to any web site unless it is using SSL. Uses sudo but it requires a password every time it is used. Usual password is at least 6 random letters and numbers.

6 / Paranoid

Checks MD5 sums of downloaded software to make sure it hasn't been tampered with. Only uses two different password security levels but uses a different password for everything in the high security level. Requires a password to unlock screen saver. Encrypts and signs all emails. Actually reads SSL certificate information in web browser before accepting certificate. Usual password is at least 8 random letters and numbers.

7 / Quite paranoid

Compiles own open source software and checks MD5 sums of the downloaded source files. Screen saver activates after 5 minutes of inactivity. Encrypts entire home directory. Has a hardware-based random number generator based on radioactive decay attached to computer. Phones web site owners to verify signature on SSL certificate verbally. Usual password is at least 10 random letters, symbols and numbers.

8 / Extremely Paranoid

Compiles own open source software but only after doing a complete security audit on every line of code. Invents own encryption algorithm because existing ones aren't good enough. Uses a different password for every authentication. Screen saver activates after 30 seconds of inactivity. Usual password is at least 30 random letters, symbols and numbers.

9 / I have no name.

Lives in abandoned security bunker from World War II in remote desert. Must authenticate before using toaster. All passwords require modification from a randomly changing security device that updates every 30 seconds. Every authentication requires three-factor authentication from a dongle plugged into the computer, a password and a biometric scan. Never removes sunglasses or gloves outside bunker to keep biometric information secret. Computer requires re-authentication every 30 seconds, regardless of activity. Encrypts home directory with a one-time pad... that only ever existed inside his brain. Has a self destruct button installed in underground lair.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.


On Tue 30th Oct 2007 at 1pm Prathik M said:

Nice scale. Most people I see are level 0.

On Fri 25th Jan 2008 at 1pm ultra said:

How about level 10: uses openbsd.

On Sun 27th Jan 2008 at 3am Koko said:

I guess I rank around four.

On Sun 27th Jan 2008 at 4pm rprebel said:

I had no idea I was mildly paranoid... thanks!

On Sun 27th Jan 2008 at 9pm Raytracer said:

Hmm, I'd probably have to rate myself a 3 then. May have to increase my paranoia factor.

On Mon 28th Jan 2008 at 2pm Pacaruru said:

Most adept computer users I see rank between a 4 and a 5. Most non-adept computer users rank between a 2 and a 3. The occasional 0 I usually take time out to educate to at least a 3. :)

On Wed 30th Jan 2008 at 11pm Anonymous said:

I'm #4, I just downloaded an add on for Firefox that hides the user agent information and all that goes with it. I'm considering the TOR network for my future activities because I hate being traced, not that I do illegal stuff, but I like messing with authority.

On Thu 12th Mar 2009 at 1pm Anonymous said:

Ranked 8.

On Fri 13th Mar 2009 at 1pm Dave said:

Mr Anonymous above is not just saying that either.

He browses with Javascript turned off. I know this because the form submission here tests to see whether you are running Javascript or not (spam bots don't run Javascript) and separates the comments accordingly.

I browse with Javascript turned off by using the NoScript plugin for Firefox and let me tell you, even with that plugin to make things easier, it's still a pain in the proverbial. So many sites require Javascript for even the most basic functionality that you end up switching it nearly all the time anyway. Someone who browses with Javascript turned off is seriously dedicated to their own privacy/security. NoScript is still worthwhile, even if you turn it on most of the time, because you can selectively allow Facebook scripts but disallow Doubleclick scripts which are on Facebook. You can use Javascript on my site while not being tracked by Google analytics and MyBlogLog.

I might add something about Javascript, Java, Flash and cookies into the scale but I'm not sure exactly where they should go.

Of course, you aren't really all that Anonymous if you use your name as your website's domain name and link to it in your comment... but then again, maybe he wasn't really trying to be anonymous after all.

A quick look around his website shows that he is actually working on his "own encryption algorithm because existing ones aren't good enough", which is directly from the wording of level 8 in the scale. (Well, sort of. It's a PRNG algorithm specifically designed to be cryptographically secure, and random numbers are a fundamental part of encryption. Close enough.)

Incidentally, I score somewhere between 5 and 6 on this scale... and I'm the guy who made it up!
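A server-side sketch of the comment sorting Dave describes above, added here as an example and not the site's own code: the HTML form ships with an empty hidden field, a small page script (assumed, not shown) copies a signed token into it, and the server files submissions carrying a valid token as 'human' and everything else as 'suspect' for review. The field name, function names and token format are made up for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-deployment secret used to sign tokens; generated here for the example.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a minted token stays acceptable


def make_js_token(key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Token the page's script is assumed to copy into the hidden 'js_token'
    input; the plain HTML form ships with that input empty."""
    ts = str(int(time.time()) if now is None else now)
    tag = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{tag}"


def token_is_valid(token: str, key: bytes = SERVER_KEY,
                   now: Optional[int] = None) -> bool:
    """True only if we minted the token and it is no older than TOKEN_TTL."""
    ts, sep, tag = token.partition(".")
    if not sep or not ts.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - int(ts) <= TOKEN_TTL:
        return False
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def classify_submission(form: dict, key: bytes = SERVER_KEY,
                        now: Optional[int] = None) -> str:
    """'human' when the script-filled field carries a valid token, otherwise
    'suspect'. Suspect comments go to a review queue rather than the bin,
    because the submitter may simply browse with JavaScript switched off."""
    if token_is_valid(form.get("js_token", ""), key, now):
        return "human"
    return "suspect"


if __name__ == "__main__":
    # Constructed submissions: a browser that ran the script, a bot posting
    # the raw form, and a bot that filled the field without our signature.
    good = {"comment": "Nice scale.", "js_token": make_js_token()}
    raw = {"comment": "Buy smileys!"}
    forged = {"comment": "Buy smileys!", "js_token": "1234.deadbeef"}
    for name, sub in (("browser", good), ("raw post", raw), ("forged", forged)):
        print(f"{name:9s} -> {classify_submission(sub)}")
```

A bot that drives a real browser, or that scrapes the token out of the page source, passes this check, so it sorts submissions for review rather than proving anything about the poster.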
