In 2019 and 2020, we partnered with Internews to identify opportunities and tools for organisational security practitioners at large and the orgsec.community specifically. As we near the end of our collaboration, we’re excited to share tools for orgsec practitioners, security researchers and others.
Below are resources built by community collaboration, desk research, interviews and group discussions. If you have any questions about using any of these, email orgsec@theengineroom.org.
You can learn more about the process of creating these tools in this post from Paola Mosso, who led much of the work.
If you want to learn more about our learnings around measuring and evaluating impact, take a look at this post from Sara Baker.
The Toolkit
Organisational Security Community: Challenges and opportunities for community strengthening
This document provides an overview of the research we conducted, which forms the foundation for the tools below, and opportunities we identified for continued community strengthening.
The research is also available in Spanish: Comunidad de Seguridad Organizacional: Desafíos y oportunidades para el fortalecimiento comunitario.
MONITORING AND EVALUATION FRAMEWORK
This framework is a tool to guide practitioners through assessing the orgsec practices of the organisations they support, both before and after providing support, so they can measure the impact of their work. The framework is designed to measure changes in organisational knowledge, attitude, behavior and condition, giving a clear and comprehensive picture of the achievements and solutions practitioners enable.
This framework is also available in Spanish: Marco de Monitoreo y Evaluación para la Seguridad Organizacional.
❗️ Follow this guide for support using the framework.
CASE STUDIES
These case studies illustrate the consequences of digital attacks against human rights and alternative media organisations, while recommending how such organisations–and practitioners from all backgrounds supporting them–may mitigate digital attacks. They are especially useful for researchers,practitioners and civil society organisations seeking to understand the threats in this space, as well as mitigation tactics conducted by the organisational security community.
TRENDS REPORT
This report outlines an analysis of cases drawn from incidents reported between April 2019 and March 2020 by organisational security practitioners from Eastern Europe, the MENA region and Southeast Asia, as reported in cases provided by Internews and by Access Now’s Digital Security Helpline.
This report demonstrates common threats and relevant patterns, and practitioners’ strategies to respond to attacks. It’s relevant for researchers and practitioners seeking to understand the threats in this space.
ARCHETYPES & CASE STUDIES BUILDING GUIDE
This guide is a tool for practitioners to take in information about a threat or attack and build it into a shareable archetype or case study.
Attack archetypes illustrate threat patterns and scenarios that are commonly seen. They can help human rights organisations identify recommended digital protection practices, based on their organisation’s profile and the type of attacks they are experiencing (or might one day experience due to their profile). You can view attack archetypes few of those common scenarios here:
Malware Watering Hole Spearphishing Mobile Device Compromise Website Compromise
Case studies seek to support practitioners and civil society organisations by illustrating the consequences of attacks and the benefits of deploying mitigation tactics, through a detailed description of a real-world scenario.
EFFICACY MATRIX
This tool visualises mitigation techniques used by practitioners to respond to certain risks in different vectors – such as the organisation’s website, social media accounts or devices. It seeks to help human rights defenders organisations and digital safety experts by supporting them to choose and prioritize mitigation tactics based on observed effectiveness over time.
Looking for More?
We’ve learned a lot from this process and have tried to document our learnings along the way. You can:
- Read about the process of creating these tools
- Dive into how we thought about measuring and evaluating impact
- Review some early opportunities (and challenges) we identified
- Catch up from the beginning and learn more about our orgsec work
Illustrated by Matilde Salinas.