
Digital Risk Assessment

Basics

Daniel Clunaigh

Risk Assessment?

Humans are natural security analysts. We carry out risk assessment all the time.
Nobody is entirely without security measures. Everyone has some instinctive knowledge of this.
Risk assessment helps us to be more organised about it, identify gaps and take more adequate measures.
It's a process, rather than an activity, to weave into your strategic planning.
It's hard to be objective: our perception can be challenged by stress, fear, tiredness, trauma, and lack of information.

Digital Risk Assessment?

What? Integral part of overall risk assessment. Identifying potential threats to our sensitive digital data in a given context.
Why? To identify the most appropriate means of protecting our data in a given context.
How? Regularly updated research, monitoring and analysis, documentation according to your own preference. Key tool: Information Map.
When? Ideally, constantly. At least calmly before new activities.
Challenges: No evolutionary instinct for digital threats. Perception is challenged!

Definition of Terms

Threat: a potentially harmful occurrence
Risk: a calculation of the probability and potential impact of a given threat
Capacities and vulnerabilities: our characteristics, resources etc. which increase or reduce risk

Key tool: Information Map

A first step in taking more control of your information is to understand what it is, where it is, how it moves, and who can access it.

Establish & maintain a register of potential threats to your information

Establish best ways to protect your information

Update regularly

Steps of Risk Assessment

Situational analysis: Political, Economic, Social, Technological, Legal, Environmental

Identifying your vision and activities

Actor mapping: Allies, adversaries, neutral parties

Information mapping: What information, where stored, and how used?

Security indicators: Precedents & incidents which indicate a change in the security situation

Identifying threats: Potentially harmful occurrences

Analysing threats: probability and impact

Our existing practices, capacities vs. gaps and vulnerabilities

Identifying strategies, tools & tactics

Overview of steps

What information I have, and how sensitive?

Technological trends in socio-political context?

Actors: Who can access data?

Incidents: What are the indicators/precedents?

So, what are the threats? (Their probability and impact)

Take measures for protecting data: reduce vulnerabilities, build capacities = reduce risk

Information Map 1: Information At Rest

Information which is stored on hard drives, USB keys, DVDs, servers, mobile phones

What information?

How sensitive is it?

Where is it stored?

Who can access it and how? (incl. potential adversaries)

Policy: How to protect it? (e.g. hygiene, password, backup, periodic deletion, encryption...)

Information Map 2: Information in Motion

Information which 'travels' through digital channels like the Internet or mobile network (web browsing, emails, chats, phone calls, text messages, metadata...)

What information?

How sensitive is it?

How does it travel (physical and geographical)?

Who can access it and how?

Policy: How to protect it? (VPNs, Tor, end-to-end encryption...)
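The two Information Map slides above and the earlier definition of risk (probability and impact of a threat, raised by vulnerabilities and lowered by capacities) can be worked through as a small register. The following is an added example, not part of the original deck; the 1..5 scales, the scoring convention (probability times impact, then plus one per vulnerability and minus one per capacity) and the sample assets and threats are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List

# Assumed scale for this example: 1 (lowest) .. 5 (highest) for sensitivity,
# probability and impact. The deck does not prescribe a scale.


@dataclass
class InfoAsset:
    name: str
    state: str                 # "at rest" or "in motion" (the deck's two maps)
    sensitivity: int           # 1 public .. 5 could endanger someone
    location: str              # where stored, or which channel it travels over
    who_can_access: List[str]  # including potential adversaries
    policy: str = ""           # protection measures; empty string = no policy yet


@dataclass
class Threat:
    description: str
    asset: str                 # name of the InfoAsset concerned
    probability: int           # 1 .. 5
    impact: int                # 1 .. 5
    vulnerabilities: int = 0   # factors that raise the risk for this threat
    capacities: int = 0        # factors that lower the risk for this threat


def risk_score(t: Threat) -> int:
    """Assumed convention (not the deck's): probability x impact,
    +1 per vulnerability, -1 per capacity, clamped to 1..25."""
    base = t.probability * t.impact
    return max(1, min(25, base + t.vulnerabilities - t.capacities))


def rank_threats(threats: List[Threat]) -> List[Threat]:
    return sorted(threats, key=risk_score, reverse=True)


def assets_without_policy(assets: List[InfoAsset], min_sensitivity: int = 3) -> List[str]:
    """Sensitive assets whose 'Policy: how to protect it?' line is still blank."""
    return sorted(a.name for a in assets
                  if a.sensitivity >= min_sensitivity and not a.policy.strip())


def assets_without_threats(assets: List[InfoAsset], threats: List[Threat],
                           min_sensitivity: int = 3) -> List[str]:
    """Sensitive assets for which no threat has been written down yet."""
    covered = {t.asset for t in threats}
    return sorted(a.name for a in assets
                  if a.sensitivity >= min_sensitivity and a.name not in covered)


def assess(assets: List[InfoAsset], threats: List[Threat]) -> dict:
    """One pass over the register: ranked threats plus the two kinds of gap."""
    return {
        "ranked": [(t.description, risk_score(t)) for t in rank_threats(threats)],
        "no_policy": assets_without_policy(assets),
        "no_threats_listed": assets_without_threats(assets, threats),
    }


# Constructed sample register (not real data).
SAMPLE_ASSETS = [
    InfoAsset("source contact list", "at rest", 5, "laptop hard drive",
              ["me", "anyone with physical access"], "full-disk encryption, encrypted backup"),
    InfoAsset("draft report", "at rest", 4, "USB key", ["me", "office visitors"]),
    InfoAsset("donor spreadsheet", "at rest", 4, "cloud drive", ["me", "provider"], "strong password"),
    InfoAsset("interview chats", "in motion", 5, "mobile network / chat app",
              ["me", "source", "network operator"], "end-to-end encryption"),
    InfoAsset("public blog posts", "in motion", 1, "website", ["everyone"]),
]

SAMPLE_THREATS = [
    Threat("USB key with draft lost or seized", "draft report", 3, 4, vulnerabilities=2),
    Threat("laptop searched at a border crossing", "source contact list", 2, 5, capacities=3),
    Threat("chat metadata retained by operator", "interview chats", 4, 3, vulnerabilities=1, capacities=1),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_ASSETS, SAMPLE_THREATS).items():
        print(key, value)
```

Running it ranks the unencrypted USB key first and flags two gaps the slides ask about: a sensitive asset with no protection policy written down, and a sensitive asset for which nobody has yet listed a threat at all. Both are the "identify gaps" output the deck describes, and both disappear only when the register is updated, which is why it has to be revisited regularly.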

Essential Knowledge & Resources

How digital data is stored

How data is transferred online

How mobile phones store & communicate data

Metadata essentials

Who are your service providers?

What is their relationship to your allies, sources, potential adversaries?

Sources of info on data industry & surveillance: Citizen Lab, Privacy International, Tactical Tech, others.

Sharing Indicators and Incidents

Communities and support organisations can be a great source of information.
Security indicators: anything out of the ordinary that may have an effect on my security.
Sharing helps to identify patterns.
Analysing together helps to tune perception & make decisions.
Get to know your devices: establish a base-line and check regularly for anything unusual.
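One concrete way to "establish a base-line and check regularly" on a device is a file-integrity snapshot: record a hash of every file once, then compare later snapshots against it. This is an added example, not the deck's own material; the directory layout, file names and the "later" changes are constructed inside a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, target: Path) -> None:
    # Keep the baseline outside the watched tree, ideally on separate media.
    target.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(target: Path) -> dict:
    return json.loads(target.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Anything out of the ordinary: files added, removed, or whose content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate what a later check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "device"
        (root / "config").mkdir(parents=True)
        (root / "config" / "app.conf").write_text("autostart=no\n")
        (root / "notes.txt").write_text("first draft\n")
        (root / "old.log").write_text("nothing here\n")

        store = Path(tmp) / "baseline.json"      # stored beside, not inside, the tree
        save_baseline(build_baseline(root), store)

        # Later: one file edited, one new file appeared, one file vanished.
        (root / "config" / "app.conf").write_text("autostart=yes\n")
        (root / "helper.bin").write_bytes(b"constructed sample payload")
        (root / "old.log").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report is the indicator, not the verdict: a changed config file may be a routine update or may be the first sign of something that belongs in the shared incident log. Judging which is exactly the "analysing together" step the slide describes.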

You, your communities, your sources

Threats are often shared between human rights defenders and the communities they work with.
Similarly, threats are often shared between journalists and their sources.
You may create and exchange sensitive data together.
You may be linked by metadata (communication).
They may have threats that you don't: be prepared to go beyond your context, into theirs.

Useful Resources
Risk Analysis (generally)

Front Line Defenders, Workbook on Security for Human Rights Defenders
https://www.frontlinedefenders.org/files/workbook_eng.pdf

Protection International, New Protection Manual for Human Rights Defenders
http://protectioninternational.org/publication/new-protection-manual-for-human-rights-defenders-3rd-edition/

Digital Security Risk Assessment (overview)

Security in a Box Community Focus https://securityinabox.org/en/lgbti-africa/security-risk

Sources of Information

Security in a Box: https://securityinabox.org

Trackography: https://trackography.org

Me and My Shadow: https://myshadow.org

Citizen Lab: https://citizenlab.org

Privacy International: https://privacyinternational.org
