
McGregor Watkins

Published on

ISOJ 2016

Published in: News & Politics

  1. Susan E. McGregor Columbia Journalism School @susanemcg / sem2196@columbia.edu Elizabeth Anne Watkins Columbia Journalism School @watkins_welcome / eaw2198@columbia.edu "Security by Obscurity": Journalists' Mental Models of Information Security
  2. We all remember the Snowden revelations
  3. And the Sony hack
  4. And the Gawker lawsuit
  5. According to a Pew Research Survey of investigative journalists conducted in 2014: ● Half did not report using information security tools in their work ● Less than 40% reported changing their methods of communicating with sources since the Snowden revelations ● Yet the majority believe that the government has collected data about their communications. Yet in the last 3 years, it seems little has changed
  6. According to a Pew Research Survey of investigative journalists conducted in 2014: ● 88% reported “decreasing resources in newsrooms” as the top challenge facing journalists today ● 56% named legal action against journalists as the second. Yet in the last 3 years, it seems little has changed
  7. Why not?
  8. We approach this question through the lens of mental models.
  9. In the words of cognitive psychologist Donald Norman, mental models are: “What people really have in their heads and guide their use of things.” A mental model describes the way a person or group thinks about a system or process
  10. Our research: We conducted in-depth, semi-structured interviews with journalists (N = 15) and editors (N = 7) about their security preferences, practices and concerns. We then analyzed these interviews using an iterative, grounded-theory process to identify and refine common themes.
  11. Our results: Like the Pew survey, we found two overarching themes: 1. Our participants strongly related the need for security to the specific beat, geography or story they were covering. 2. Meeting face-to-face was the most consistently cited tactic for avoiding security issues related to digital communications.
  12. “It depends on the sector, but not everyone has sensitive information. We have many open sources that don’t require any particular protection...It’s just in certain cases that one really needs to be careful.”
  13. “I haven’t really dealt with something that was life or death. An extra level of security just didn’t seem necessary.”
  14. “If you were on the national security beat [security technology] would be really useful. But I write about domestic social problems, education, crime, poverty.”
  15. “I feel like it depends on how much you think someone is actively spying on you.”
  16. Security by Obscurity Taken together, we found that our participants' mental models of security were largely shaped by two sets of beliefs: 1. That their own level of information security risk was directly proportional to the likelihood that they were being specifically targeted. This was expressed in repeated references suggesting that security risk was a factor of how conspicuous or controversial their coverage was. Conversely, participants expressed that if they were not being specifically targeted, they felt they faced a lower information security risk. 2. That the primary way to lower their information security risk was to take communications offline altogether, e.g. meet sources and/or colleagues in person. Taken together, we characterize this mental model as "security by obscurity."
  17. Security by Obscurity In the computer science literature, "security by obscurity" is often highlighted as a spurious form of security; e.g. the idea that simply using obscure (or secret) security approaches provides sufficient security. We intentionally co-opt this term to indicate journalists' and organizations' belief that if their work remains sufficiently "low-profile," they do not need to concern themselves with information security. We acknowledge that in both cases, "security by obscurity" can provide some tangible short-term protections. In the long run, however, this approach is not tenable in either discipline.
  18. Limitations of "Security by Obscurity" for Journalists: Many successful attacks are phishing-based From the article: The executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message. [...] In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”
  19. Limitations of "Security by Obscurity" for Journalists: Journalists and their organizations are not obscure "Ok, it's not crazy or megalomaniacal to think that there might be a group of people who are actually trying to crack [our] systems. Right? I mean, we think of ourselves as prestigious...but not a sort of obvious global target newsroom...So I think that really brought home to us, "No, we are a big old target."
  20. Why does the "security by obscurity" mental model persist?
  21. Understanding journalists' "security by obscurity" stance We found multiple indicators of why journalists may continue to employ a "security by obscurity" mental model despite its gaps and inefficiencies: 1. Poor systems models: many participants expressed uncertainty or confusion about how digital communication systems worked and what kind of protections were afforded by particular practices. 2. "Good enough is good enough": in the absence of clear understandings about the mechanisms of digital communications and their implications, most journalists relied on face-to-face meetings for security. Though limiting, this tactic is both reasonably effective and more highly accessible given their other resources.
  22. I’ve been trying to reduce my Dropbox usage, and so I've been using just a USB stick or something. Which, I actually have no idea how safe that is. It seems more safe.
  23. I tried to send an encrypted email to a manager, and she doesn’t have [encrypted] email. So, it’s available to our company…but it hasn’t been a priority for that manager. So I sent a note to her reporter…who was encrypted but was not in the office. So I said, “I’ll walk over and have a conversation with you, because I can’t send you what I would like to send you. I don’t want to put this in writing."
  24. Ways forward
  25. Improving on "security by obscurity" for journalists A major opportunity for improving the accuracy and efficacy of journalists' mental models of security seems possible through better information dissemination and education. 1. The most prominent and highly-detailed coverage of information security issues for journalists focuses on specific beats and topics. At least internally, organizations should clearly communicate the existence and origin of attacks. 2. Engage in direct educational efforts to help journalists and other personnel understand how digital communications work - and how certain security precautions function. Anecdotes from participants suggest this is a successful approach.
  26. My initial response to being prompted to set up two factor authentication on my personal accounts - like on my Gmail account or my Facebook or wherever - was deep skepticism, because it just felt like another corporation asking for my phone number...[But] the whole tech team gave kind of a broader and clearer explanation of why it matters, and it didn't just seem like some kind of fishy thing from a faceless corporation, but more like, you know - here's a person I trust who's looking out for my company telling me why this matters for us as a company, and shortly after we went to two factor for the company, you know, I sort of acquiesced to all of the various two-factor requests in the rest of my life as well.
  27. Susan E. McGregor Columbia Journalism School @susanemcg / sem2196@columbia.edu Elizabeth Anne Watkins Columbia Journalism School @watkins_welcome / eaw2198@columbia.edu "Security by Obscurity": Journalists' Mental Models of Information Security
