Digital Risk Assessment Basics Daniel Ó Clunaigh

Post on 17-Dec-2015

TRANSCRIPT

  • Digital Risk Assessment Basics

    Daniel Ó Clunaigh

  • Risk Assessment?

    Humans are natural security analysts. We carry out risk assessment all the time.

    Nobody is entirely without security measures. Everyone has some instinctive knowledge of this.

    Risk assessment helps us to be more organised about it, identify gaps and take more adequate measures.

    It's a process, rather than an activity, to weave into your strategic planning.

    It's hard to be objective: our perception can be challenged by stress, fear, tiredness, trauma, and lack of information.

  • Digital Risk Assessment?

    What? Integral part of overall risk assessment. Identifying potential threats to our sensitive digital data in a given context.

    Why? To identify the most appropriate means of protecting our data in a given context.

    How? Regularly updated research, monitoring and analysis, documentation according to your own preference. Key tool: Information Map

    When? Ideally, constantly. At least calmly before new activities. Challenges: No evolutionary instinct for digital threats.

    Perception is challenged!

  • Definition of Terms

    Threat: a potentially harmful occurrence

    Risk: a calculation of the probability and potential impact of a given threat

    Capacities and vulnerabilities: our characteristics, resources, etc. which increase or reduce risk

  • Key tool: Information Map

    A first step in taking more control of your information is to understand what it is, where it is, how it moves, and who can access it.

    Establish & maintain a register of potential threats to your information

    Establish best ways to protect your information

    Update regularly

  • Steps of Risk Assessment

    Situational analysis: Political, Economic, Social, Technological, Legal, Environmental

    Identifying your vision and activities

    Actor mapping: Allies, adversaries, neutral parties

    Information mapping: What information, where stored, and how used?

    Security indicators: Precedents & incidents which indicate a change in the security situation

    Identifying threats: Potentially harmful occurrences

    Analysing threats: probability and impact

    Our existing practices, capacities vs. gaps and vulnerabilities

    Identifying strategies, tools & tactics

  • Overview of steps

    What information I have, and how sensitive?

    Technological trends in socio-political context?

    Actors: Who can access data?

    Incidents: What are the indicators/precedents?

    So, what are the threats? (Their probability and impact)

    Take measures for protecting data: reduce vulnerabilities, build capacities = reduce risk

  • Information Map 1: Information At Rest

    Information which is stored on hard drives, USB keys, DVDs, servers, mobile phones

    What information? How sensitive is it?

    Where is it stored?

    Who can access it and how? (incl. potential adversaries)

    Policy: How to protect it? (e.g. hygiene, password, backup, periodic deletion, encryption...)

  • Information Map 2: Information in Motion

    Information which 'travels' through digital channels like the Internet or mobile network (web browsing, emails, chats, phone calls, text messages, metadata...)

    What information? How sensitive is it?

    How does it travel (physical and geographical)?

    Who can access it and how?

    Policy: How to protect it? (VPNs, Tor, end-to-end encryption...)
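    The steps above (actor mapping, information mapping, analysing threats by probability and impact, finding gaps) and the two information-map slides describe one register. The following is an added example, not code from the talk or its author: a minimal information map in Python using the deck's own terms. The 1..5 scales, the owner name "me", and every register entry are constructed sample data.

```python
# Added example, not from the slides: a small information map / risk register.
# It encodes the deck's own terms: an information asset (at rest or in motion),
# who can access it, the threats against it, and a protection policy. Risk is
# scored as probability x impact, as the deck defines it. The scales (1..5) and
# every register entry below are constructed sample data.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Threat:
    description: str
    probability: int  # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int       # 1 = negligible .. 5 = severe (assumed scale)

    @property
    def risk(self) -> int:
        # The deck's definition: risk combines probability and impact.
        return self.probability * self.impact


@dataclass
class InfoAsset:
    name: str
    state: str                    # "at_rest" or "in_motion"
    sensitivity: int              # 1 .. 5 (assumed scale)
    location: str                 # where it is stored, or which channel it travels over
    accessors: List[str]          # who can access it, including potential adversaries
    threats: List[Threat] = field(default_factory=list)
    policy: Optional[str] = None  # how it is protected; None means no policy yet


def highest_risk(asset: InfoAsset) -> int:
    """Score of the most serious threat recorded against this asset (0 if none)."""
    return max((t.risk for t in asset.threats), default=0)


def prioritise(assets: List[InfoAsset]) -> List[InfoAsset]:
    """Order the register so the riskiest, most sensitive assets come first."""
    return sorted(assets, key=lambda a: (highest_risk(a), a.sensitivity), reverse=True)


def gaps(assets: List[InfoAsset]) -> List[str]:
    """Names of assets that face a recorded threat but have no protection policy."""
    return [a.name for a in assets if a.policy is None and highest_risk(a) > 0]


def external_accessors(asset: InfoAsset, allies: List[str]) -> List[str]:
    """Accessors that are neither the owner ("me") nor a listed ally (actor mapping)."""
    trusted = {"me", *allies}
    return [who for who in asset.accessors if who not in trusted]


# Constructed sample register (illustrative, not a real organisation's data).
SAMPLE_REGISTER = [
    InfoAsset("Source contact list", "at_rest", 5, "laptop hard drive",
              ["me", "whoever takes the laptop"],
              [Threat("laptop stolen or seized", 3, 5)],
              policy="full-disk encryption, encrypted offline backup"),
    InfoAsset("Interview notes", "in_motion", 4, "email sent over public wifi",
              ["me", "email provider", "network operator"],
              [Threat("interception in transit", 4, 4)]),
    InfoAsset("Published press releases", "at_rest", 1, "public website",
              ["everyone"], [Threat("website defacement", 2, 1)],
              policy="regular backup"),
]

if __name__ == "__main__":
    for asset in prioritise(SAMPLE_REGISTER):
        print(f"{highest_risk(asset):>3}  {asset.state:<9} {asset.name}")
    print("gaps:", gaps(SAMPLE_REGISTER))
```

    Running it lists the interview notes first (risk 16, no policy) ahead of the encrypted contact list (risk 15), which is the point of the register: the gap is the unprotected data in motion, not the most sensitive file. Re-scoring the entries when the situation changes is the "update regularly" step from the deck.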

  • Essential Knowledge & Resources

    How digital data is stored

    How data is transferred online

    How mobile phones store & communicate data

    Metadata essentials

    Who are your service providers? What is their relationship to your allies, sources, potential adversaries?

    Sources of info on data industry & surveillance: Citizen Lab, Privacy International, Tactical Tech, others.

  • Sharing Indicators and Incidents

    Communities and support organisations can be a great source of information

    Security indicators: anything out of the ordinary that may have an effect on my security

    Sharing helps to identify patterns

    Analysing together helps to tune perception & make decisions

    Get to know your devices: establish a baseline and check regularly for anything unusual.
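    One concrete way to "establish a baseline and check regularly", as an added example that is not part of the talk: record a digest of every file under a directory once, keep that record somewhere the device cannot quietly rewrite, and later compare a fresh snapshot against it. The directory layout, file names and contents in `demo()` are constructed so the block runs offline; `helper.bin` and `settings.ini` are invented sample names.

```python
# Added example, not from the slides: a file baseline for "get to know your
# devices". snapshot() records a SHA-256 digest for every file under a
# directory, save_baseline/load_baseline keep that record, and compare()
# reports what has been added, removed or changed since. demo() runs it
# against a constructed temporary directory so the block works offline.
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def save_baseline(snap, baseline_file):
    """Persist a snapshot as JSON; keep this file off the device being checked."""
    Path(baseline_file).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Differences between a stored baseline and a fresh snapshot."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed 'device' directory, baseline it, alter it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "device"
        (root / "config").mkdir(parents=True)
        (root / "config" / "settings.ini").write_text("autostart=off\n")
        (root / "notes.txt").write_text("baseline notes\n")
        # The baseline lives beside, not inside, the directory it describes.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Later check: a setting flipped, a new file appeared, a file disappeared.
        (root / "config" / "settings.ini").write_text("autostart=on\n")
        (root / "helper.bin").write_bytes(b"constructed sample content")
        (root / "notes.txt").unlink()
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    The output of `demo()` is the kind of "anything unusual" the slide asks you to look for: one setting changed, one unknown file added, one file gone. What counts as unusual still needs the human judgement the deck describes; the script only makes the comparison reliable and repeatable.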

  • You, your communities, your sources

    Threats are often shared between human rights defenders and the communities they work with

    Similarly threats are often shared between journalists and their sources

    You may create and exchange sensitive data together

    You may be linked by metadata (communication)

    They may have threats that you don't: be prepared to go beyond your context, into theirs.

  • Useful Resources

    Risk Analysis (generally)

    Front Line Defenders, Workbook on Security for Human Rights Defenders: https://www.frontlinedefenders.org/files/workbook_eng.pdf

    Protection International, New Protection Manual for Human Rights Defenders: http://protectioninternational.org/publication/new-protection-manual-for-human-rights-defenders-3rd-edition/

    Digital Security Risk Assessment (overview)

    Security in a Box Community Focus: https://securityinabox.org/en/lgbti-africa/security-risk

    Sources of Information

    Security in a Box: https://securityinabox.org

    Trackography: https://trackography.org

    Me and My Shadow: https://myshadow.org

    Citizen Lab: https://citizenlab.org

    Privacy International: https://privacyinternational.org
