How to assess your digital security risk


    In order to know what measures to take in order to be more secure, both digitally and in our day-to-day personal and professional activities, it's important to understand the nature of the risk we face, so that we can make the right decisions about how best to stay safe.

    Perhaps without realising, we take decisions based on risk analyses every day: you may choose not to walk home through a particular neighbourhood you consider dangerous, or to lock your office doors when you leave in the evening, to deter thieves. The idea of this section is to consider that same logic, as it applies to our digital activities, both as human rights defenders and as private people.

    'Security' and 'Digital Security'

    Our risk assessment and strategies for staying safe shouldn't relate only to our 'digital lives' but should, of course, also include our personal, physical, organisational and emotional security.

    Each of us has our own definition of what constitutes 'security'. Traditional notions of security would include ideas such as the protection of a state, region, building or information system from external attack. However, while these concepts are quite valid, it is increasingly recognised that 'security' for human rights defenders can also mean many more things, such as the freedom to carry out our work without restrictions, the freedom to travel without fear, physical and mental health, justice and recognition. [1]

    This guide focuses on one subset of 'security', which we call 'digital security'. Digital security refers to ensuring the ability to use digital information and information systems without interference, disruption, unauthorised access or data collection. That is to say, having control over the storage, communication, use and access of our digital information. Sometimes, we may want to share information publicly in order to stay safe: for example, you may share your location with your friends and support network via text message or a social network if you find yourself being followed. Other times, we may want to keep information secret in order to stay safe: for example, we may encrypt our email conversations with our colleagues when organising a meeting, so that the location isn't discovered.

    Which measures you should take to keep yourself and your information safe will depend on your own risk analysis.

    'The Who' and 'The Why'

    In order to understand the risks we face and be able to effectively react, first we should know where they come from; that is to say, who is behind them, and why.

    In order to 'map' the actors relevant to our work and our well-being, we might consider dividing them into three categories:

    • Resisting forces: These are actors who try to prevent us from successfully carrying out our work.
    • Supporting forces: These are our friends and allies, who try to support our project in one way or another.
    • Unknown forces: These are other actors whose exact intentions, with regard to our security and the success of our work, are unknown or ambiguous.

    Resisting forces

    Unfortunately, as human rights defenders, we cannot always count on the full support of our State, our society, or at times even our families. Our work to promote and defend human dignity is often a direct challenge to power structures, whether in government, society or the family, and directly threatens those who currently wield that power. Moreover, as women human rights defenders, or LGBTI human rights defenders, we often challenge long-standing patriarchal, 'cultural' or 'traditional' norms which are jealously guarded by individuals and institutions alike.

    This means that a number of different actors may take action against us to hinder or stop our work. In some cases it may be agents of the State, who often threaten, stigmatise, arrest, detain, mistreat and prosecute human rights defenders. In other cases, it may be social actors – religious institutions or groups, political movements, armed groups, or even family members – who try to prevent us from promoting and defending human rights.

    Getting a sense of who these actors are will help us to understand the nature of the threats to ourselves, our community and our information. Different actors will pose different threats to our security, and indeed our digital security: while the State, for example, may have the capacities to listen to our mobile calls, or place viruses on our computers to monitor our online activities, non-State actors or even common criminals could gather a huge amount of information about us by just monitoring our Facebook page, if everything is open and public. Therefore, if we think about what we are up against, we can take the right measures to keep them guessing and keep working.

    Supporting forces

    As part of this 'actor mapping' exercise, you should also consider the actors who are on your side, whether local, regional or international: these could include friends, community members, police, other organisations, embassies and so on. It will be important for you to spread your digital security practices among your allies.

    Unknown forces

    Finally you should also consider the actors whose intentions are unknown, but who are relevant to your safety. An example may be your Internet Service Provider (ISP) or companies such as Facebook or Google, on whom we depend for a lot of our online activities and who may collect and store a lot of information about us. For example, an ISP, social network or e-mail provider could be legally pressured by a government to hand over information such as your browsing history, chat logs or emails. Due to the large amount of information they collect about your activities, they may also be targets for malicious hackers who want to access that information about you.

    Assessing Risk

    Risk refers to possible events, however uncertain, that result in harm.

    You can think of your risk as an interplay of the threats you face, your vulnerabilities, and the capacities you have.

    • Threats refer to a declaration or indication of an intention to inflict harm. The higher the threats, the higher your risk. An example of a threat may be someone breaking into your email account and exposing your contacts, or using your emails as evidence against you.

    • Vulnerabilities refer to any factor which makes it more likely for harm to materialise or result in greater damage. The more vulnerabilities you have, the higher your risk. An example of a vulnerability may be having a very short, simple and easy-to-break password, like '123456', or your pet's name.

    • Capacities refer to abilities and resources which improve our security. The higher your capacities, the LOWER your risk. An example might be knowing how to create and store long, complex and varied passwords, thus making it very difficult for people to break into your email account.

    It's worth noting that capacities and vulnerabilities are often "two sides of the same coin".

    Identifying threats, capacities and vulnerabilities

    To begin with, as noted above, it's good to consider the threats we face. Threats may be targeted, that is to say, directly or indirectly related to our work; or they may be incidental, that is to say, not related to our work but other factors, such as common delinquency.

    Threats can also be environmental or structural in nature. Examples of such threats may include data loss due to a power outage, or natural disaster.

    It's a good idea to, on your own or with others, do a brainstorm of the possible threats you face, and consider how they might relate to your use of technology – your mobile phone, your computer, your smartphone, email, social networks, and so on.

    Once you have thought of them, you should isolate them and think of your capacities and vulnerabilities relative to each threat. Capacities and vulnerabilities can fall into a huge number of categories - geographical, social, familial, physical, structural, economic, and others. For the purposes of this guide and your use of it, it may be useful to consider those which relate to your use of technology and digital tools in particular.

    It may help for you to map them out on a matrix, like this:

    Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required

    An example for an LGBT human rights defender might look like this:

    Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required
    Office raid, confiscation, legal action | Police, judiciary | Sensitive files are not protected; computers have unregistered copies of Windows; LGBT material in browsing history | Backups are regular and kept outside the office | Hiding sensitive information; using Free Software; deleting information securely
    Arrest or abduction during demonstrations | Homophobic gangs | Dating website profile is public, with face pictures | Always carry mobile and text friends where and when I meet someone | Safer use of dating sites
    Burglary | Local delinquents | Old locks on the office doors; organisation smartphones are not kept in a safe place | Smartphones have SIM lock and no social networking apps | Smartphone encryption, and a safe place to keep them

    This example is merely for demonstrative purposes and may have nothing in common with your own situation, and for the purposes of this guide, it only focuses on digital security vulnerabilities and capacities, which should only be one part of your risk analysis.

    The Risk Matrix: Probability and Impact

    It may be that you find there are a lot of threats to your work, and it can be difficult to get some perspective on where to begin. In these cases it can be useful to think of the different threats in terms of the probability of their occurrence, and their impact should they occur.

    It might help you to plot them on a 'Risk Matrix' such as this one:

    Probability \ Impact | Low | Medium | High | Catastrophic
    Very High            |     |        |      |
    High                 |     |        |      |
    Medium               |     |        |      |
    Low                  |     |        |      |

    Whether the probability of a certain attack is Low, Medium, High or Very High is a question of your own subjective judgement. It is relatively safe to say that if a certain type of attack has happened to colleagues, friends or other human rights defenders in your context, its probability in your context is at least medium, high or very high.

    Impact is similarly subjective and can really only be judged for yourself. However, it's relatively safe to say that for any type of attack which, if carried out, would prevent you or your organisation entirely from carrying out your work, the impact is high or catastrophic.

    Plot the threats on the matrix according to your judgement of their probability and impact. An example might look like this:

    Probability   Threats plotted in that row
    Very High     Confiscation of materials
    High          Burglary
    Medium        Entrapment and Assault; Imprisonment
    Low           (none)
    Impact axis (left to right): Low | Medium | High | Catastrophic

    Once you have prioritised the risks to yourself and your work, you can then start to take action to reduce them through building the relevant capacities and integrating them into a security plan.
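The steps above (list threats and actors, note capacities held and required, rate probability and impact, then prioritise) can be kept as a small register. The following is an added example, not code from the guide: it uses the guide's scales and example threats, while the numeric ranks, the impact column of each threat, the actor behind "Entrapment and Assault" and the capacity names are assumptions made here.

```python
# Added example (not from the guide): a small risk register that applies the
# guide's Probability x Impact matrix and its capacities table in code.
from dataclasses import dataclass, field

# The guide's ordinal scales; the integer ranks are assumed here only to order threats.
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Catastrophic": 4}

@dataclass
class Threat:
    name: str
    who: str                  # the actor behind the threat ("The Who")
    probability: str          # a key of PROBABILITY
    impact: str               # a key of IMPACT
    capacities: set = field(default_factory=set)           # already in place
    capacities_required: set = field(default_factory=set)  # needed against it

    def score(self) -> int:
        """Risk rank = probability rank x impact rank (assumed scoring rule)."""
        if self.probability not in PROBABILITY or self.impact not in IMPACT:
            raise ValueError(f"unknown level on threat {self.name!r}")
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def gaps(self) -> set:
        """Capacities still to build: what is required minus what is held."""
        return self.capacities_required - self.capacities

def prioritise(threats):
    """Highest risk first; a tie goes to the threat with the worse impact."""
    return sorted(threats, key=lambda t: (t.score(), IMPACT[t.impact]), reverse=True)

def matrix(threats):
    """Lay threat names out on the guide's grid, keyed (probability, impact)."""
    grid = {(p, i): [] for p in PROBABILITY for i in IMPACT}
    for t in threats:
        t.score()  # validates both levels before indexing the grid
        grid[(t.probability, t.impact)].append(t.name)
    return grid

# Constructed register built from the guide's example threats. Probability rows
# follow the guide's plotted example; actors and impact columns are assumed.
REGISTER = [
    Threat("Confiscation of materials", "Police, judiciary", "Very High", "High",
           {"Off-site backups"}, {"Off-site backups", "Secure deletion"}),
    Threat("Burglary", "Local delinquents", "High", "Medium",
           {"SIM lock"}, {"SIM lock", "Smartphone encryption"}),
    Threat("Entrapment and Assault", "Unknown", "Medium", "Catastrophic",
           set(), {"Safer use of dating sites"}),
    Threat("Imprisonment", "Police, judiciary", "Medium", "Catastrophic"),
]
```

Calling prioritise(REGISTER) returns the threats in the order to work on them, and each threat's gaps() lists the capacities still to build for the security plan.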

    Further reading

    • For more information on risk assessment and security planning, including not only digital but physical, organisational and psychological well-being, see the following resources:

    Front Line Defenders' Workbook on Security for Human Rights Defenders English Arabic

    Protection International's New Protection Manual for Human Rights Defenders, 3rd Edition

    Protection International's Protection Manual for LGBTI Defenders

    Electronic Frontier Foundation: Risk Management as part of the Surveillance Self Defence project.

    Front Line Defenders, Kvinna till Kvinna and Urgent Action Fund, Insiste, Resiste, Persiste, Existe - Women Human Rights Defenders Security Strategies

    [1] Kvinna till Kvinna, Integrated Security Manual