Mitigation Framework – 4 Steps

Step 1. Threat Map. Identify potential threat methods for analysis.

| Threat Type | Individual | Group Identity | Organization |
|---|---|---|---|
| Direct | Bullying; coordinated targeting; hateful, inflammatory, or embarrassing comments; threats of violence; upsetting content; gendered threats; sustained harassment; mob harassment; sexual harassment; stalking; doxxing; SWATing; and account takeovers/lockouts. | Tactics leveraging social cleavages (for example hate speech or dog whistles) such as race, ethnicity, socioeconomic status or class, gender, sexual orientation, religion, regional or national origin, citizenship status, occupation, employment status, age / generation, education, or political affiliation. | Coordinated targeting of organizational accounts; denial of service or of access to an organization’s content. |
| Indirect | Spreading of false or misleading information about an individual; defamatory information; disclosure of non-consensual intimate images; impersonation; hateful, inflammatory, or embarrassing comments. | Spreading of false or misleading information about a social group; hate speech directed towards a social group; divisive speech that may be either opposed to or supportive of various social groups. | Mass internet shutdowns; establishing seemingly allied organizations to share disingenuous content; establishing opposition organizations to spread opposing viewpoints; imitation of the organization’s online presence (e.g., typosquatting). |
| Ingestion | Persuasion of the individual to believe, or be biased towards, inaccurate information. | Persuasion of groups to believe inaccurate information about other groups, sowing division or apathy, or bolstering alliances. | Persuasion of the organization to use inaccurate information in decision making. |
| Generation | Creation, publishing, or sharing of misinformation; harassment against co-workers and others outside of the organization. | Creation and spreading of misinformation; harassment against co-workers and others outside of the organization. | Creation or spreading of misinformation; harassment against co-workers and others outside of the organization. |

Step 2. Harm Map. Connect scenarios to potential harms for the organization or its individuals or groups of individuals.

Individual Harms

| Harm Type | Definition |
|---|---|
| Harms to Self-Determination | |
| Loss of autonomy | Loss of autonomy includes needless changes in behavior, including self-imposed restrictions on freedom of expression or assembly. |
| Loss of liberty | Improper exposure to arrest or detainment. Even in democratic societies, false or negative information can lead to increased scrutiny, arrest, or abuse of governmental power. |
| Power imbalance | Information, or the threat of its disclosure, can create an inappropriate power imbalance or take unfair advantage of an existing power imbalance between the acquirer and the individual. |
| Physical harm | Actual physical harm to a person, including the potential to cause death. |
| Psychological harm | Information can cause psychological distress to the target such as increased anxiety, fear, and depression, possibly triggering reactions to previous trauma. This distress can also contribute to physical self-harm. |
| Reputational Harms | |
| Loss of trust | The breach of implicit or explicit expectations about character and behavior between individuals or organizations. Loss of trust can leave entities reluctant to engage in further cooperation. |
| Stigmatization | Information can create a stigma that can cause embarrassment, emotional distress, or discrimination. |
| Economic Harms | |
| Financial losses | Harms resulting from loss of employment, business relationships, increased government scrutiny, and imprisonment. |

Group Harms

| Harm Type | Definition |
|---|---|
| Operational Harms | |
| Loss of productivity | Inefficiencies due to decision-making based on inaccurate or misleading information, leading to increased delays, false starts on program activities, or time spent sorting and verifying information for accuracy. |
| Loss of mission impact | Decreased impact due to organizational decision-making or activities that incorporate or promote inaccurate information, or from the influence of competing narratives on the organization’s supported beneficiaries. |
| Reputational Harms | |
| Loss of trust | Damage to trust with public and private entities such as individuals, partner organizations, funders, government agencies, and other external supporters. |
| Loss of morale | Damage to internal attitudes from individual embarrassment, emotional distress, or discrimination due to association with the organization. |
| Discrimination | Groups within an organization, or individuals, may be unfairly judged, scrutinized, or excluded based on their actual or perceived group affiliation. |
| Stigmatization | Information can create a stigma that can cause embarrassment, emotional distress, or discrimination against a certain group. |
| Economic Harms | |
| Direct financial losses | Lost time and money spent to counter false information or improve security. |
| Indirect financial losses | Lost funding and business relationships due to reputational damage or lack of productivity. |

Step 3. Threat Scenarios. Develop a practical description of the threat and challenge assumptions.

