Computer Security Mental Model
Mental Model Overview
For computer security it is crucial to have a rough overview mental model on how the computer works on a technical level that approximates how the computer is really technically functioning.
A lot of program code from various sources runs on the computer. Some from necessarily trusted  vendors. Other from less trusted or untrusted sources. This is required to provide useful functionality for general computing. 
- When a computer is fully powered off, previously has had no battery and no power cord connected, when powering on the first thing that happens is the hardware initialization which is invisible to the user.
- The first visible thing the user can see during the boot process is the BIOS. It is an essential skill that the user can visually recognize the BIOS.
- The next thing the user can see is the bootloader such as for example grub on Linux.
- Skipping intermediary steps  the next thing the most users will usually see is the operating system desktop environment.
- The hardware, BIOS is ultimately trusted. 
- The operating system is highly trusted.  
- Less trusted are applications such as web browsers for example, Firefox, Chrome or Tor Browser.
- Least trusted are contents shows by applications such as a website in a web browser.
Therefore it is important to know which program code (application or program) usually has which permission to draw windows in which place.
The following image is legitimate.
Figure: Virtual Box Virtual Machine showing Whonix ™ Xfce with Tor Browser showing the duckduckgo Website
The following image is an example of a scam. It is showing the Windows operating system running the Internet Explorer application viewing the
systembrowsing.com scam popup 
With the proper mental mental the
systembrowsing.com is easily detected. That is, because
systembrowsing.com is just a website inside the browser window. In most cases
It is important to mentally box the different parts.
- operating system:
The image must not be viewed as a unified whole. Just because it is written there it does not mean it is the truth. It is just text shown on a website. The source of the message is the website. The browser is just the messenger. And the operating system, computer display the final message destination. The message is not generated by a virus scanner.
When seeing messages on websites such as saying "Warning, your computer is infected with a virus." it is very most likely a lie. It might be the case for unrelated reasons (previous malware infection) but the website will be unaware of it. The website's only permission is to show text, images or audio in the web browser. A website cannot detect viruses.  Web browsers are web browsers, not virus scanners. A web browser is neither designed, nor supposed to scan for viruses. If that was the case, that would be well documented.
On the contrary, scam websites resorting to such tactics usually do not posses the skill to exploit vulnerabilities in web browsers or operating systems. If an attackers has such skills, they could just compromise the victim's computer. In that case, the attacker does not need to instruct the user to compromise oneself. If the user remains skeptical about such messages, researches and possibly taking independent advice before proceeding, the user will very most likely stay safe from such attacks. Many security compromises happen only because users are following instructions by attackers.
While users must trust their operating system and less so their application, they must be absolutely skeptical about everything any website is saying.
Users who do not understand this concept remain highly vulnerable to all sorts of scams.
When seeing any information, text, audio or image shown by the computer, the user should ask oneself the following questions:
- Which program code is likely generating this message?
- Which program code is likely drawing this (part of this) window?
- Does this application have access to this information?
- How does this application have access to this information? 
This model is not only useful to avoid scams but also to diagnose, fix issues.
Learning about the concepts documented on related wiki pages Social Engineering and (Spear) Phishing, Cryptocurrency Hardware Wallet: Threat Model and login spoofing might also deepen understanding of this topic.
The following image is legitimate. It is a screenshot of the ClamTK Virus Scanner.
Figure: ClamTK Virus Scanner 
These are real windows. The window decoration (minimize to tray, maximize, close buttons) as well as the window itself is drawn by the operating system. Responsible for the window title and content of the window is the application, ClamTK.
Some URLs in Firefox, Chrome and Tor Browser are special such as
about:preferences. Content of these is not generated by websites but by the browser itself.
When rebooting it is in theory not guaranteed that one will see the real BIOS. It is possible that the user is only presented a fake reboot, i.e. the real operating system keeps running normally but shows a graphical simulation of a full reboot sequence. There is no confirmation that this technique has ever been deployed in practice.
- Social Engineering and (Spear) Phishing
- Cryptocurrency Hardware Wallet: Threat Model
- Login Spoofing
- Trusted because one has to. No trusted because one wants to trust.
- In comparison to a for example classic washing machine (without internet, sophisticated, remote controls) where only trusted program code by the washing machine vendor is used to draw information on the display.
- On Linux such as kernel initialization, initramfs or dracut, systemd, single user mode.
- Unless there is hardware, firmware or BIOS level malware it is always possible to replace a compromised operating system with a clean operating system.
- Aside of compromise by malware.
- https://malwaretips.com/blogs/systembrowsing-com-removal/ [archive]
- Ignoring deprecated dangerous technologies such as Internet Explorer with ActiveX.
- For example nowadays browsers can ask for permission to use the Microphone or IP addresses can be used to determine the location of a user.