Start at the meta level—WHY do you care about these aspects of security, and how much are you willing to spend on it (in terms of money, effort, and interference with your actual mission)? This will probably change over time—you likely don’t have anything worth stealing or sabotaging early in a project, and only have a small number of people with reasonable trust levels. As you grow, your value as a target increases, as does the number of people you don’t personally know. Figure out what the triggers or Schelling lines are where you will make security a serious focus, rather than a nice-to-have.
Then ignore Eliezer’s levels—he’s absolutely right that it’s important, but his maturity-model approach is insufficient. Security is adversarial, which means it’s a pathological distribution of problems, not a smooth surface to approach generally. Instead, focus on Threat Modeling (https://owasp.org/www-community/Threat_Modeling is one resource), and the matching of hassle/expense of protection for yourself vs the risk/cost of loss and ease/likelihood of attack for the resources you’re protecting.
For most secrets, technological protection (encryption, access control/logging, penetration tests, etc.) is sufficient for casual or competitive attacks. Government “attacks” like subpoenas are really only preventable by simply not having what they want (delete your logs if this is your worry) or being very careful not to be in the jurisdictions with those risks. Targeted covert state-level or very organized criminal attacks are probably impossible to prevent. If an org can kidnap 51% of the leadership and torture them for their passwords, they’re in, no matter what. So probably easier to not try to secure against that, or to have anything likely to be attacked that way.