Overcoming the fear in talking about digital threats and risks

From DevSummit
Revision as of 23:37, 4 May 2015 by Vivian (talk | contribs) (1 revision imported)

Session Title:

Security creates opportunity - you don't have to take advantage of it, but it sounds good!

Facilitator: Ali

Topic of the conversation:

How to approach security in a way that does not communicate threat to people, but empowerment.

Round of questions to participants:

  • What's something that confuses you when you talk about security? Why are you here?
    • A: I work on how we convey this information to people. How to make it human, not something for machines.
    • B: I worked for 1 year as a security analyst in the UK. Interested in security in a non-profit environment.
    • C: How to incorporate security in design? And security in climate disruption and climate resources. And how security relates to personal information, e.g. social media (it's empowering to connect with people via social media, but you're exposing yourself). How to talk with people about security.
    • D: Adoption challenge: we need an opt-in step, to be a standard, which all groups can engage with.
    • E: Work for a company making secure apps. How to make the user aware, how to ease into secure use?
    • F: How to talk about security with people who do not work in tech. How to approach data work with marginalized communities securely?

1: Associations

  • Digital security: we are not digital beings. As human beings, we have no mechanisms to understand threats in the digital space.
  • Exercise: words you associate with "What is security?"
    • safety
    • confidence
    • protection
    • blanket
    • fear mongering
    • minimized risk
    • futility
    • choice
    • responsiveness
    • intelligence
    • empowerment
    • resilience
    • anonymity
    • locks
    • alarm systems
    • key
    • shield
    • door
    • vault
    • envelope
    • cloak
    • Brave Little Toaster
    • trust
    • flexibility
    • relaxation
    • openness
    • authoritarianism
    • control
    • relative
    • vulnerability
    • strength
    • family
    • community
    • punish
    • transformation
  • The purpose of the exercise was to take participants out of the technicalities of the topic. All of the things listed above are much closer to us. This also helps us understand why security is important to us. A lot of it is perception (of invincibility, of safety) - it's actually a false sense of security.

2: Which Type of Security?

  • Digital security; Emotional security; Physical security: it's important to understand the interplay between these three things.
  • (Psychologically speaking) Fear response mode alternatives:
    • flight
    • fight
    • freeze
    • tend
    • ignore
    • cope
  • Also, people in a fear state do not behave rationally. So, as digital security trainers, it is not useful to scare people. We can either 1) make the actions automatic for people (e.g. airplane safety instructions, which you see so many times that in the end following them becomes automatic), 2) make actions unnecessary because security is already in place by default, or - what else?

3: Step to ground the conversation (with whoever you talk about security with) in something other than abstraction

  • An approach to help people relate to the topic, also considering cultural context (you might be talking with Western citizens or with activists in the Middle East).
  • From "The Art of War":
    • know yourself
    • know the adversary
    • know the terrain
  • Yourself: Assets (things that empower you, inventory of what you have): Information can be
    • at rest: docs, financial info, picture hard drive, ID, bank info
    • in motion: e-mail, text, transactions
  • Your Terrain:
    • use Actor Mapping Relationships to map it (you and your info, in relation to your adversary and your allies - and their info).
  • So you can determine:
    • what's the likelihood your adversary is going to do something
    • and what's the impact of this?
  • If the impact is low, it's not a priority. All of the above helps with prioritization. And that's why it's hard to say "there are 5 things that you can do and then you'll be safe".

4: Collective participant discussion. Key concepts that emerged and were highlighted.

  • Information as asset. You're creating the assets for yourself, think about them.
  • What is the equivalent of trusted networks in the digital realm? It gets difficult; there's no exact equivalent to real-life trust.
  • Connecting "digital" to "grounded" (physical and emotional) can be useful to explain security. It helps people understand, maybe not "encryption", but "why information (and its privacy) is important to you". It's the first essential step before talking about tools. The combination of the two approaches - 1) making it clear by connecting digital to grounded, 2) making it frictionless (e.g. using an app like TextSecure) - is the ideal way to explain security. If you understand how it works, this will get you further. You can be empowered to make your own decisions.
  • Security creates opportunity - you don't have to take advantage of it, but it sounds good!