​​​​​​​Building a bridge between IT experts and activists 

Security concerns are a constant companion in development projects. With the rise of the internet, this now includes digital components such as hacked emails, intercepted calls and lost data that cause security problems for employees. It results in financial challenges. This could be something as simple as a virus, hacker or distracted employee deleting digital files. 

Development organizations have mostly answered these new threats with individual digital security training. They train individuals to create safe passwords, encrypt emails or use the Tor browser to anonymize their internet behavior. While this approach helps raise awareness and provide a glimpse of what people can do on an individual level, some underlying structural problems remain. Activists cannot fix this without the support of IT specialists. 

A hurdle for IT security 

Today, the core barrier to holistic digital security in development cooperation is that organizations with different infrastructure have to work together on short-term projects. But they have neither the funds nor willingness to change their IT systems for this. Big organizations often have dozens of projects running at the same time. 

In many cases, activists who were trained in secure tools such as encrypted emails left the training motivated to change their online behavior, but, once back in the office, they realised that the tool did not work with their IT system. They are unable to implement the tool themselves and their motivation rapidly turns into disappointment. It's like asking people who speak different languages to communicate without teaching them each other's languages or providing a translator. 

Problem first, then the solution 

DW Akademie aims to build a kind of translation bridge between different actors — namely IT specialists, project managers and human rights activists in developing countries. The solution is threat modeling. Rather than being a revolutionary idea, this is a standard approach for people dealing with IT challenges. Yet non-specialists often ignore this basic first step. So what exactly is it? 

Threat modeling is a process to identify concrete risks, prioritize them and find countermeasures. You don't start your thinking with: "Do we have to encrypt our emails?" but rather: "How likely is it that an attacker is interested in our emails and is indeed able to intercept them?" If it is likely, would email encryption counter it? You no longer decide whether a tool is 100% secure — which is impossible — but only whether it is secure enough for a concrete need. 

Avoiding secure tools that aren't used 

Typical end-users, like NGO workers or activists in the field, sometimes argue that such a threat model is not their job. They believe IT specialists should do it — and this is partly true, because these experts have technical knowledge and can recommend tools. 

But specialists have an understanding of technology that could also backfire. A tool they find easy to use might be useless in the daily work of an activist working in a different cultural and financial setting. Interviews and workshops for this project showed that impractical solutions are the core reason why activists and project managers do not use specialist tools. So, while you could let IT experts create a threat model for your project, they may not truly understand the limits and context of your project. There's a high chance that the technology won't help — or worse, the end-user would be forced to use secure technology that they find frustrating to work with.

A step-by-step guide  

To bring end-users and IT departments closer together, DW Akademie and its project partners have developed a step-by-step guide to enable project managers and their teams to make their own threat models. They are guided, for example, to make lists of workflows, define assets they would like to protect, such as social media accounts, and think about potential attackers. 

The core value of the guide should be that the threat model is created in a way that IT specialists can work with – and hopefully better understand –the situation and recommend technology that is both usable and secure. It will be released in Autumn 2020 and will come with an interactive online tool that enables them to create individual security concepts on the basis of a threat model. The threat modeling guide and online tool won't change peoples' behavior straight away, but gives them realistic guidance that enables them to implement a secure IT system.