Risk Assessment

    To know what measures to take to be more secure, both digitally and in your day-to-day personal and professional activities, it's important to understand the nature of the risks you face, so that you can make the right decisions about how best to stay safe.

    Perhaps without realising it, you make decisions based on risk analysis every day: you may choose not to walk home through a particular neighborhood you consider dangerous, or to lock your office doors when you leave in the evening, to deter thieves. The idea of this section is to consider that same logic, as it applies to your digital activities, both as women human rights defenders and as private people.

    Security and digital security

    Your risk assessment and strategies for staying safe shouldn't just relate to your 'digital lives' but should, of course, also include your personal, physical, organisational and emotional security. Each of us has our own definition of what constitutes 'security'.

    Traditional notions of security would include ideas such as the protection of a state, region, building or information system from external attack. However, while these concepts are quite valid, it is increasingly recognised that 'security' for women human rights defenders can also mean many more things, such as the freedom to carry out your work without restrictions, maintaining physical and mental health, and having the freedom to write and communicate publicly without risk of harassment.

    This guide focuses on one subset of 'security', which we call 'digital security'. Digital security refers to ensuring the ability to use digital information and information systems without interference, disruption, unauthorised access or data collection. That is to say, having control over the storage, communication, use and access of your digital information. Sometimes, you may want to share information publicly in order to stay safe: for example, you may share your location with your friends and support network via text message or a social network if you find yourself being followed. Other times, you may want to keep information secret in order to stay safe: for example, you may encrypt your email conversations with your colleague when organising a meeting, so that the location isn't discovered.

    Which measures you should take to keep yourself and your information safe will depend on your own risk analysis.

    'The Who' and 'The Why'

    In order to understand the risks we face and be able to effectively react, first we should know where they come from; that is to say, who is behind them, and why.

    In order to 'map' the actors relevant to our work and our well-being, we might consider dividing them into three categories:

    • Resisting forces: These are actors who try to prevent us from successfully carrying out our work.
    • Supporting forces: These are our friends and allies, who try to support our project in one way or another.
    • Unknown forces: These are other actors whose exact intentions, with regard to our security and the success of our work, are unknown or ambiguous.

    Resisting forces

    “Violence online and tech-related violence are part of the continuum of gender-based violence. The misogynistic attacks, threats, intimidation, and policing experienced by women are real, harmful, and alarming. It is our collective responsibility as different internet stakeholders to prevent, respond to, and resist this violence.” 2

    Unfortunately, as a woman human rights defender you cannot always count on the full support of your state, your society, or at times even your family. Your work to defend women's rights is often a direct challenge to power structures, whether in government, society or the family, and directly threatens those who currently wield that power.

    As a women's rights defender, you are often challenging patriarchal structures and demanding rights for equality in areas which have been misappropriated to serve masculine power structures. It can also mean confronting engendered technologies that have been created without conscious regard for women’s rights and gender equality. 3

    This means that a number of different actors may take action against you to hinder or stop your work. In some cases it may be individuals or groups who disagree with women having a voice and opinion online. This can also be on a personal level, where intimate partners use pictures and other information to harass or blackmail you, reinforcing stereotypes and exemplifying gender-based violence.

    Getting a sense of who these actors are will help you to understand the nature of the threats to yourself, your community and your information. Different actors will pose different threats to your security, and indeed your digital security: while the state, for example, may have the capacity to listen to your mobile calls, or place viruses on your computer to monitor your online activities, non-state actors or even common criminals could gather a huge amount of information about you by just monitoring your Facebook page, if everything is open and public. If you think about what you are up against, you can take the right measures to keep them guessing, and keep working.

    Supporting forces

    As part of this 'actor mapping' exercise, you should also consider the actors who are on your side, whether local, regional or international: these could include friends, community members, police, other organisations, embassies and so on. It will be important for you to spread your digital security practices among your allies.

    Unknown forces

    Finally, you should also consider the actors whose intentions are unknown, but who are relevant to your safety. An example may be your Internet Service Provider (ISP) or companies such as Facebook or Google, on whom we depend for a lot of our online activities and who may collect and store a lot of information about us. For example, an ISP, social network or e-mail provider could be legally pressured by a government to hand over information such as your browsing history, chat logs or emails. Due to the large amount of information they collect about your activities, they may also be targets for malicious hackers who want to access that information about you.

    Assessing Risk

    Risk refers to possible events, however uncertain, that result in harm.

    You can think of your risk as an interplay of the threats you face, your vulnerabilities, and the capacities you have.

    • Threats refer to a declaration or indication of an intention to inflict harm. The higher the threats, the higher your risk. An example of a threat may be someone breaking into your email account and exposing your contacts, or using your emails as evidence against you.

