Participation matters

Security means different things to different people. Participation is security is essential for effective planning and adoption of new tools and processes.

Working on my participation badge.

I had a moment on Twitter this week. I was elated to hear that the Girl Scouts of America were offering a cybersecurity badge, and then immediately saddened that it was in partnership with an entirely male-headed organization. Without irony, the article points out that:

“…women are grossly underrepresented in the global cybersecurity industry, making up only 11 percent of the workforce.”

One of the things that the last decade of cybersecurity work has taught me is that not all security is the same. Different people have different security needs. Logical, right?

That logic is actually baked into the security assessments cyber folks perform. Threat modeling — an infosec term for risk assessments that we apply to humans — by nature requires input from the very people who seek security. Typically, a threat model seeks to answer questions about who you are, what you do, where you live, and what makes you a particularly interesting target from the perspective of an attacker.

Essentially, threat models are specific to people. If they aren’t, they’re not effective.

Moreover, while cybersecurity has traditionally been about network security, it is by no means the future of the field, nor its single focus. In the last few years, socially engineered attacks have seen a sharp increase. Ransomware attacks alone increased by 300% from 2015–2016; on average 4,000 ransomware attacks happen daily. Phishing attacks via social media have increased by 500%. And some 60 percent of businesses fell victim to social engineering in 2016.

Socially-engineered attacks are increasingly popular because they’re very effective. All tech we use is built to siphon our data — it’s the business model of every large tech company — and we’ve been trained to submit more and more data, without a second thought. That’s created a hell of a honeypot for would-be hackers; all a hacker needs is one set of login credentials — if even that — to access entire databases of 200 million US voters.

Cybersecurity is about human security. It’s people using technology, not other way around (sorry, Skynet). When we make security plans in a vacuum, we’re making them based on our assumptions and internal biases, and ultimately making them for ourselves — I could never have guessed that a Russian journalist’s biggest concern was his boss’s allegiance to the KGB, or that a having a Facebook profile in Pakistan was enough to get a young woman blackmailed, for example. Security is most worthwhile when its participatory and representational; assuming others’ needs in ineffective at best, and patriarchal or colonial at worst. This is the understanding and vision the Girl Scouts of America seems to lack.

Because I believe this so strongly, I made you two guides that use participation to threat model: the first helps you assess your own security needs; the other teaches you to help your team, organization, or community be safer through participatory processes. If you like these, check out some others. Frontline Defenders also does a threat modeling workbook, with more detail and a specific bent toward human rights activists. Soon our Community Toolkit will be available to help you talk about security with your communities. You know best how to secure yourselves, you’ve been trained your whole lives. I’m just here to fill in some of the security knowledge.

If you found this useful, sign up for our bi-monthly security updates: http://eepurl.com/cCzol9