Process Mapping and Risk Modeling

Summary

Purpose

Guiding Questions

Operational Security

Preparation

Outputs

Activities

Footnotes

1 ["CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link—so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."](https://targetedthreats.net/media/1-ExecutiveSummary.pdf#page=30)

References and resources for Process Mapping and Risk Modeling

Risk Modeling:

Overview: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Guide: "Risk Assessment" (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))
Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Guide for Conducting Risk Assessments" (NIST 800-30)
Report: "Risk Thresholds in Humanitarian Assistance" (European Interagency Security Forum)

Threat Modeling Resources (General):

Book: "Threat Modeling: Designing for Security" (Adam Shostack)
Website: "An Introduction to Threat Modeling" (Surveillance Self-Defense)
Article: "Security for Journalists, Part Two: Threat Modeling" (Jonathan Stray)
Guide: "Managing Information Security Risk: Organization, Mission, and Information System View" (NIST)
Guide: "Guide for Conducting Risk Assessments" (NIST)
Activity: "Threat Model Activity" (Tow Center)
Tool: Deciduous Threat Decision Tree Generator Guide | Tool including sample Tree (Kelly Shortridge)

Risk Assessment Activities:

Guide: "Risk Assessment" (Operational Security Management in Violent Environments (Revised Edition) - Chapter 2)
Guide: Risk Assessment (Workbook on Security: Practical Steps for Human Rights Defenders at Risk - Chapter 2)
Book: "Pre-Mortum Strategy" (Sources of Power: How People Make Decisions - p.71)

Threat Assessment Activities:

Guide: "Threat Assessment: Chapter 2.5 p. 38" (Operational Security Management in Violent Environments (Revised Edition))

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

manual: Establishing the threat level of direct attacks (targeting) (Protection Manual for Human Rights Defenders)

Risk Matrix Activities:

Guide: "Defining The Threshold Of Acceptable Risk" (Integrated Security)
Guide: "Risk Analysis: Chapter 2.7 - Operational Security Management in Violent Environments (Revised Edition)" (HPN - Humanitarian Practice Network)

Risk Assessment: Chapter 2 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Alternative Risk Modeling Activities:

Article: ["Operational Security Management in Violent Environments (Revised Edition)

Chapter 2 Risk assessment"](http://www.odihpn.org/index.php?option=com_k2&view=item&layout=item&id=3159) (HPN - Humanitarian Practice Network)

Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Guide: "Risk Assessment For Personal Security" (CPNI - Centre for the Protection of National Infrastructure)s
Guide: "Threat Assessment & the Security Circle" (Frontline Defenders)
Case Study: "Case Study 1 Creating a Security Policy" (Frontline Defenders)