(sorry, having issues with the markdown)

I can't find the link, but Bruce Schneier, who is basically a cryptographer and security protocols guy, talks about some of these things. A big thing is that we over-weight the risk of the most recent threat we've talked about. For instance if you and I talk about six different risks:

1. Password hacks where an attacker gets the password database on a webforum, then uses that to log into your email account (because you used the same password), then grabs your banking information and gets in because...same password.
2. Viruses delivered via email attachments
3. Malware delivered by downloaded software
4. Attacks against open ports on your computer.
5. Spear Phishing
6. "Drive by" malware from SQL injections on internet websites. </ol>

You'll worry most about #6 because it's the last thing in your mind, while you can do the MOST good worrying about the first one (use at least 3 passwords, one for web forums, one for (each) email address, and one for your banking), then the next two (don't open attachments unless you're sure of the source and use a virus scanner).

Also we worry about the big and the personal--movie script type attacks or targeted attacks, when the reality is MUCH more prosaic. Most of us, as in 99.9% (ok, I made that number up, but I'd bet I'm close) of us, will never be specifically and personally targeted through technical computer attacks (attacks against our ideas, or some sort of internet or personal flaming or defamation doesn't count here, I'm talking technical attacks) as we're just not interesting.

Over a decade ago I was on the CypherPunks mailing list, and you would occasionally see people asking what they could do to keep the TLAs from spying on them (looking for hard crypto etc.). The only real answer is "don't do anything to interest them". Most people are boring, their lives are uninteresting, and there is nothing you can gain from personally going after them.

However, that doesn't mean that you won't be attacked impersonally and/or randomly. You do have a bank account, you do have a computer that can be used to pass spam, to infect other machines, or whatever.

Keep understanding that it's not personal on any level. They aren't out to get YOU, they're just out to get your stuff, and devise your strategies accordingly.

To bullet point it:

• We think about personal attacks rather than impersonal
• We tend to think about the big, flashy, or "Hollywood" attacks and not the more prosaic attack.
• We tend to focus on the last threat we've discussed, read or thought about, and not develop a more generalized threat model.