    • Vulnerabilities refer to any factor which makes it more likely for harm to materialise or result in greater damage. The more vulnerabilities you have, the higher your risk. An example of a vulnerability may be having a very short, simple and easy to break password, like '123456', or your pet's name.

    • Capacities refer to abilities and resources which improve our security. The higher your capacities, the LOWER your risk. An example might be knowing how to create and store long, complex and varied passwords, thus making it very difficult for people to break into your email account.

    It's worth noting that capacities and vulnerabilities are often "two sides of the same coin".

    Identifying threats, capacities and vulnerabilities

    To begin with, as noted above, it's good to consider the threats we face. Threats may be targeted, that is to say, directly or indirectly related to our work; or they may be incidental, that is to say, not related to our work but to other factors, such as common delinquency.

    Threats can also be environmental, or structural in nature. Examples of such threats may include data loss due to a power outage, or natural disaster.

    It's a good idea to brainstorm, on your own or with others, the possible threats you face, and consider how they might relate to your use of technology – your mobile phone, your computer, your smartphone, email, social networks, and so on.

    Once you have thought of them, you should isolate them and think of your capacities and vulnerabilities relative to each threat. Capacities and vulnerabilities can fall into a huge number of categories - geographical, social, familial, physical, structural, economic, and others. For the purposes of this guide and your use of it, it may be useful to consider those which relate to your use of technology and digital tools in particular.

    It may help for you to map them out on a matrix, like this:

    Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required

    An example for a WHRD might look like this:

    Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required
    Office raid, confiscation, legal action | Police, judiciary | Sensitive files are not protected; computers have unregistered copies of Windows | Backups are regular and kept outside the office | Hiding sensitive information; using Free Software; deleting information securely
    Spread of rumours based on surveillance | Corporations, opponents who know your password | Weak passwords | Use anti-virus software | Strong passwords, changed often, and encrypt communication
    Burglary | Local delinquents | Old locks on the office doors; organisation smartphones are not kept in a safe place | Smartphones have SIM lock and no social networking apps | Smartphone encryption, and a safe place to keep them

    This example is merely for demonstrative purposes and may have nothing in common with your own situation, and for the purposes of this guide, it only focuses on digital security vulnerabilities and capacities, which should only be one part of your risk analysis.

    The Risk Matrix: Probability and Impact

    It may be that you find there are a lot of threats to your work, and it can be difficult to get some perspective on where to begin. In these cases it can be useful to think of the different threats in terms of the probability of their occurrence, and their impact should they occur.

    It might help you to plot them on a 'Risk Matrix' such as this one:

    Probability |     |        |      |
    Very High   |     |        |      |
    High        |     |        |      |
    Medium      |     |        |      |
    Low         |     |        |      |
    Impact      | Low | Medium | High | Catastrophic

    Whether the probability of a certain attack is Low, Medium, High or Very High is a question of your own subjective judgement. It is relatively safe to say that if a certain type of attack has happened to colleagues, friends or other human rights defenders in your context, its probability in your context is at least medium, high or very high.

    Impact is similarly subjective and can really only be judged for yourself. However, it's relatively safe to say that the impact of any type of attack which, if carried out, would prevent you or your organisation entirely from carrying out your work is high or catastrophic.

    Plot the threats on the matrix according to your judgement of their probability and impact. An example might look like this:

    Probability (rows):
    Very High: Confiscation of materials
    High: Burglary
    Medium: Entrapment and Assault | Imprisonment
    Low:
    Impact (columns): Low | Medium | High | Catastrophic

    Once you have prioritised the risks to yourself and your work, you can then start to take action to reduce them through building the relevant capacities and integrating them into a security plan.

    Further reading

    • For more information on risk assessment and security planning, including not only digital but physical, organisational and psychological well-being, see the following resources:

    Gender and Tech Manual: Threat Analysis: Introducing Context and Risk Analysis

    Gender and Tech Manual: Threat Analysis: Security Planning

    Gender and Tech Manual: Threat Analysis: https://gendersec.tacticaltech.org/wiki/index.php/Threat_analysis_-_Situational_analysis

    Gender and Tech Manual: Threat Analysis: Vision and Actor Mapping

    Front Line Defenders' Workbook on Security for Human Rights Defenders (English, Arabic)

    Protection International's New Protection Manual for Human Rights Defenders, 3rd Edition

    Protection International's Protection Manual for WHRDs

    Electronic Frontier Foundation: Risk Management as part of the Surveillance Self Defence project.

    Front Line Defenders, Kvinna till Kvinna and Urgent Action Fund, Insiste, Resiste, Persiste, Existe - Women Human Rights Defenders Security Strategies