It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Easing your mind with security risk assessment
Normally I’d bring you a story of a specific security risk we’re seeing in the news and talk through what journalists can do to protect themselves in response. But what if there are multiple risks we’re sorting through, and it feels overwhelming? This time, I want to pull up a backward chair and share something I’ve been thinking about a lot lately: how to ground oneself with a risk assessment. I’ve found this very helpful for thinking about what to do next when making digital security decisions, as well as for redirecting my thoughts in a constructive way.
A risk assessment is a systematic way to identify and think specifically about how to protect the information you care about most. It’s easy to spiral and imagine all of the bad things that can happen — instead, steel yourself with a framework for prioritizing the most likely risks and take action.
What you can do
- You have priorities on what to protect — say, source communications, or offering support to the most at-risk people in your orbit. Writing this down may help you think through it more concretely.
- Next, think about what you know about the actor you’re concerned about. What can they do, how likely is that, and what can you do to make their job harder? Prioritize the risks you’re aware of and believe are likely, and put the rest aside. This will help you avoid spiraling and, instead, you can zero in on the places where you should narrow your attention.
- We’re all in a moment that is changing quickly, and while it’s helpful to gather more information and continue to develop your risk assessment, there are diminishing returns on gathering information. (For me, this might manifest in doomscrolling and other behaviors.) Decide when you have enough to act. Action with intention can be very empowering.
- It’s OK not to know everything now. This will be an iterative process. Later, you’ll continue to learn more and continue to develop the risk assessment, and make more high-priority decisions.
- To help you dive deeper, my colleague Davis Erin Anderson wrote a guide to digital security risk assessment. Check it out.
- Based on the priorities you develop in your risk assessment, our 2025 journalist’s security checklist will also help you to think through some possible next steps. Give it a read.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation
