diff --git a/10_threat_model.md b/10_threat_model.md deleted file mode 100644 index 2fbed00b644a7d8750684e18570380e52255cafd..0000000000000000000000000000000000000000 --- a/10_threat_model.md +++ /dev/null 
@@ -1,92 +0,0 @@ -*** -document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS -title: Appendix A: Simplified Threat Model -author: Jonah Silas Sheridan, Lisa Jervis -version: "2.0 DRAFT NOT FOR PUBLIC USE" -last modified: 9/6/17 -*** - -# Appendix A: Assumed Threat Model - -## Introduction -What follows is a simplified threat model that outlines the landscape in which these checklists are expected to be effective. You may note that many of these assumptions map to the individual items in the readiness assessment tool as they are foundational to the recommendations in the checklist. - -These checklists do not promise to mitigate the threats listed here in their entirety. If all items in these checklists were to be implemented across an organization, any Adversary as described by this threat model would face a high bar to impacting the confidentiality, integrity or availability of that organizations' information systems. Although not annotated with this information, many single recommendations are directly oriented at defeating one or more of the list Adversary capabilities. If there is a specific capability you that is of high risk for your organization, seek guidance from a technical support professional in determining which checklist items are most appropriate for mitigation of that risk. - -We list the threat model in terms of assumed technical operating conditions, assumed user skills and Adversary capabilities, delivered in narrative form rather than with technical detail. We believe this adversary profile fits both common criminal adversaries as well as low skill political or otherwise aggressive opponents of non-profit organizations' work. - -## Assumed operating conditions - -* Working environment is free from physical threat and devices are not consistently stolen or destroyed. - -* Work is occurring primarily on adequately powered Windows or Mac computers with some use of Android or iOS phones for communications. 
- -* All devices which have been sourced through verifiable channels and are running official versions of operating systems. - -* Devices do not cross international borders, though communications and data may. - -* Work occurs using a limited set of applications and tools which have been selected, administered and managed by the organization. - -* Authentication mechanism for these systems MAY be open to login attempts from any device. - -* Staff have regular and consistent access to the Internet to perform their work. - -* Networks used to connect to the Internet MAY also be used by other organizations and the public -- including potential Adversary. - -* Networks in use do not also host publicly available servers or services. - -* All organizational data is regularly backed up and available for restoration in a reasonable time period in most disaster circumstances. - -## End user assumed capabilities - -* End users can physically protect their hardware and devices inside their homes and offices as well as when in public spaces. - -* There is a mechanism for and end user availability to provide/receive training in information systems topics. - -* End users can operate the limited set of applications and tools their organization supplies for their use effectively. - -* End users can install browser extensions on their devices. End users, technology responsible staff or technical support providers can install other applications on end user devices. - -* End users can remember strings of letters, numbers and symbols of length 12 or more for use as pass phrases or shared secrets for accessing systems. - -* Pass phrases or shared secrets are used to authenticate a single or small group of individuals to a system. - -* End users know how to request and receive technical support for problems with their information systems. - -* End users know how to request files from backup repositories. 
- -## Adversary assumed capabilities - -* Adversary can connect to publicly available information systems and attempt to authenticate with them. - -* Adversary can send arbitrary content, including spoofed headers, malware executables, infected documents and links to email addresses. - -* Adversary can send arbitrary content to smartphones via SMS or other open messaging platforms. - -* Adversary can use promiscuous mode on their networking devices to collect wireless network traffic from all networks. - -* Adversary can use collected WEP encrypted wireless traffic to determine the password for that network and decrypt all content. - -* Adversary can collect user credentials from unsecured exchanges on wireless networks with which they can authenticate or whose passive traffic they can otherwise decrypt. - -* Adversary can set up wireless access points (WAP) in any public place with arbitrary or spoofed SSIDs. - -* Adversary can using routing attacks to route traffic on public shared networks through their devices. - -* Adversary can take over poorly configured or secured commodity gateway routing equipment using well known credentials or attacks on out of date firmware sets. - -* Adversary can spoof DHCP server announcements on public shared networks to attempt to act as the gateway for that network. - -* Adversary with appropriate position (via routing/DHCP attacks, WAP spoofing or router takeovers) can perform man-in-the-middle (MITM) attacks on unauthenticated traffic including returning arbitrary results to DNS queries, downgrading STARTSSL email submission, rewriting unauthenticated exchanges and sniffing credentials or other content. - -* Adversary cannot generate or purchase certificates for arbitrary domains from commonly trusted Certificate Authorities to MITM CA mediated authenticated connections. - -* Adversary can scan devices to identify their operating system or other software versions. 
- -* Adversary can exploit well known vulnerabilities in operating system or local software with open listening ports. - -* Adversary may be able to perform Evil Maid attacks on hardware that they have physical access to. - -* Adversary may be able to use brute force mechanisms on hardware that they take possession of. - -* Adversary cannot brute force encrypted information other than otherwise noted in this document. diff --git a/1_checklist_introduction.md b/1_checklist_introduction.md index 4eb1292569d53366acd00df10591e7b1f08612bf..b8048f9e11a054ae5946e2c8d0eddab66db20bc9 100644 --- a/1_checklist_introduction.md +++ b/1_checklist_introduction.md 
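Review bot: this deletion of 10_threat_model.md is not paired with any hunk that creates A_threat_model.md, yet the README and 1_checklist_introduction.md hunks later in this patch link to A_threat_model.md; confirm this is a rename (git mv, or a diff regenerated with rename detection) rather than a drop, otherwise the new links are dead. If the content is moving, fix two technical points in the "Adversary assumed capabilities" list as it moves: `downgrading STARTSSL email submission` should read STARTTLS (StartSSL was a certificate authority, not the opportunistic-TLS upgrade mechanism), and `Adversary can use promiscuous mode on their networking devices to collect wireless network traffic from all networks` describes monitor mode (capturing frames from networks the adapter is not associated with), not promiscuous mode. The same list has `Adversary can using routing attacks`, and the introduction has `If there is a specific capability you that is of high risk`, both of which need grammar fixes.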
@@ -13,7 +13,7 @@ This set of documents was made to help small non-profit organizations improve th ## When was this document set created and last updated? -These documents were originally researched and peer reviewed in Fall 2015. Some small edit and a minor 1.1 revision of Spring 2017 updated and improved the [Readiness Assessment Tool](2_readiness_assessment_tool.md) and other checklist language based on field experience. A major version 2.0 release was completed in September 2017. This version includes a review, update and extension of the checklist set. The version adds a [Device Security Checklist](4_device_security_checklist.md) and [GSuite Security Checklist](8_gsuite_security_checklist.md). All new content was peer reviewed. Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) with questions about this process or content. +These documents were originally researched and peer reviewed in Fall 2015. Some small edit and a minor 1.1 revision of Spring 2017 updated and improved the [Readiness Assessment Tool](2_readiness_assessment_tool.md) and other checklist language based on field experience. A major version 2.0 release was completed in September 2017. This version includes a review, update and extension of the checklist set. The version adds a [Device Security Checklist](4_device_security_checklist.md) and [GSuite Security Checklist](8_gsuite_security_checklist.md) as well as an [Assumed Threat Model](A_threat_model.md) for technical readers. All new content was peer reviewed. Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) with questions about this process or content. 
**If you have feedback or questions about this document set, its contents or how to use it, please contact Information Ecology using [our secure contact form]("https://iecology.org/contact") or PGP encrypted email to info@iecology.org using [this key]("https://iecology.org/0x3C2BACE5E10F3C7A_pub.txt")** 
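Review bot: both link destinations in the trailing context line are wrapped in double quotes, `("https://iecology.org/contact")` and `("https://iecology.org/0x3C2BACE5E10F3C7A_pub.txt")`; CommonMark treats the quotes as part of the URL, so the rendered hrefs are broken and the PGP key link in particular will not resolve. Drop the quotes. In the edited sentence itself, `Some small edit and a minor 1.1 revision` should be `Some small edits and a minor 1.1 revision`.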
@@ -27,7 +27,7 @@ In these checklists we have identified solutions and practices across a range of ## Why digital security checklists? -While computers have revolutionized how non-profits work, the last several years have begun to reveal to the general public the many risks associated with digital communication and information storage. While all organizations want to protect their information—and that of their partners and allies—few have a strong understanding of the relevant risks and most effective responses. These checklists represent recommendations for a set of baseline digital security practices. They have been created as a harm reduction and capacity building step in response to experiential knowledge of the shared technical operations of small organizations in addition to incident reports, emerging standards, current research and community feedback about the threats faced by non-profits' computer systems. The aim is to help organizations improve digital security levels, and avoid common incidents and their costs and disruption, so that space can be made for deeper analysis and organizational security efforts. In the process organizations get to build their "security practice muscles" by building new, constrained habits and practices. Building this capacity is critical to taking on more advanced or disruptive security measures as the threat landscape changes. +While computers have revolutionized how non-profits work, the last several years have begun to reveal to the general public the many risks associated with digital communication and information storage. While all organizations want to protect their information — and that of their partners and allies — few have a strong understanding of the relevant risks and most effective responses. These checklists represent recommendations for a set of baseline digital security practices. 
They have been created as a harm reduction and capacity building step in response to experiential knowledge of the shared technical operations of small organizations in addition to incident reports, emerging standards, current research and community feedback about the threats faced by non-profits' computer systems. The aim is to help organizations improve digital security levels by minimizing the easiest to exploit vulnerabilities in their systems to both avoid untargeted threats and their costs and disruption as well as raise the bar for targeted low-skill adversaries, so that space can be made for deeper analysis and organizational security efforts. In the process organizations get to build their "security practice muscles" by implementing new, constrained habits and practices. Building this foundational capacity is critical to taking on more advanced or disruptive security measures as the threat landscape changes. The public-health concept of harm reduction is a useful approach to any situation for which a perfect solution is not available. Despite being an incomplete solution, regular hand washing is an important part of limiting the risk of getting certain illnesses. Similarly a set of standard best practices represented by checklists cannot mitigate all risks, yet they can help protect you and your organization from some of the serious threats that come with using computers to manage your information. These checklists are meant as a starting point in understanding and responding to the most basic threats computer users face today. They are a necessary first step to secure our movements. They are not sufficient for those of us working in extremely hostile environments, for instance against highly repressive regimes and in risky areas like conflict journalism; in no case should they be a substitute for a more aggressive security response where significant risks of bodily harm, long term detention and death exist. 
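Review bot: the new sentence `The aim is to help organizations improve digital security levels by minimizing the easiest to exploit vulnerabilities in their systems to both avoid untargeted threats and their costs and disruption as well as raise the bar for targeted low-skill adversaries` mixes `both ... and` with `as well as` and runs on. Suggest: `The aim is to help organizations improve digital security by minimizing the easiest-to-exploit vulnerabilities in their systems, both to avoid untargeted threats (with their costs and disruption) and to raise the bar for low-skill targeted adversaries, so that space can be made for deeper analysis and organizational security efforts.` The rest of the hunk only changes `—` to spaced ` — `, which is fine but unrelated to the substantive edit and could go in its own commit.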
@@ -42,7 +42,7 @@ It is also important to recognize that security and convenience are generally at Due to the variety of threats, vulnerabilities, and adversaries that arise in different contexts of geopolitics and scale, the recommendations in these checklists apply only to organizations meeting the following criteria: -- The organization has one or more primary locations in the United States. Any office network that allows staff computers to connect to each other, internal services and the Internet is trusted and assumed to be free from outside interference and is segmented from the open Internet or hosting organizations' networks by a well configured firewall device running up-to-date software. +- The organization has one or more primary locations in the United States. Any office network that allows staff computers to connect to each other, internal services and the Internet is trusted and assumed to be free from outside interference and is segmented from the open Internet by a well configured firewall device running up-to-date software. - The organization can successfully protect physical access to its office spaces and office network equipment. 
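Review bot: dropping `or hosting organizations' networks` from the firewall requirement silently weakens a scope assumption, and nothing in the hunk or the commit explains why. The threat model added in this same patch states that networks used to reach the Internet `MAY also be used by other organizations and the public -- including potential Adversary`, so an office LAN inside a fiscal sponsor's or shared building's network still needs to be segmented from that host network by the firewall for the checklists to apply. Keep the phrase, or state the reason for removing it.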
@@ -52,7 +52,7 @@ recommendations in these checklists apply only to organizations meeting the foll - Although the organization may communicate with partners abroad, its staff do not cross international borders while carrying the organization's equipment or data nor regularly work in a foreign country. -- The organization is broadly seeking to protect itself from security threats from non-persistent general adversaries with limited resources (e.g., disgruntled individuals, identity thieves, political opponents, internal threats) rather than the U.S. government, other governments or other large global entities including multinational corporations. +- The organization is broadly seeking to protect itself from security threats from non-persistent adversaries with limited resources (e.g., disgruntled individuals, identity thieves, political opponents, internal threats) rather than the U.S. government, other governments or other large global entities including multinational corporations. If these assumptions don't apply to you, these recommendations are inadequate; a more rigorous information security approach, in partnership with a provider of professional security services, is strongly recommended. [Contact RoadMap]("mailto:info@roadmapconsulting.org") or [Information Ecology](https://iecology.org/contact) for help or referrals. diff --git a/2_readiness_assessment_tool.md b/2_readiness_assessment_tool.md index d2a6681c278fede11ff6a2bbb0b3fd7b1ed61e47..62f78f5be9808c5b3ad7c6aec80e0fb34d902bfe 100644 --- a/2_readiness_assessment_tool.md +++ b/2_readiness_assessment_tool.md 
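Review bot: the wording change (dropping `general`) is fine, but the adjacent `[Contact RoadMap]("mailto:info@roadmapconsulting.org")` has a double-quoted destination, which renders as an href containing literal quote characters rather than a mailto link; remove the quotes while this paragraph is being touched, matching the unquoted `[Information Ecology](https://iecology.org/contact)` beside it.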
@@ -55,10 +55,10 @@ Subtotal, Technical Operations: ____ Score: ____ **Have a process for properly onboarding and offboarding staff and volunteers that includes attention to your information systems.** *The expansion or contraction of your team is a critical change in your security context, and so is an important moment to institute strong security measures. Your onboarding process should include detailed steps for the creation of accounts and instructions on how to determine and grant the correct and minimum permissions needed for that person's role. When a staff member or volunteer departs, ensure that any of the organization's data that is on their personal or work devices is copied and/or destroyed as necessary. Also at offboarding, all individual accounts belonging to the outgoing person should be deleted and any organizational passwords that they used or accessed in their work should be changed to something new.* -Score: ____ **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are only running the programs you expect them to by detecting and removing malware, viruses, or other intrusive software.** +Score: ____ **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are only running only the software expected, and only the most recent version of those programs. Have a plan to detect and remove malware, viruses, or other intrusive software and run update tools regularly.** *As a digital security first step, ensure you are running antivirus software on all computers. Antivirus software for Macs and Windows computers is available to non-profits at a discounted rate through [Tech Soup](http://techsoup.org). 
If you haven't been running antivirus software or otherwise aren't sure about the status of your devices, you can have the operating system (OS) on them reinstalled to help guarantee the computers are free of malware and viruses. This is one benefit of adopting "cloud"-based tools for your organization's information, in that your data is readily available on a freshly installed system.* -*When reinstalling, use a copy from the OS provider wherever possible. Computer manufacturers often bundle other software in their installs, which may impact privacy and security but may also contain specific tools for the hardware (especially in laptops).* +*When reinstalling, use a copy from the OS provider wherever possible. Computer manufacturers often bundle other software in their installs, which may impact privacy and security but may also contain specific tools for the hardware (especially in laptops). Immediately after installation of the operating system and common software tools, run software updates for both the operating system and, where needed, the other software you have installed. Run these update tools regularly.* *Note that there are other ways in which your devices can be compromised at a level underneath the operating system; this cannot be remedied by an OS reinstall. If your computers have been handled by third parties you don't trust or out of your possession in a hostile environment, or if you suspect intrusion by powerful or well-resourced entities, get a new computer and call a security professional.* diff --git a/README.md b/README.md index 2e17798c9b513c14a854f995e81ba32d08adc786..ba08492b112176d4804371ffc9194e33033c5701 100644 --- a/README.md +++ b/README.md 
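Review bot: the new checklist heading reads `are only running only the software expected`, a doubled `only`, and `only the most recent version of those programs` overstates what the body asks for, which is running update tools regularly rather than tracking the newest release of everything. Suggest `are running only the software you expect, kept current with security updates.` The added sentence about running updates immediately after a reinstall could also tell the reader to turn on automatic updates wherever the operating system or application offers them, since the readiness tool elsewhere assumes limited staff time for technical upkeep.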
@@ -4,6 +4,8 @@ The documents in this repository comprise a set of digital security checklists f This document set includes [a tool](2_readiness_assessment_tool.md) for assessing an organization's existing capacities and areas to develop in order to successfully take on this type of work which is recommended as a first step for all organizations. Additional documents represent framing information and a glossary both of which are also recommended for all users of these checklists wishing to understand how to use them. This content is released under a [Creative Commons Attribution-Share Alike License](https://creativecommons.org/licenses/by-sa/4.0/) and can be remixed, translated or amended freely as long as shared in turn and original documents attributed to Information Ecology. +We have added a narrative [Assumed Threat Model](A_threat_model.md) as an appendix to this document set for technical readers' reference. Recommendations are not annotated with specific threats mitigated at this time, but a technical support professional can help match assumed adversary capabilities with recommendations. + **These documents are not considered appropriate for use in other countries or in contexts beyond what is named in the [Introduction](1_checklist_introduction.md) without a thorough review and update to reflect conditions in that environment. It is not our fault if you do not heed this important concern, but would be happy to support anyone wishing updating the content in this way. [Contact us?](https://iecology.org/contact)** 
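Review bot: the added paragraph links to A_threat_model.md, but this patch only deletes 10_threat_model.md and adds no file under the new name; verify the rename actually landed before merging, or the README link is dead. While this section is being edited, the trailing context `would be happy to support anyone wishing updating the content in this way` should read `would be happy to support anyone wishing to update the content in this way`.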
@@ -35,6 +37,9 @@ A checklist to help you setup and use the security controls in Google's domain b 9. [Glossary](7_glossary.md) A glossary defining the technical terms used in these documents in as non-technical language as possible +10. Appendix A: [Assumed Threat Model](A_threat_model.md) +A narrative threat model describing the expectations of operating environment, end user capabilities and adversary capabilities for use by technical readers and technical support personnel. + ## Finally... These documents could not exist without the support of a large group of readers, whose technical and operational peer review and feedback tuned these document, as well as the financial support of [RoadMap Consulting](https://roadmapconsulting.org) with whom we are actively using these as a tool to support our clients and communities.
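Review bot: the numbered list gains item 10 for the appendix while the file itself moves from the numeric prefix used by every other document (it was 10_threat_model.md) to A_threat_model.md; pick one scheme, either keep the 10_ filename to match its list position or present it as `Appendix A` outside the numbered list, so the filename and the index stay in step. The trailing context also has `tuned these document`, which should be `tuned these documents`.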