Susan E. McGregor Columbia Journalism School @susanemcg / [email protected] Elizabeth Anne Watkins Columbia Journalism School @watkins_welcome / [email protected] "Security by Obscurity": Journalists' Mental Models of Information Security

Feb 08, 2017

Knight Center
Transcript
Page 1: McGregor Watkins

Susan E. McGregor, Columbia Journalism School

@susanemcg / [email protected]

Elizabeth Anne Watkins, Columbia Journalism School

@watkins_welcome / [email protected]

"Security by Obscurity": Journalists' Mental Models of Information Security

Page 2:

We all remember the Snowden revelations

Page 3:

And the Sony hack

Page 4:

And the Gawker lawsuit

Page 5:

According to a Pew Research Survey of investigative journalists conducted in 2014:

● Half did not report using information security tools in their work

● Less than 40% reported changing their methods of communicating with sources since the Snowden revelations

● Yet the majority believe that the government has collected data about their communications

Yet in the last 3 years, it seems little has changed

Page 6:

According to a Pew Research Survey of investigative journalists conducted in 2014:

● 88% reported “decreasing resources in newsrooms” as the top challenge facing journalists today

● 56% named legal action against journalists as the second

Yet in the last 3 years, it seems little has changed

Page 7:

Why not?

Page 8:

We approach this question through the lens of mental models.

Page 9:

In the words of cognitive psychologist Donald Norman, mental models are:

“What people really have in their heads and guide their use of things.”

A mental model describes the way a person or group thinks about a system or process.

Page 10:

We conducted in-depth, semi-structured interviews with journalists (N = 15) and editors (N = 7) about their security preferences, practices and concerns.

We then analyzed these interviews using an iterative, grounded-theory process to identify and refine common themes.

Our research

Page 11:

Our results

Like the Pew survey, we found two overarching themes:

1. Our participants strongly related the need for security to the specific beat, geography or story they were covering.

2. Meeting face-to-face was the most consistently cited tactic for avoiding security issues related to digital communications.

Page 12:

“It depends on the sector, but not everyone has sensitive information. We have many open sources that don’t require any particular protection...It’s just in certain cases that one really needs to be careful.”

Page 13:

“I haven’t really dealt with something that was life or death. An extra level of security just didn’t seem necessary.”

Page 14:

“If you were on the national security beat [security technology] would be really useful. But I write about domestic social problems, education, crime, poverty.”

Page 15:

“I feel like it depends on how much you think someone is actively spying on you.”

Page 16:

Security by Obscurity

Taken together, we found that our participants' mental models of security were largely shaped by two sets of beliefs:

1. That their own level of information security risk was directly proportional to the likelihood that they were being specifically targeted. This was expressed in repeated references suggesting that security risk was a function of how conspicuous or controversial their coverage was. Conversely, participants expressed that if they were not being specifically targeted, they felt they faced a lower information security risk.

2. That the primary way to lower their information security risk was to take communications offline altogether, e.g. meet sources and/or colleagues in person.

Taken together, we characterize this mental model as "security by obscurity."

Page 17:

Security by Obscurity

In the computer science literature, "security by obscurity" is often highlighted as a spurious form of security: the idea that simply using obscure (or secret) security approaches provides sufficient protection.

We intentionally co-opt this term to indicate journalists' and organizations' belief that if their work remains sufficiently "low-profile," they do not need to concern themselves with information security.

We acknowledge that in both cases, "security by obscurity" can provide some tangible short-term protections. In the long run, however, this approach is not tenable in either discipline.

Page 18:

Limitations of "Security by Obscurity" for Journalists: Many successful attacks are phishing-based. From the article:

The executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

[...]

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

Page 19:

Limitations of "Security by Obscurity" for Journalists: Journalists and their organizations are not obscure

"Ok, it's not crazy or megalomaniacal to think that there might be a group of people who are actually trying to crack [our] systems. Right? I mean, we think of ourselves as prestigious...but not a sort of obvious global target newsroom...So I think that really brought home to us, 'No, we are a big old target.'"

Page 20:

Why does the "security by obscurity" mental model persist?

Page 21:

Understanding journalists' "security by obscurity" stance

We found multiple indicators of why journalists may continue to employ a "security by obscurity" mental model despite its gaps and inefficiencies:

1. Poor systems models: many participants expressed uncertainty or confusion about how digital communication systems worked and what kind of protections were afforded by particular practices.

2. "Good enough is good enough": in the absence of a clear understanding of the mechanisms of digital communications and their implications, most journalists relied on face-to-face meetings for security. Though limiting, this tactic is both reasonably effective and more accessible given their other resources.

Page 22:

I’ve been trying to reduce my Dropbox usage, and so I've been using just a USB stick or something. Which, I actually have no idea how safe that is. It seems more safe.

Page 23:

I tried to send an encrypted email to a manager, and she doesn’t have [encrypted] email. So, it’s available to our company…but it hasn’t been a priority for that manager. So I sent a note to her reporter…who was encrypted but was not in the office. So I said, “I’ll walk over and have a conversation with you, because I can’t send you what I would like to send you. I don’t want to put this in writing."

Page 24:

Ways forward

Page 25:

Improving on "security by obscurity" for journalists

A major opportunity for improving the accuracy and efficacy of journalists' mental models of security seems possible through better information dissemination and education.

1. The most prominent and highly detailed coverage of information security issues for journalists focuses on specific beats and topics. At least internally, organizations should clearly communicate the existence and origin of attacks.

2. Engage in direct educational efforts to help journalists and other personnel understand how digital communications work, and how particular security precautions function. Anecdotes from participants suggest this is a successful approach.

Page 26:

My initial response to being prompted to set up two factor authentication on my personal accounts - like on my Gmail account or my Facebook or wherever - was deep skepticism, because it just felt like another corporation asking for my phone number...[But] the whole tech team gave kind of a broader and clearer explanation of why it matters, and it didn't just seem like some kind of fishy thing from a faceless corporation, but more like, you know - here's a person I trust who's looking out for my company telling me why this matters for us as a company, and shortly after we went to two factor for the company, you know, I sort of acquiesced to all of the various two-factor requests in the rest of my life as well.

Page 27:

Susan E. McGregor, Columbia Journalism School

@susanemcg / [email protected]

Elizabeth Anne Watkins, Columbia Journalism School

@watkins_welcome / [email protected]

"Security by Obscurity": Journalists' Mental Models of Information Security