This component allows an auditor to lead the host organization's staff through a series of activities that identify and prioritize the processes critical to the organization's work. The same activities reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. The result is a risk matrix, created by the staff themselves, which serves as the foundation of the auditor's recommendations.
Keeping the host organization central to the risk assessment process lets the auditor frame threats and recommendations in the host's own narrative. With greater ownership of the process, staff will be more engaged in addressing the identified threats once the audit is complete. [1] By engaging as many staff as possible, the auditor also leaves behind a framework the staff can use to examine future concerns after the auditor is gone. The existing formal and informal security practices captured during this process are used to remove organizational and psycho-social barriers to starting new practices.
Note: Risk modeling requires a mixed approach of exercises, and the order in which you identify each component will vary depending on the organization.
If it is not possible to conduct these activities in person, you can conduct them remotely by applying one of the remote facilitation approaches described in the Remote Facilitation appendix.
Overview: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Guide: "Risk Assessment" (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))
Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Guide for Conducting Risk Assessments" (NIST 800-30)
Report: "Risk Thresholds in Humanitarian Assistance" (European Interagency Security Forum)
Threat Modeling Resources (General)
Book: "Threat Modeling: Designing for Security" (Adam Shostack)
Website: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Article: "Security for Journalists, Part Two: Threat Modeling" (Jonathan Stray)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST)
Guide: "Guide for Conducting Risk Assessments" (NIST)
Activity: "Threat Model Activity" (Tow Center)
Risk Assessment Activities
Guide: "Risk Assessment" (Operational Security Management in Violent Environments (Revised Edition) - Chapter 2)
Guide: "Risk Assessment" (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Book: "Pre-Mortem Strategy" (Sources of Power: How People Make Decisions - p. 71)
Threat Assessment Activities
Example text: "Introducing Threats" (Integrated Security)
Written exercise: "Threats Assessment" (Integrated Security)
Risk Matrix Activities
Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Risk Analysis: Chapter 2.7" (Operational Security Management in Violent Environments (Revised Edition) - HPN, Humanitarian Practice Network)
Alternative Risk Modeling Activities
Guide: Workbook on Security: Practical Steps for Human Rights Defenders at Risk
Guide: "Risk Assessment For Personal Security" (CPNI - Centre for the Protection of National Infrastructure)
Guide: "Threat Assessment & the Security Circle" (Front Line Defenders)
Case Study: "Case Study 1: Creating a Security Policy" (Front Line Defenders)
[1] "CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link - so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."