Probing Questions

Adversary:
- What is the identity of the adversary responsible for the harmful information?
- What are the goals (if any) of an adversary sharing the harmful information?
- What resources might an adversary have at their disposal?

Content:
- Does the content contain personal information?
- Does the content threaten or create fear for one’s safety?
- What elements of “truth” are contained in the message?

Context:
- How is the harmful information delivered?
- When and how often are interactions taking place?
- How might the harmful information affect current events or campaigns?

Audience:
- Who is the intended recipient of the information?
- How could various stakeholders of the organization perceive the harmful information? What social norms might be violated?
- How might the audience react to the harmful information?
- How might law enforcement or government regulators react to the harmful information, if known?

Legitimacy:
- What might give this threat legitimacy with an influential audience?
- Why might the threat’s message or methods be perceived as normatively acceptable?
- How might information sources already deemed legitimate by certain audiences spread or give additional credibility to the threat?
- Who in power may spread or give credibility to the threat?

Impersonation:
- How might an adversary take over, or share information from, an account belonging to the target?
- How might an adversary convince an audience that their information is being shared with the target’s approval?
- How might an adversary bypass any vetting processes intended to ensure representations are made by authentic sources of information?

Linking:
- How have associates of the target been subject to harmful information threats in the past?
- How might publicly disclosed information about associations of the target tie to additional harmful information threats?
- How might historical information about the target’s associations and activities be used in combination with the threat?

Amplification:
- How might an adversary disseminate information to a large audience?
- What is the current number of followers or subscribers of the adversary?
- How might a harmful message move, intentionally or unintentionally, from less active online forums to more popular platforms?
- How has an adversary’s message, or similar threats, been amplified in the past?

Collection:
- How might sensitive information about the target be gathered by an adversary?
- How might a threat have been able to access, store, or share private information about the target?
- How might publicly available information about the target give credibility to a threat?

Suppressing:
- How might an adversary prevent opposing perspectives from being shared and heard?
- Why might the target be unable to use their existing information channels (website, social media accounts, newsletter) to counter the threat?
- How might an audience be blocked from accessing the target’s information or counter-messaging?

Step 4: Mitigation Map. Select suitable controls to mitigate potential harms.

Identify Harmful Information Risks

Identify Potential Threats:
- Consider threats to individuals, groups, or the organization
- Consider direct targeting, indirect attacks, ingestion, and generation

Connect Threats to Potential Harms:
- Identify the impact of potential threats to individuals, groups, and the organization
- Consider physical, reputational, and financial harms

Create and Prioritize Threat Scenarios:
- Describe threat scenarios in detail
- Evaluate and prioritize scenarios based on likelihood and impact

Identify Informal Practices or Formal Policies

Security (Physical or Digital) or Incident Response:
- Evaluate security risk management abilities and training
- Consider how psychosocial risks are addressed in the risk assessment / management program
- Improve account security of organizational and personal social media accounts
- Decrease the online availability of personal information about staff members

Social Media Use:
- Evaluate acceptable social media use for organizational accounts, including the response policy for comments and private messages
- Identify monitoring protocols for mentions of your organization and staff members in social media, comments, and forums
- Consider how policies account for the subjective experience of online abuse

Communications and Public Relations Strategy (identify and evaluate the following):
- Media literacy and verification processes to avoid sharing and consuming misinformation
- Plans to address potential information threats in advance
- Existing messaging that addresses misinformation directly or offers constructive alternative narratives in outreach to funders and stakeholders
- Contacts at social media platforms, media outlets, academia, government, and intermediaries that can support the organization during a crisis
- “First page” search results for the organization and its members

Human Resources or Employee Health & Wellness (identify and evaluate the following):
- The ability and experience of members of historically disadvantaged or marginalized groups to report, respond to, and recover from harmful information
- Reporting and confidential disclosure mechanisms for online and offline abuse
- Partnerships with programs offering mental health counseling, trainers, and other resources for victims and subjects of harmful information

Workplace Ethics / Code of Conduct (identify policies and practices regarding):
- Financial accounting
- Managing conflicts of interest
- Political endorsements and advocacy
- Whistleblower protections

Evaluate Organizational Culture

Evaluate the Organization’s Capacity to Address Harmful Information (identify and evaluate the following):
- Buy-in to address concerns of misinformation and online abuse
- Openness and transparency on areas for improvement

Values (identify and evaluate the following):
- Explicit values
- Implicit values

