Next Module: Information Gathering
Security does not happen in a bubble. Every security policy, setting, and tool needs to be tailored for the specific context of the organization. Particularly with non-profit organizations that work with fewer resources, under different circumstances, and for different motivations than for-profit or government entities, “industry best practice” and boilerplate policies can actually cause more harm than good. Instead, security assistance providers must consider the context and capacity of their partner organizations, including political, economic, social, technological, legal, and environmental factors both within and beyond the organization.
- Understand how contextual factors can impact an organization’s security
- Understand methods to identify relevant contextual factors
- Understand methods to identify and categorize gaps and assumptions in one’s analysis
- Understand how to use the PESTLE framework
- See Course Readings for “Contextual & Capacity Research”
- Contextual Factors (PESTLE-M) Worksheet
- Contextual Assessment Information Requirements
- What should we search for?
- How do we organize the information we collect?
- What relevant information are we missing?
- What are our assumptions?
Existing frameworks include:
- Frontline Defenders’ Workbook on Security: Practical Steps for Human Rights Defenders at Risk. See CONTEXT ANALYSIS QUESTIONS.
- SAFETAG. https://safetag.org/guide/
How to use SAFETAG:
- A “How-To”
- A checklist
- A list of information resources
SAFETAG (“Guiding Questions” from Section 2.2 “Context”):
- What infrastructural barriers exist in the region?
- What are the top, non-targeted digital threats in this region?
- What are the top targeted digital threats facing organizations doing this work in this region / country?
- Are there legal ramifications to digital security in the country? (e.g. legality of encryption, anonymity tools, etc.)
- Has any organization or individual made specific threats, or demonstrated intention or mindset to attack on the organization or similar organizations?
SAFETAG (“Guiding Questions” from Section 2.3 “Capacity”):
- What is the organization’s ability to adopt new technologies or practices?
- What resources does the organization have available to them?
- What is the environment that the organization works within like? What barriers, threat actors, and other aspects influence their work?
- Are there any specific considerations for the audit that would require modifying the overall approach, tools, preparation steps, or timeline?
PMESII-PT Operational Variables may be seen in some INFOSEC circles. Considers Political, Military, Economic, Social, Infrastructure, Information, Physical Environment, and Time factors, usually in a “crosswalk” matrix with “ASCOPE civil considerations” (Area, Structures, Capabilities, Organizations, People, Events). However, same as in describing threats, we’ll want to avoid adopting militaristic terminology and methods. See example: [Image source: US Marine Corps Training Command]
Especially in the business world, PESTLE (or PEST) may be a good choice for categorizing contextual factors. [Source: Free Templates]
Political, Economic, Social, Technological, Legal, Environment (and sometimes Military) factors can be displayed in a matrix bounded by:
- SWOT: Strength, Weaknesses, Opportunities, Threats
- Time: Past, Present, Future
- Internal (Within Organization’s Control)
- External Factors (Within Organization’s Influence)
- External Factors (Beyond Organization’s Influence)
- In which ways could you discover this information?
- How do you do this securely? Collaboratively?
- What might cause you to stop the process?
** PESTLE Analysis Brief **
- You will create a 10 minute brief on a contextual factor that is relevant to your client’s organization. While you will receive individual credit for this assignment, do collaborate as a team in order to plan, collect, and analyze this information. Requirements
- Planning (As a Team). Create a game plan with your team so that each of your team members’ efforts focus on a relevant PESTLE category of factors. PESTLE M Worksheet
- Create a team collective document / spreadsheet where you can keep a running track of information / sources as you collect them. You will need to maintain this over the course of the semester and you will add to it as you complete your research & interviews with your client.
- Select topics that each team individually will research in breadth (eg. encompass a range of political factors that may affect your client) or in depth (eg. research how a specific data protection law might impact your client). Strive to meaningfully inform the other members of your team about content that is directly relevant to your client’s security posture.
- You may need to perform some initial research as a team to understand what important topics may be to consider. Your client’s website or other bits of information about your client organization may be a great place to start to do this planning – what is their mission? What recent work have they promoted?
- Collection. Seek open source information – this is a broad category that can include books, studies, websites, social media. Do not solely focus on gathering information from your client. This is the time to do your homework on the topic but also to figure out the best way for your team to collect / store this information. Remember: we are at one of the premier research universities in the world. There may be a subject matter expert available at UC Berkeley who can help you navigate a complex topic.
- Analysis. Perform some meaningful analysis on your topic instead of simply recalling information found online. For example, tell us why the education level or types of employees at the organization matter to their cybersecurity or to the Clinic’s work. Focus on providing the answer to “So what? Why does this matter?” when you provide information for your team.