Difference between revisions of "Threat analysis - Digital Security Indicators"

From Gender and Tech Resources

 
(2 intermediate revisions by the same user not shown)
Line 4: Line 4:
 
|Tutorial category=Discussion
 
|Tutorial category=Discussion
 
|Duration (hours)=75m
 
|Duration (hours)=75m
|Learning objectives=To define and explore security indicators in their current situation. To know best practices around sharing and analysis of security indicators.
+
|Learning objectives=To define and explore security indicators in their current situation.  
 +
To know best practices around sharing and analysis of security indicators.
 
|Prerequisites=Ideally, output from Situational Analysis exercise.
 
|Prerequisites=Ideally, output from Situational Analysis exercise.
A safe and trusting environment must be created wherein people are not blamed for things they are perceived to have not done correctly or not been aware of. If necessary, you cn introduce tools for non-violent communication in order to facilitate sharing of security indicators.
+
 
 +
A safe and trusting environment must be created wherein people are not blamed for things they are perceived to have not done correctly or not been aware of. If necessary, you can introduce tools for non-violent communication in order to facilitate sharing of security indicators.
 
|Methodology=Methodology
 
|Methodology=Methodology
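Review bot: The context line "|Duration (hours)=75m" is left unchanged in this hunk, but the field is declared in hours and the rendered page reports: "m" can not be assigned to a declared number type with value 75. Suggest giving a plain number in hours (1.25) while this part of the template is being edited.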
  
Line 12: Line 14:
  
 
Give participants a scenario or series of scenarios wherein a HRD identifies security indicators and takes decisions which keep them safer. Example:
 
Give participants a scenario or series of scenarios wherein a HRD identifies security indicators and takes decisions which keep them safer. Example:
 +
 
''We noticed taxis started parking outside our office. Staff would often take these taxis rather than going to the nearest taxi rank as usual. The taxi drivers started conversations with the passengers, asking what they had been doing that day. Our organisation regularly met with other organisations to discuss their work and security issues. At the next meeting, we mentioned this security incident. Members of the other organisations present then realised that taxis had also started parking outside their offices too. We concluded that the authorities were either using taxi drivers to collect information on us, or had planted security personnel as taxi drivers. Our organisations then decided that the safest response would be to pretend we had not noticed , but we warned the staff not to say anything about their work in the taxis but instead to chat about harmelss issues.''
 
''We noticed taxis started parking outside our office. Staff would often take these taxis rather than going to the nearest taxi rank as usual. The taxi drivers started conversations with the passengers, asking what they had been doing that day. Our organisation regularly met with other organisations to discuss their work and security issues. At the next meeting, we mentioned this security incident. Members of the other organisations present then realised that taxis had also started parking outside their offices too. We concluded that the authorities were either using taxi drivers to collect information on us, or had planted security personnel as taxi drivers. Our organisations then decided that the safest response would be to pretend we had not noticed , but we warned the staff not to say anything about their work in the taxis but instead to chat about harmelss issues.''
  
Example from the Front Line Defenders Workbook on Security https://www.frontlinedefenders.org/files/workbook_eng.pdf  
+
[https://www.frontlinedefenders.org/files/workbook_eng.pdf Example from the Front Line Defenders Workbook on Security]
  
 
== Discussion (10 minutes) ==
 
== Discussion (10 minutes) ==
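Review bot: The scenario paragraph in this hunk still carries the misspelling "harmelss" and the stray space in "not noticed ," on both sides of the diff. Since the hunk already touches the lines around it, suggest correcting both ("harmless", "not noticed,") in the same edit.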
Line 20: Line 23:
 
Ask participants:  What were the best practices here by the HRDs? Finding taxis outside the office suspicious may seem like paranoia: how did they check whether they were paranoid?  In your opinion, did they make the right decision to continue using the taxis?  
 
Ask participants:  What were the best practices here by the HRDs? Finding taxis outside the office suspicious may seem like paranoia: how did they check whether they were paranoid?  In your opinion, did they make the right decision to continue using the taxis?  
 
Do you have any similar experiences to share?
 
Do you have any similar experiences to share?
 
''Input.'' What the HRDs have done in this scenario is a great example of noting, sharing and analysing security indicators, in order to make decisions about security.
 
  
 
== Input (15 minutes) ==
 
== Input (15 minutes) ==
  
Security indicators are anything out of the ordinary that we notice which may have an effect on our security. They are sometimes called security incidents, although they do not have to refer to concrete events.
+
Security indicators are anything out of the ordinary that we notice which may have an effect on our security. They are sometimes called security incidents, although they do not have to refer to concrete events. We can identify security indicators at various different moments in our daily life and work. Examples of these  include:  
 
+
We can identify security indicators at various different moments in our daily life and work. Examples of these  include:
+
 
1. Receiving a letter from the authorities about an impending search of the office
 
1. Receiving a letter from the authorities about an impending search of the office
 
2. Someone taking a picture of you in a public place
 
2. Someone taking a picture of you in a public place
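Review bot: The numbered examples at the end of this hunk ("1. Receiving a letter ...", "2. Someone taking a picture ...") are plain text lines, and the latest revision renders them as one run-on sentence after "Examples of these include:". Suggest marking them with wiki list syntax, one "#" item per line, so they render as a list. The hunk also drops the "Input." sentence that ties the taxi scenario to noting, sharing and analysing indicators; consider keeping it as the bridge into the Input section.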
Line 37: Line 36:
 
Furthermore, the behaviour of our electronic devices can also change and indicate to us that they may be compromised. Consider what indicators might alarm us to: a virus infection or someone breaking into our email accounts.
 
Furthermore, the behaviour of our electronic devices can also change and indicate to us that they may be compromised. Consider what indicators might alarm us to: a virus infection or someone breaking into our email accounts.
  
The most important thing to do with security indicators is to record them and share them. Analysing them jointly is a good way to check our perceptions and jointly decide if a response is required.
+
The most important thing to do with security indicators is to record them and share them. Analysing them jointly is a good way to check our perceptions and jointly decide if a response is required. Security indicators can also be positive indicators, that we are doing things right and taking effective security measures.  
If it's useful, introduce an example file for recording security indicators (below).
+
REMEMBER: Security indicators can also be positive indicators, that we are doing things right and taking effective security measures. For example: Noting that authorities begin to act in protection of other HRDs in your region more effectively; Decreasing crime rates in an area where you work; Noting that your stress levels are lower and you are more alert than before to your security situation.  
+
  
 
== Deepening: Recording and Sharing Security Indicators (30 minutes) ==
 
== Deepening: Recording and Sharing Security Indicators (30 minutes) ==
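Review bot: Removing "If it's useful, introduce an example file for recording security indicators (below)." leaves the later references to "an example format (provided)" and "a sample register of security indicators" with no pointer to where that file is. Suggest keeping the sentence or linking the file directly. The concrete examples of positive indicators in the "REMEMBER:" paragraph are lost as well; consider retaining them after the shortened sentence.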
Line 45: Line 42:
 
''For organisations''
 
''For organisations''
  
'''Step 1.''' Participants return (if possible) to the map of the trends in their context over the previous 12 months (see: [https://gendersec.tacticaltech.org/wiki/index.php/Threat_analysis_-_Situational_analysis Situational Analysis]) and add any attacks or other security-related events which have affected them during this period.  
+
Participants return (if possible) to the map of the trends in their context over the previous 12 months (see: [https://gendersec.tacticaltech.org/wiki/index.php/Threat_analysis_-_Situational_analysis Situational Analysis]) and add any attacks or other security-related events which have affected them during this period. Participants form one small group per incident identified, or organise into small groups according to their area of work or other affinities within the organisation. The task is for them to focus on a given security event they have suffered and share any security indicators that they can remember which may have alerted them to the event previously. They share and record the events in writing on an example format (provided) if they want to. Remind participants of the definition of security indicators. Each group reports back to the larger group on the security indicators they identified.
 
+
'''Step 2.''' Participants form one small group per incident identified, or organise into small groups according to their area of work or other affinities within the organisation.
+
+
'''Step 3.''' The task is for them to focus on a given security event they have suffered and share any security indicators that they can remember which may have alerted them to the event previously. They share and record the events in writing on an example format (provided) if they want to. Remind participants of the definition of security indicators.
+
+
'''Step 4.''' Each group reports back to the larger group on the security indicators they identified.
+
  
 
''For mixed Groups''
 
''For mixed Groups''
  
 
Divide the group into pairs and  tell participants they are going to be security consultants for one another. They will interview one another about one previous attack or security event which they have experienced and try to help one another identify the security indicators which did or may have alerted them to something being wrong. Each participant takes 5-10 minutes to explain the event to their partner. Their partner can then ask them questions or simply listen for 10 further minutes about the security indicators around the event. Together, they fill in a sample register of security indicators, and then swap roles.
 
Divide the group into pairs and  tell participants they are going to be security consultants for one another. They will interview one another about one previous attack or security event which they have experienced and try to help one another identify the security indicators which did or may have alerted them to something being wrong. Each participant takes 5-10 minutes to explain the event to their partner. Their partner can then ask them questions or simply listen for 10 further minutes about the security indicators around the event. Together, they fill in a sample register of security indicators, and then swap roles.
 
''Further reflection''
 
  
 
'''Discussion'''. Ask participants: What spaces have they made in the past for sharing and analysing security indicators? How can they integrate space for this into their current workflow? Could it be on the agenda at regular meetings? How will they do it during particular activities?  
 
'''Discussion'''. Ask participants: What spaces have they made in the past for sharing and analysing security indicators? How can they integrate space for this into their current workflow? Could it be on the agenda at regular meetings? How will they do it during particular activities?  
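Review bot: The "For organisations" block loses its "Step 1." to "Step 4." markers and becomes a single paragraph, which is harder for a facilitator to follow while running the exercise. Suggest keeping the four steps on separate lines or as a numbered list. The "Further reflection" sub-heading before the final discussion is also removed, so that discussion now reads as part of "For mixed Groups".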
Line 76: Line 65:
 
|Theoretical and on line resources=Holistic Security Guide
 
|Theoretical and on line resources=Holistic Security Guide
  
Front Line Defenders Workbook on Security https://www.frontlinedefenders.org/files/workbook_eng.pdf
+
[https://www.frontlinedefenders.org/files/workbook_eng.pdf Front Line Defenders Workbook on Security]
  
Protection International Manual http://protectioninternational.org/publication/new-protection-manual-for-human-rights-defenders-3rd-edition/
+
[http://protectioninternational.org/publication/new-protection-manual-for-human-rights-defenders-3rd-edition/ Protection International Manual]
 
}}
 
}}
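Review bot: "Holistic Security Guide" on the "Theoretical and on line resources" line is still unlinked, while the two entries below it are converted to labelled external links. Suggest adding its URL in the same "[URL label]" form so all three resources are reachable from the page.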

Latest revision as of 12:54, 27 August 2015

Title of the tutorial Security Indicators: sharing and analysis
Attributions
Kind of learning session Holistic
Tutorial category Discussion
Duration (hours) 75m
"m" can not be assigned to a declared number type with value 75.
Learning objectives To define and explore security indicators in their current situation.

To know best practices around sharing and analysis of security indicators.

Prerequisites Ideally, output from Situational Analysis exercise.

A safe and trusting environment must be created wherein people are not blamed for things they are perceived to have not done correctly or not been aware of. If necessary, you can introduce tools for non-violent communication in order to facilitate sharing of security indicators.

Methodology [[Methodology::Methodology

Activity (10 minutes)

Give participants a scenario or series of scenarios wherein an HRD identifies security indicators and takes decisions which keep them safer. Example:

We noticed taxis started parking outside our office. Staff would often take these taxis rather than going to the nearest taxi rank as usual. The taxi drivers started conversations with the passengers, asking what they had been doing that day. Our organisation regularly met with other organisations to discuss their work and security issues. At the next meeting, we mentioned this security incident. Members of the other organisations present then realised that taxis had also started parking outside their offices too. We concluded that the authorities were either using taxi drivers to collect information on us, or had planted security personnel as taxi drivers. Our organisations then decided that the safest response would be to pretend we had not noticed, but we warned the staff not to say anything about their work in the taxis but instead to chat about harmless issues.

Example from the Front Line Defenders Workbook on Security

Discussion (10 minutes)

Ask participants: What were the best practices here by the HRDs? Finding taxis outside the office suspicious may seem like paranoia: how did they check whether they were paranoid? In your opinion, did they make the right decision to continue using the taxis? Do you have any similar experiences to share?

Input (15 minutes)

Security indicators are anything out of the ordinary that we notice which may have an effect on our security. They are sometimes called security incidents, although they do not have to refer to concrete events. We can identify security indicators at various different moments in our daily life and work. Examples of these include:

1. Receiving a letter from the authorities about an impending search of the office

2. Someone taking a picture of you in a public place

3. Not being able to concentrate and forgetting to lock the door to the office

4. Many unexpected pop-up windows opening when browsing the internet

5. Feeling exhausted even after a good night’s sleep

We may be quite used to perceiving security indicators in our environments, but we can also look for them inside our physical and emotional experiences, which may indicate that we're close to burning ourselves out. Consider what kind of physical sensations, thoughts or mental states might be indicators of stress, fatigue or burnout. Furthermore, the behaviour of our electronic devices can also change and indicate to us that they may be compromised. Consider what indicators might alert us to a virus infection or to someone breaking into our email accounts.

The most important thing to do with security indicators is to record them and share them. Analysing them jointly is a good way to check our perceptions and jointly decide if a response is required. Security indicators can also be positive: signs that we are doing things right and taking effective security measures.

Deepening: Recording and Sharing Security Indicators (30 minutes)

For organisations

Participants return (if possible) to the map of the trends in their context over the previous 12 months (see: Situational Analysis) and add any attacks or other security-related events which have affected them during this period. Participants form one small group per incident identified, or organise into small groups according to their area of work or other affinities within the organisation. The task is for them to focus on a given security event they have suffered and share any security indicators that they can remember which may have alerted them to the event previously. They share and record the events in writing on an example format (provided) if they want to. Remind participants of the definition of security indicators. Each group reports back to the larger group on the security indicators they identified.

For mixed Groups

Divide the group into pairs and tell participants they are going to be security consultants for one another. They will interview one another about one previous attack or security event which they have experienced and try to help one another identify the security indicators which did or may have alerted them to something being wrong. Each participant takes 5-10 minutes to explain the event to their partner. Their partner can then ask them questions or simply listen for 10 further minutes about the security indicators around the event. Together, they fill in a sample register of security indicators, and then swap roles.

Discussion. Ask participants: What spaces have they made in the past for sharing and analysing security indicators? How can they integrate space for this into their current workflow? Could it be on the agenda at regular meetings? How will they do it during particular activities?

Ask participants to reflect on their own organisation and what would be the best way to record security indicators, analyse them and take action where necessary. For example: someone designated to keep a security indicators record book; someone tasked with highlighting the need for joint analysis of security indicators; an effective and realistic decision-making process for deciding whether a reaction is necessary (i.e. who should be part of this, and how these decisions and their implementation are documented for organisational learning). This proposal could go into the planning/moving forward session at the end of the training.

Synthesis

Security indicators are very useful in alerting us to potential threats to our security. If they are properly noted, shared and analyzed, they can help us take preventive action.

Encourage participants to identify, or share best practices for, an organisational way of dealing with security indicators (where they are recorded, how and with whom they are shared, and who analyses them and decides upon a reaction).

While we have a physiological instinct for noting some indicators, others are less clear and we need to look for them more actively as a part of our routine.

Since our memory can be challenged by overworking and stress, it's a good idea to maintain a written record of security indicators which facilitates sharing and maintenance of historical memory relevant to security in organisations.]]

Number of facilitators involved 1
Technical needs Flipchart
Theoretical and on line resources [[Theoretical and on line resources::Holistic Security Guide

Front Line Defenders Workbook on Security

Protection International Manual]]