Performance (identify and evaluate the following):
- How leadership and staff uphold organizational values
- How staff and leadership perform and manage the identified policies or practices

Improve Organization-Wide Digital Security

Maintaining confidentiality:
- Secure accounts (personal and organizational)
- Secure devices
- Implement network monitoring

Maintaining availability of information:
- Implement DoS protection
- Enable censorship circumvention

Maintaining integrity of information:
- Enable domain spoofing protection (e.g., DMARC)
- Enable DNS hijacking protection (DNSSEC)
- Register similar URLs
Minimize the Availability of Potentially Harmful Information and Strengthen Communication Plan

Organizational Data Management:
- Implement a data minimization strategy
- Conduct an open source audit
- Reduce or obfuscate available open source information on the organization or its members

Personal Data Management:
- Review old social media posts
- Review social media privacy settings
- “Dox yourself”

Maintain Social Media Management Best Practices:
- Create policies for how to engage with legitimate commentators versus “trolls” in public and via private messages
- Maintain social media manager anonymity

Develop Communication Plan and Social Media Policies:
- Create a strategy for when to let harmful information “die out”, when to counter with direct refutations, and when to promote new narratives
- Create messages in advance
- Connect with a network of journalists and fact-checkers
- Create advertising and automation strategies for messaging amplification
- Improve web presence and search engine optimization, including strengthened networks of supporting sites
- Correct the record on authoritative sources such as Wikipedia

Implement Individual Detection

Develop individual skills to identify known strategies for creating harmful information:
- Verify the identity of new contacts, online and offline
- Familiarize with counterintelligence tradecraft
- Avoid discussing politically or culturally sensitive topics with strangers

Improve media literacy to reduce the organization’s susceptibility to its own ingestion and spread of misinformation:
- Teach source checking
- Implement content verification procedures

Implement Organizational Detection

Implement manual content monitoring:
- Implement and train staff on reporting harmful (or suspected) online information, including seemingly innocuous behavior
- Create a plan to relieve subjects of abuse from self-monitoring
- Create an emergency plan for manual monitoring of abuse campaigns by staff

Implement automatic content monitoring:
- Set up free keyword notification tools such as Google Alerts
- Preset filtered feeds in tools such as TweetDeck
- Employ social sensing or brand monitoring services

Implement external content monitoring:
- Collaborate with other organizations to monitor and research developments in misinformation in one’s domain
- Create an intake plan for colleagues from other organizations who request help

Immediate Response

Physical Safety and Wellbeing:
- Train staff for the initial shock: “breathe and connect with support, don’t handle this alone”
- Plan to move to safety if threats are credible
- “Better to be safe than sorry” policies

Digital Security:
- Conduct incident response procedures

Gather Evidence and Stay Aware of Threats:
- Monitor and archive (TweetDeck, Dox Yourself, Hunch.ly, Archive.org, Google Alerts)
- Manage manual monitoring of abuse campaigns by co-workers, accounting for burn-out

Next Stage Response

Prevent Escalation of Harms:
- Engage with platforms or intermediaries for removal of harmful content or automated accounts
- Use tools to identify, ignore, and/or block bots and trolls

Execute Crisis Communication Plan:
- Engage with supporters and funders to keep them informed
- Inform the public via media or other outlets (as needed)

Engage Legal Protections from Harassment or Threats:
- Notify law enforcement authorities if appropriate (SWATing prevention)
- Contact legal counsel for jurisdiction-based guidance

Improving Safety

Rebuild Psychological Resilience:
- Offer multiple avenues for coping
- Provide counseling services for employees

Improve Physical Protections:
- Reassess physical vulnerabilities at work locations and increase protections as appropriate
- Revisit personal security plans for employees

Recover Digital Safety:
- Reassess digital vulnerabilities and increase protections as appropriate

Repair Information Harms

Refine Communications Plan:
- Adjust messaging based on counternarratives and the situation
- Engage with supporters and funders to keep them informed
- Inform the public via media or other outlets

Continue to Use Platform-Specific Methods:
- Search engine optimization
- Search result downranking
- Content removal processes such as Right to be Forgotten / DMCA

Seek Legal Remedies:
- Contact legal counsel for jurisdiction-based guidance

Reassessment

Conduct a Formal After-Event Assessment:
- Learn how the organization could improve
- Learn and validate what people did well
- Describe resources that you wish were available