Difference between revisions of "Threat modeling the quick and dirty way"
From Gender and Tech Resources
m (→Step 1. Set up a table) |
m |
||
(37 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | [[File:Dystopia.gif|500px|thumb|right]] | ||
+ | |||
== Basic choreography == | == Basic choreography == | ||
+ | Steward Brand: Build a room | ||
+ | === Set up a table === | ||
+ | The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen). | ||
+ | |||
+ | === Fill in the table === | ||
+ | I recommend doing iterative brainstorming on "known and experienced threats" as initial filling of the first column in the table, before thinking about the other columns. | ||
+ | |||
+ | === Reorder the list according to your set of priorities === | ||
+ | Choose your ordering strategy carefully. Several strategies are possible. | ||
+ | * If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering. | ||
+ | * In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first. | ||
+ | * In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed [[scenario planning]] (food for thought) to find possible [[Threats, detection, protection and (counter) moves|threats and solutions]] overlooked (food for gut). | ||
+ | |||
+ | == Examples == | ||
+ | |||
+ | === Silicon Valley first world problems === | ||
− | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
! Threat !! Likelihood !! Impact !! Protection | ! Threat !! Likelihood !! Impact !! Protection | ||
|- | |- | ||
− | | Having to drink || | + | | Having to drink || medium || Developer will drop dead within a week, deadline will not be made. |
− | The human body needs water to survive. | + | The human body needs water to survive. The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat. |
− | + | ||
− | The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat. | + | |
|| * Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms | || * Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms | ||
|- | |- | ||
Line 24: | Line 39: | ||
|} | |} | ||
− | + | === Journalist, observer or sousveillant in europe === | |
− | + | A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data. | |
− | === | + | |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
+ | The below threats, if happens, make for loss of trust and reputation and that translates to loss of effectiveness as independent observer. | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
! Threat !! Likelihood !! Impact !! Protection | ! Threat !! Likelihood !! Impact !! Protection | ||
|- | |- | ||
− | | || || || | + | | Metanoia & Paranoia || low || Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. || * |
+ | |- | ||
+ | | Physical attacks || medium || Physical damage/intimidation | ||
+ | || | ||
+ | |- | ||
+ | | Arrest: That might include direct approaches such as intimidation and asking for information on sources. || medium || Physical danger to those sources.|| | ||
+ | |- | ||
+ | | Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/ | ||
+ | * Phishing | ||
+ | * Guess/hack password | ||
+ | * Metadata | ||
+ | * Mobile trail | ||
+ | || high || Intimidation/attack/imprisonment of sources. ||* | ||
+ | |- | ||
+ | | Correspondence with contacts includes all sorts of information that we do not want others to know about. | ||
+ | * Phishing | ||
+ | * Guess/hack password | ||
+ | || medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. | ||
+ | || ** | ||
+ | |- | ||
+ | | Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be a used to attack others in our "organisation", and access information we don’t directly hold. | ||
+ | * Phishing emails can be sent from our email or social media accounts to others. | ||
+ | * Passwords can be guessed. | ||
+ | || high || Followers on social media and people on mailinglists can get spammed. | ||
+ | || **** | ||
+ | |- | ||
+ | | All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others). | ||
+ | * Where are they? What forms do they have? Is there a security related documentation policy? Hey who is that man walking out the door with those files? | ||
+ | || medium || Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. | ||
+ | |||
+ | Intimidation/attack/imprisonment of sources. | ||
+ | || * | ||
+ | |- | ||
+ | | If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records. | ||
+ | * Metadata | ||
+ | * Computer forensics | ||
+ | || high || Intimidation/attack/imprisonment of sources. | ||
+ | || * | ||
+ | |- | ||
+ | | It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html || medium || Publication of hoax information on content management systems (the news website) and social media accounts | ||
+ | || *** | ||
+ | |- | ||
+ | | Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information. | ||
+ | || medium || Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. | ||
+ | || ** | ||
|} | |} | ||
− | |||
− | |||
− | |||
− | |||
== Related == | == Related == | ||
+ | * [[Timeline that is soooo 1984 ...]] | ||
* [[Timeline masters of the internet]] | * [[Timeline masters of the internet]] | ||
* [[Timeline merchants of death]] | * [[Timeline merchants of death]] | ||
− | * [[ | + | * [[Threats, detection, protection and (counter) moves]] |
− | + | ||
+ | == References == |
Latest revision as of 14:40, 9 October 2015
Contents
Basic choreography
Steward Brand: Build a room
Set up a table
The first column contains a short description of the threat, the second the likelihood of it occurring, the third what impact it would have if it did happen, and the fourth an assessment (grade) of the time and energy you would need to protect yourself from the threat (for instance you can have no stars denote that there is no protection from that threat, hence it will cost nothing (except for the cost of the impact if it did happen).
Fill in the table
I recommend doing iterative brainstorming on "known and experienced threats" as initial filling of the first column in the table, before thinking about the other columns.
