New research: Why don’t more J-schools teach digital security?

Martin Shelton

Principal Researcher

Jennifer Henrichsen

Yale Information Society Project Fellow

In recent years at Freedom of the Press Foundation — where we have one of the only full-time digital security teams focused on training journalists — we’ve seen firsthand how newsroom demand for security expertise has exploded. So you’d think educating the next generation of journalists about digital security would be a critical part of journalism schools as well. Unfortunately, our research suggests we have a long way to go.

Recently, we presented new and original research on the barriers to digital security education in U.S. J-schools at the 2021 International Communications Association conference.

Just like contemporary newsrooms targeted for hacking and surveillance, student journalists who move to professional newsrooms will be expected to promote their work online. In turn, they will have to worry about communications being monitored by their governments, state-sponsored hackers infiltrating their newsrooms, coordinated harassment campaigns, and much more.

We wanted to know what journalism schools are doing to prepare students for this volatile environment for digital safety. In early 2020[1] we reached out to accredited and provisionally accredited graduate and undergraduate university programs across the U.S. — at the time 106 departments. We contacted department heads, professors focused on technology coursework, and department staff whose roles involve knowledge of the program (e.g., students services specialists), and asked if they offered digital security courses or related coursework. Of the programs we contacted, 43% responded. We also examined the non-responsive programs’ course offerings to learn if they had related listings. Finally, we interviewed 13 instructors and 10 students to learn more about security education at their programs.

Despite the clear need for digital security education, of the responsive programs, roughly one-in-four said they offered digital security education of some kind. When these efforts do take place, typically they are one-time lectures embedded in ongoing coursework, as well as informal, ad hoc workshops. At the time of the study, among accredited and provisionally accredited programs we identified two J-schools — University of Nevada, Reno’s Reynolds School and University of Southern California’s Annenberg School — that offered dedicated digital security courses as electives. (To be clear, there may be others that we lacked visibility into.)

One-off workshops cover digital security fundamentals, such as an introduction to risk assessment techniques, password practices, and encrypted chat tools like Signal. And while these types of seminars — which usually only last 2-3 hours — are a good starting point, students may not retain all of the information taught in a single workshop, given the range of tools and practices introduced in a relatively short time. Likewise, they may not have dedicated time to practice implementing the suggested security practices, and therefore may not develop the experience necessary to incorporate them into their work. Extended courses, by comparison, provide this time and space.

Many professors suggested that their program would have a difficult time accommodating digital security coursework because they already struggle to fit so many topics into their existing program. Each year, industry trends influence how departments prioritize their coursework, and in recent years departments have been pulled into dozens of less-familiar topic areas, such as novel digital media techniques and programming skills, further straining instructors’ time.

J-schools’ education priorities are highly market-driven. Many newsrooms are influencing J-schools to help them develop competencies that will be used in journalistic output, such as podcasting and data reporting. By contrast, digital security is often seen as less critical to the output of reporting—despite its outsized importance.

We also know the Accrediting Council on Education in Journalism and Mass Communications has prioritized a variety of digital media literacy topics, but does not ask departments to require any form of digital security education. Such a requirement would incentivize over a hundred programs to adopt digital security in their curriculum.

Another reason so few programs have digital security offerings is that department leadership is simply not aware of the significance of this problem. We spoke to a few instructors in positions of leadership who said that when they worked in a newsroom, security was not a contemporary issue. Likewise, though many students do have traumatic experiences online, students have not often faced digital attacks specifically in response to their reporting assignments, like the kind they will likely face on the job. With less exposure to security threats seen in newsrooms, these issues are often rendered invisible among faculty.

In other words, J-schools are dealing with significant knowledge gaps and competing incentives. Even when it’s a topic on their radar, J-school programs may not always have the in-house knowledge or the willingness to give this topic the time it needs. You could understand why, then, it’s rare for a program to dedicate more than 1-2 hours to digital security education.

It’s not all doom and gloom, however. A growing number of programs are turning their attention to the need for digital security skills in journalism. For example, the new Craig Newmark Center for Journalism Ethics and Security is making hefty investments in this area.

Likewise, a constellation of educators within and across J-schools are working to advance journalistic security. Susan McGregor is one of the few experts in this area who has studied and instructed on journalistic security in multiple programs at Columbia University. Dr. Gi W. Yun at the Reynolds School of Journalism at the University of Nevada, Reno, with help from the Electronic Frontier Foundation, has developed an innovative course on cybersecurity, privacy, and surveillance. At Freedom of the Press Foundation, we partnered with former national security reporter Marc Ambinder to help devise an exhaustive digital security course for the University of Southern California’s Annenberg School for Communication and Journalism. The people doing this work are few and far between, but they are out there.

We need more of these security champions. In J-schools, security champions advance journalistic security by organizing appropriate expertise (typically by going outside of the department), convincing department leadership it’s worthwhile, and by building sustainable infrastructure, such as external partnerships, funding, and advocating for opportunities to embed these lessons into the broader curriculum. Each program with a digital security offering started with one or more security champions who earned department buy-in.

Though digital security workshops conducted in many J-schools are often ad hoc, they are one of the few places where security education has broken through. Workshops also introduce opportunities to invite in external expertise. For example, at Freedom of the Press Foundation, the digital security team regularly conducts workshops with newsrooms and universities, and in 2020 over 1200 journalists attended at least one of these workshops.

While we think these workshops are vital to working journalists, they aren’t a one-size-fits-all solution. Consider the devices and platforms we use in a given day: cell phones, computers, and tablets of all different brands and models. Then add on top of that the ways we communicate over these devices: calls, emails, text messages, social media, and countless other apps. Those devices and platforms are constantly updating and changing, and the advice on what tools to use changes radically depending on the situation. (For example, the advice you’d give journalists covering national security in the U.S. is sometimes the opposite of what is necessary in Russia.) You can quickly see it would be impossible for journalists to learn everything they need to stay safe in a day or two. A workshop can be a meaningful starting point, but the time needed to reflect on and engage the material is often lacking.

To drive systemic change in security education needed in newsrooms today and in the future, journalism schools would ideally integrate these practices into a digital security curriculum, where students can not only learn the proper tools to use, but more importantly the mindset to think critically through these problems. That way, when the tools change they’ll be able to change with them. This is only possible to do when they have the time and space to take in everything they need to navigate their work in relative safety.

To help instructors get started, later this year Freedom of the Press Foundation will be releasing an exhaustive digital security curriculum with modular lessons on security basics for journalists, which will be free and openly available to the community.

We desperately need more security champions in the field, and universities should be leading the way, instead of following from behind.

--

[1] We contacted universities to learn about their course offerings between February 20 to April 2, 2020, and gathered our interviews between January 29, 2020 to June 2, 2020.

Dr. Martin Shelton is principal researcher at Freedom of the Press Foundation, focused on security and user research.

Dr. Jennifer Henrichsen recently defended her dissertation at the University of Pennsylvania’s Annenberg School of Communication, and she worked with Freedom of the Press Foundation on this research. She is an incoming Assistant Professor at Washington State University in fall 2021.

Image credit: Elisabeth Woldt. CC-BY-NC 2.0

Donate to support press freedom

Your support is more important than ever.