You cannot have 100% security or zero risk. So protecting your digital assets and privacy are never perfect either. Business goes on and you have to accept some level of risk on the internet (and in real life). You need a level of security that fits your needs, security controls that will vary according to your acceptance of risk.
- Start with a list of assets you want to protect, e.g. a laptop.
- Determine what are the threats to those assets, e.g. theft or compromise.
- Determine the consequences of a successful attack/loss/compromise of assets (including privacy or anonymity), e.g. damage to reputation or identity.
- Select and apply security controls, starting with greatest risk, e.g. a hardware lock for the laptop, encryption of data at rest on the laptop, or using a VPN connection to protect your online activity on the laptop.
- Do the controls work? And how well? e.g. verify encryption is working, update VPN settings, apply patches. If there are weaknesses in the controls, go back to (1).