Information Gathering Overview
This module introduces two information gathering methods for practitioners: interviews and surveys. While students may use open source intelligence (OSINT) techniques or technical measurement tools during the risk assessment process, much of what you learn about a partner organization will be shared directly by members of that organization. This module also introduces the advantages, disadvantages, and pitfalls of interviews and surveys.
- Understand the elements of an effective interview.
- Be able to prepare an interview guide.
- Consider the advantages and disadvantages of using interviews and surveys.
- See Course Readings for "Information Gathering"
In Module 7, students will have started a PESTLE analysis. Introduce this module while students are working on their analysis assignments. Have students briefly discuss their research so far.
Provide a recap on contextual/capacity research and PESTLE analysis.
- We need to understand an organization’s context and capacity, as these factors greatly influence the organization’s ability to improve its security.
- SAFETAG gives us some guidance, some “how-to,” and online links.
- We still need something to help us plan and organize this “universe” of context.
- PESTLE is a tool to identify
  - what stuff we already know
  - what stuff we need to learn more about
  - what stuff we don’t know yet
  - and what stuff we didn’t even consider.
Focusing on information we still need to learn or haven’t even considered:
What are the most effective ways to discover this information?
What is the best approach for discovering “unknown unknowns”?
Beyond open source internet research and technical tools, interviews and surveys are effective methods for gathering information about your client.
Interviews should be more than just data gathering:
- A guided but open-ended conversation exploring a person’s experiences.
- You should be fluid and able to react to new information.
- The interviewee should do the majority (90%) of the talking.
- Be comfortable with brief silence.
Rapport is key:
- Be active & respectful listeners
- Smooth transitions
- Professionalism
“Good interviews are like telling good stories” - Steve Fadden’s INFO 213 at UC Berkeley:
- Rapport-Building & Setup
- The “Heart”
- Greetings & Thanks.
- Informed Consent. Even if the interviewee is an employee or a referral from the client, everyone is given the opportunity to choose what happens to them and to their information.
- 3 Elements (from the Belmont Report):
  - Information: who you are, what will happen during the interview, how the data will be stored & used
  - Comprehension: adapt the delivery of this information to ensure understanding
  - Voluntariness: free of coercion; the interviewee may end the interview at any time and refuse to answer any question; ask for permission up front and reiterate it during the interview
Building the “Heart” of the interview guide:
Types of questions.
- Direct: “What types of multi-factor authentication do you use?”
- Sequence: “Walk me through your process to reset a password...”
- Specific Examples: “In the last month, what strange incidents have you experienced with your online accounts?”
- Projection: “What do you think would happen if that information was stolen...”
- Changes Over Time: “What are the differences in online attacks since the election?”
- Exhaustive List: “What are all the devices you use in your office in an average week/day?”
- Tasks and organizational structures: “Can you draw me a diagram of your incident response plan?”
Probing deeper into a “story” or “incident”:
- Time since last experience: “When was the last time you experienced online harassment?”
- Description of experience: “Can you describe that time...”
- Actions taken: “What did you do next... “
- Feelings: “How did you feel when that happened... “
- Outcome: “How did the situation get resolved?”
- Future actions: “If this happened again tomorrow, what would you do...”
Be prepared with common follow-ups:
- “5 Why’s”: “Why do you use security keys...”
- Naïve Outsider Perspective: “I’m not familiar with the US’s freedom of information laws, can you explain how you obtain that information?”
- Quantity: “How many of your employees fall into that category?”
- Peer Comparison: “Do your colleagues also use wireless hotspots?”
- Reflecting Back: “So, what I hear you saying is..... is that right?”
- Native Language: “Why did you refer to Facebook as ‘Spambook’?”
- Clarification: “...when you mentioned ‘probably from the United States’, what threat did you mean exactly?”
- Point to Their Reaction: “Why did you laugh when you said that?”
- Anything that you missed or want to clarify?
- Ask your subject what they thought you should’ve asked
- Any next steps you need to describe?
- Reiterate how you will use this information and provide options for follow-up
- Thank yous
Surveys don’t allow you to interact with the respondent, and there may be little opportunity to clarify or improve survey questions after your client has completed them.
- Questions should be unambiguous. For example, asking “what is the version number of your device?” can result in operating system numbers, model numbers, serial numbers. Providing detailed examples or instructions can help.
- Shorter surveys are generally better. Remember the time constraints for your partner.
- Each question should be justified. Consider what is potentially useful information and how will the answers affect your analysis.
- Consider the risks of the survey system and of each question. Responses may describe an organization’s weaknesses and adversaries, so ask who can access the stored answers and where they are hosted. Is there a less risky way to collect this information? Do we really need this information?
- Other considerations include language, jargon, accessibility, and usability of the survey tool.
Pilot the interview guide or survey with an advisor not on your team or with one employee in the organization.
What do these two questions look like when actually interviewing someone?
- “What do you want to protect?: Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.
- Who do you want to protect it from?: Make a list of your adversaries, or those who might want to get a hold of your assets. Your list may include individuals, a government agency, or corporations.” - EFF SSD
Next 15 minutes: Work with a partner and come up with a brief interview guide (3 - 5 questions) to ask a person about their personal threat model. Each pair will pilot their questions with another pair with one student as the interviewer and the other one as an observer.
Reflecting on the last activity, discuss the advantages, disadvantages, and potential pitfalls when using interviews and surveys to gather information from a sensitive population.
Interview Guide. For an upcoming partner interview, students will complete and submit an interview guide for review to the Clinic staff.