Threat modeling is foundational to thinking through security broadly, and we therefore introduce it before several other more technical topics. We first encourage the use of physical metaphors (e.g., choosing how and where to lock a bicycle) before introducing digital applications to help beginners understand how they may already create informal threat models in their lives. We then extend this metaphor to the digital realm while conducting the exercise, using the Electronic Frontier Foundation's risk assessment handout.
Note that you will need to print one threat modeling handout in advance for each student.
Prerequisites
(None)
Estimated time
40-45 minutes
Objectives
Upon successful completion of this lesson, students will be able to construct and document a threat model.
Why this matters
Because it's such a useful framing for thinking about security concerns, threat modeling is a foundational concept for all subsequent topics in digital security for journalists. Threat modeling focuses on dissecting a security issue into smaller pieces that can be analyzed. This can help students understand whether they should realistically be concerned about the potential of a security threat, and how to think about the appropriate ways to respond. In this way, threat modeling can help students narrow in on issues worth fixing and how, then shut out the noise, so they can focus on their job.
Homework
(Before class)
- Read this article by the Electronic Frontier Foundation on threat modeling basics: "Your Security Plan"
- Read this article from researchers at Citizen Lab, "The Information Security Cultures of Journalism"
- Read this article from Gus Andrews, "User Personas for Privacy and Security"
Sample slides
Threat modeling (Google Slides)
Activities
Try out a threat modeling exercise with your class. Ask them to imagine one piece of information they'd like to keep for only themselves or their student newsroom. What might they do to protect it?
For this exercise, the Electronic Frontier Foundation offers a helpful handout (let students know they will be asked to share what they wrote down): Threat Modeling Activity Handout (English, Spanish)
Questions for discussion
- Did this exercise help you think of anything unexpected about your security concerns?
- Thinking back to the physical examples of protecting items we examined earlier, what physical items with digital information do you have that you care about most? What are the threats to that item, if any? How do you currently mitigate against them?
- Reflecting on the example you used in this threat modeling handout, did this exercise make you feel more confident, or more conflicted about any of your current digital security practices? Everyone who feels more confident, raise your hand. (Call on students to describe why they might feel that way.)
- Everyone who feels more conflicted, raise your hand. (Call on students to describe why they might feel that way.)