Reorder the list according to your set of priorities
Choose your ordering strategy carefully. Several strategies are possible.
- If this is a learning experience or you are a fan of "only time for putting out fires" cultures, no need for ordering.
- In a low risk environment (no immediate death threats) an "on demand" strategy works well. In this strategy you can use "low hanging fruit" and set up protection for items with a big impact and/or high likelihood of occurrence first.
- In a high risk environment or if any of the items in the list of possible impacts reads " loss of life" or some life-altering experience or you have turned procrastination into an art, best choose an "anticipating strategy", meaning do more research and detailed scenario planning (food for thought) to find possible threats and solutions overlooked (food for gut).
Examples
Silicon Valley first world problems
Threat | Likelihood | Impact | Protection |
---|---|---|---|
Having to drink | medium | Developer will drop dead within a week, deadline will not be made.
The human body needs water to survive. The maximum time an individual can go without water seems to be a week — an estimate that would certainly be shorter in difficult conditions, like broiling heat. |
* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms |
Having to eat food | high | Developer will drop dead within three weeks, deadline will not be made.
A human can go for more than three weeks without food (Mahatma Gandhi survived 21 days of complete starvation) |
* Blend together half a gallon of water, three and a half tablespoons of macadamia nut oil and a 16-ounce bag of powder called Schmoylent. Then pour the beige beverage into jars and chill them before bringing the containers to work the next day http://timesofindia.indiatimes.com/tech/jobs/No-time-to-eat-Silicon-Valley-drinks-its-meals/articleshow/47424226.cms |
Needing sleep | high | Like breathing, sleep is essential to humans. It has even been said that one could survive three times longer without food than one could without sleep. One of the better known experiments on this subject, found that depriving rats entirely of sleep resulted in their death, or near-dying state, within 11-32 days (Everson et al. 1989). | ** No long term alternatives known, but the deadline is still four weeks off. We tried adding coffee and coke to the Schmoylent in the previous development cycle. |
Bathroom breaks | high | How many times do people go to the bathroom per day? Loads, and all those little breaks can add up to an hour or two per developer per day. | ***** Implanting stomata. Costly. Management has suggested we need more surveillance equipment to study the problem of the breaks. |
Journalist, observer or sousveillant in europe
A general counter strategy against police misconduct, abuse and brutality has been recording what happens during a protest. This of course, has gotten the police to target (citizen) journalists and observers overtly and covertly. And it is not just the police and government that are interested in us and our data.
The below threats, if happens, make for loss of trust and reputation and that translates to loss of effectiveness as independent observer.
Threat | Likelihood | Impact | Protection |
---|---|---|---|
Metanoia & Paranoia | low | Metanoia (safety delusion) makes us sitting ducks and paranoia renders us ineffective. | * |
Physical attacks | medium | Physical damage/intimidation | |
Arrest: That might include direct approaches such as intimidation and asking for information on sources. | medium | Physical danger to those sources. | |
Some contacts are named in reports, and some wish to remain anonymous. If we’re not careful, we might unintentionally disclose contact details or their location http://thenextweb.com/insider/2012/12/03/vice-leaves-metadata-in-photo-of-john-mcafee-pinpointing-him-to-a-location-in-guatemala/
|
high | Intimidation/attack/imprisonment of sources. | * |
Correspondence with contacts includes all sorts of information that we do not want others to know about.
|
medium | Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources. | ** |
Email, social media accounts, websites, communication tools, a pile of passwords. Our passwords may be a used to attack others in our "organisation", and access information we don’t directly hold.
|
high | Followers on social media and people on mailinglists can get spammed. | **** |
All work-in-progress, files and documents which we couldn’t publish for all sorts of reasons (space, legality, protection of others).
|
medium | Sensitive information can be accessed. This information can be used to try to coerce us into not releasing and/or publishing information. Can also be used for smear campaigns and to sue us or our sources.
Intimidation/attack/imprisonment of sources. |
* |
If we use computers in any way (including phones and even photocopiers) we can safely assume we are being recorded. Can lead to identification of sources through other data, our location, phone or email records.
|
high | Intimidation/attack/imprisonment of sources. | * |
It may not be our activities they are interested in, but our reach. An example of this was the Syrian Electronic Army targeting E! Online http://ohnotheydidnt.livejournal.com/77479774.html | medium | Publication of hoax information on content management systems (the news website) and social media accounts | *** |
Legal attacks include direct approaches such as subpoenas demanding that we reveal a source, or court orders to pass over footage, and increasingly might also include indirect approaches, to companies and organisations holding your information. | medium | Physical, social or economic danger to those sources, e.g. losing employment, losing privacy, criminal proceedings, assault. | ** |
Related
- Timeline that is soooo 1984 ...
- Timeline masters of the internet
- Timeline merchants of death
- Threats, detection, protection and (counter) moves