For my dissertation, I'm arguing that we should be able to formally model and analyze human mental models to find unanticipated problems in computer security. But what does that mean and why does it matter?

If organizations would just stop using Windows XP and patch their software, WCry wouldn't have been an issue. Unfortunately, that's often easier said than done for safety-critical systems built with now-retired software.

Depending on user needs, an actual "password book" might not be a bad idea. It's certainly better than rampant password reuse.

Everyone should have a threat model, but a bit of thought should go into calibration. Make sure your model is appropriate and that your opsec follows from it.