If you’ve joined one of our digital security team’s many training sessions, you know that we kick off nearly all of them by covering risk assessment.
What is a risk assessment (or “threat model”)? It’s a way journalists and filmmakers can determine potential digital security challenges and develop strategies to mitigate them. It’s a systematic process for identifying and evaluating the digital assets you own, create, or engage with.
As we work through the risk assessment stages with session participants, we often stress that this is a repeatable process, not a one-time exercise: you can work through it again and again, perhaps as a first step before covering a new story, or even at each phase of an investigation. Your risk changes with the work you are trying to do and where you are trying to do it, so the assessment should change with it.
Here are some questions to think about as you consider your own risk assessment:
My assets: What am I protecting?
The risk assessment begins by considering the assets you use or generate. Examples of assets include, but are not limited to:
- Devices (e.g., cellphones, computers, and tablets)
- Communications (e.g., email, texts, social media posts, and DMs)
- Documents (e.g., tips from sources, field notes, and drafts)
- Footage (e.g., interviews and b-roll)
- Browsing data (e.g., search history)
From morning until night, if you are using a device, you are generating an asset of some kind. So one way to start your risk assessment is to take note of everything you do in a day with your phone, computer, and anything else that might store your information.
Once you’ve tracked your activities, see if you can find patterns in the dataset you are building. This can narrow the field to assets you’d like to protect, prioritizing those most important to you (e.g., passwords to accounts containing your personal information or contact information of sensitive sources). Identifying high-priority assets will help you address risks efficiently and (hopefully) without too much stress.
My adversary: Who am I protecting my assets from?
The question of who might be interested in your assets can be tricky. We don’t always know specifically who is behind an attack. However, based on several decades of evidence, we can offer a few high-level categories of adversaries:
- Governments foreign and domestic are in the business of collecting and using our data in a variety of ways. There are many recorded cases in which they gain access to privileged information through networked devices, even using targeted exploits specifically aimed at a person or group. Governments also use dragnet surveillance policies that impact nearly everyone using the internet.
- Corporations are increasingly buying and selling our data for many reasons, from targeted advertising to shopping our personal information for financial gain. Our personal information can also become an asset when companies are bought and sold.
- Hackers exploit vulnerabilities in systems to gain a foothold, perhaps for ransomware or data exfiltration purposes. Hackers often work in groups and, in certain cases, are sponsored by nation-states.
- Scammers are ubiquitous, using social engineering and psychological manipulation to get you to divulge confidential information or otherwise act in a way that benefits them. These attacks arrive by phishing email, phone call, and text message, and the lures change constantly.
- Trolls engage in a range of provocative behaviors online, including publishing your personal information (sometimes your home address and phone number) so that threats spill over from the digital world into the physical one.
While journalists are a high-risk group, these adversaries affect almost everyone whose information is online. Rest assured, there are lots of steps you can take to protect yourself. Knowledge is power.
The adversary’s resources: What might they be capable of?
Each of the adversaries above relies on different techniques and capabilities. When we speak in training sessions to journalists, filmmakers, and advocates, we group these into two broad categories: lawful access and unlawful access.
First, government agencies around the world can legally request user information from service providers (e.g., Meta, Google, or your internet service provider). This data is requested, purportedly, for national security purposes or as evidence in a criminal case. In the United States, journalists have some legal protections for information collected during newsgathering, but those protections vary by jurisdiction and are not absolute, so they should not be your only safeguard.
Second, some adversaries will engage in illegal activities, like hacking networks and systems, to gain unlawful access to sensitive information. They may extort organizations and individuals. They may attempt to trick you into disclosing private information.
In our training sessions, we note that these actors do not distinguish between professional and personal accounts, and in many cases are not above relying on intimidation tactics like online harassment and physical threats.
Likelihood: How big of a risk is this to me now?
The most important question in the risk assessment may be how likely you are to be targeted. We regularly hear about scary new cybersecurity threats. At the same time, we use technologies every day that we aren’t meant to fully understand. It’s no wonder that it can be hard to figure out the likelihood of any given threat against us as individuals.
The risk for journalists depends on a few factors. For instance: What stories are you reporting? Are they particularly sensitive? Would someone in power take umbrage at this coverage, and what means do they have to retaliate? In addition: What support do you have for your reporting from colleagues in your organization?
Even within the field of journalism, your identity is a factor worth considering. For example, female journalists are far more likely to experience online harassment than their male peers.
My resources: What can I do to protect myself?
As our training sessions with journalists and filmmakers have shown us, it is very possible to establish a set of habits that make you safer and more secure, and that free up some brain space to do good work. Some encouraging news: Dozens of articles across this website offer guidance and considerations for protecting yourself. To help you navigate that body of advice, here are a few pathways for further learning.
To protect yourself from hacking and account takeovers, dial in on your account security. Read up on writing solid passwords, using a password manager, choosing and using strong two-factor authentication methods (a hardware security key or an authenticator app is far more resistant to phishing than codes sent by SMS), and staying aware of phishing tactics and techniques.
Safeguard your communications by opting into end-to-end encrypted channels like Signal and WhatsApp. Here’s a Signal primer and deep dive, and advice on upgrading WhatsApp security. Keep in mind that end-to-end encryption protects messages in transit; a compromised phone, or a cloud backup that isn’t itself encrypted, still exposes them. Learn more about encrypting your email messages too.
Limit access to your browsing habits by thoughtfully choosing a browser and understanding the use cases for a virtual private network, which hides your traffic from your local network and ISP but shifts that trust to the VPN provider and does not make you anonymous to the sites you visit.
Keep prying eyes out of your source communications by setting up a tipline, while also keeping a keen eye out for malware.
And, of course, to work with us on risk assessment for you or your organization, or to schedule a training for a deeper dive on tools and resources, reach out here.
Our expertise lies in digital security, but because the online and physical worlds are now interconnected in ways we haven’t seen before, we also recommend that, as resources allow, journalists seek out hostile environment and first aid training from organizations including the International Women's Media Foundation.