Threat analysis - Information Mapping I

From Gender and Tech Resources

Title of the tutorial Information Mapping Part 1
Kind of learning session Holistic
Tutorial category Discussion
Duration (hours) 90m
"m" can not be assigned to a declared number type with value 90.
Learning objectives To understand the importance of information as an asset which is valuable to ourselves, our allies and our adversaries and as a resource one can establish reasonable control over.

To mapp sensitive information managed in the context of work and its characteristics.

Prerequisites This session preceed session of Information Mapping II.
Methodology [[Methodology::Methodology

Activity 1: Mapping Information At Rest (30 minutes)

Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

Step 1: Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff: Computer hard drives; USB flash drives, external hard drivesCDs & DVDs (and BDs); our email inbox, the Cloud: Dropbox, Google Drive, SkyDrive, etc ; Physical copies (or “hard copies”) in the office; Multimedia: Video tapes, audio recordings, photographs, etc.

Step 2: Add these titles to the sheet or whiteboard and construct a matrix around them. Then elicit from participants what type of information or data they have in each of these places. For example:Email, Contact details, such as a member database, Reports/research, Accounts/spreadsheets, Videos, Images, Private messages on Facebook, etc. To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky ([preferably one of a different color) and put it wherever they keep the duplicate. You can use this moment to teach the difference between master copies and duplicates. Repeat this process with another example, hopefully provided by a participant.

Step 3: Give participants stickies and ask them to consider the different data they have on each of the devices identified. The level of detail can be defined themselves – depending on the level of trust in the group. However they should be detailed enough to distinguish between different levels of sensitivity, e.g. “interviews” vs. “interviews with victims”. Ask participants to place their stickies on the information map.

Discussion (5 minutes)

Ask participants for any observations they have about the information map. Questions might include: Is there a large dependence on one device or another? Is much of the information online? If so, on whose property is it being stored?

Input: Threats to Information at rest (15 minutes)

1. This is just a beginning of an information map. It would be almost impossible to map all the data around us, but we can consider the things we consider most important and sensitive. Ask participants if they have ever experienced data loss and if so, how it happened.

2. Remove all the stickies from one of the columns (such as computer hard-drive) and throw them on the floor. Explain that this is essentially what happens – suddenly the copies in other locations are all we are left with. There are many things that can cause data loss – it is not a question of if, but of when it happens. How can we protect ourselves from this shocking moment?

3. Remove one sticky from another column, such as mobile phone or email. Ask participants, what happens if I can access this, just take it and read it? How would you protect this data?

As you go through the above, on a flipchart, write the primary threats to information at rest: Data loss / Malware infection/ Unauthorised access and surveillance. And the basic ways of protecting it: Backup, Anti-virus / Good hygiene practices, Passwords, Secure deletion,Encryption.

Deepening: Written information map (30 minutes)

Give participants a written information map printout and 20 minutes to begin filling it in. Group them according to whatever is most useful: if they are from the same organisation, perhaps according to the organisational structure. If they are mixed, then by organisation or individually. When time is up, ask for reflections from participants.


Information is one of our most important assets, it often has a lot to do with our allies, and is of great interest to our adversaries, who want to gather as much information about us as possible.

Information is not only at risk when it is at rest, but also as it moves through electronic channels, as explored in the next exercise.]]

Number of facilitators involved 1
Technical needs Flipchart, sticky notes, pens, markers, comic timing
Theoretical and on line resources Holistic Security Guide

Security in a Box.