# Condensed Bibliography

#### **Introduction to Public Interest Cybersecurity**

Sean Brooks, Center for Long-Term Cybersecurity. “Defending Politically Vulnerable Organizations Online” \[<https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_PVOs.pdf>]

Citizen Lab’s “About Us” Paper. \[<https://citizenlab.ca/wp-content/uploads/2018/05/18033-Citizen-Lab-booklet-p-E.pdf>]

Citizen Lab’s Security Planner. \[<https://securityplanner.org/>]

Sandro Contenta, Toronto Star. “How these Toronto sleuths are exposing the world’s digital spies while risking their own lives” \[<https://www.thestar.com/news/canada/2019/12/13/from-a-tower-in-toronto-they-watch-the-watchers-how-citizen-lab-sleuths-are-exposing-the-worlds-digital-spies-while-risking-their-own-lives.html>]

Havron et al. "Clinical computer security for victims of intimate partner violence." In Proceedings of the 28th USENIX Security Symposium (pp. 105-122). \[<https://www.nixdell.com/papers/2019-usenix_clinical_security_FULL.pdf>]

Deji Olukotun, Access Now. “Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico” \[<https://www.accessnow.org/spyware-mexico-interview-luis-fernando-garcia-r3d-mexico/>]

Tactical Tech's Annual Report \[<https://cdn.ttc.io/s/tacticaltech.org/Tactical-Tech-2018-Annual-Report.pdf>]

#### **Ethics and the Citizen Clinic Code of Conduct**

Citizen Clinic. "Student Code of Conduct" \[<https://www.citizenclinic.io/Clinic_Curriculum/Modules/Ethics/Student_Code_of_Conduct/>]

Shannon Vallor, The Markkula Center for Applied Ethics. “An Introduction to Cybersecurity Ethics” \[<https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf>]

#### **Old School INFOSEC: Basic Controls**

Le Blond et al. “A look at targeted attacks through the lense of an NGO” \[<https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-blond.pdf>]

Sean Brooks, CLTC, TechSoup Webinar. “Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements.” \[<https://cltc.berkeley.edu/2019/02/25/cltc-and-citizen-clinic-present-cybersecurity-in-low-risk-organizations-webinar/>]

Citizen Lab’s Security Planner. \[<https://securityplanner.org/>]

Electronic Frontier Foundation’s Surveillance Self-Defense guide. \[<https://ssd.eff.org/>]

Alex Gaynor. “What happens when you type google.com into your browser's address box and press enter?” \[<https://github.com/alex/what-happens-when>]

Rus Shuler. “How Does the Internet Work?” \[<https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm>]

#### **Digital Surveillance of Politically Vulnerable Organizations: The Threat Landscape**

Stephen Arnold. “Telestrategies - An Interview with Dr. Jerry Lucas” \[<http://www.arnoldit.com/search-wizards-speak/telestrategies-2.html>]

Joseph Cox. “I Gave a Bounty Hunter $300. Then He Located Our Phone” \[<https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile>]

Vernon Silver and Ben Elgin. “Torture in Bahrain Becomes Routine With Help From Nokia Siemens” \[<https://web.archive.org/web/20111006185329/http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html>]

John Scott-Railton et al, Citizen Lab. “Bittersweet: Supporters of Mexico’s soda tax targeted with NSO exploit links” \[<https://citizenlab.ca/2017/02/bittersweet-nso-mexico-spyware/>]

#### **Problem Diagnosis and Reframing**

Netgain. “Digital Security and Grantcraft Guide” \[<https://www.fordfoundation.org/media/3334/digital-security-grantcraft-guide-v10-final-22317.pdf>]

Arthur Turner. “Consulting Is More Than Giving Advice” \[<https://hbr.org/1982/09/consulting-is-more-than-giving-advice>]

Thomas Wedell-Wedellsborg. “Are You Solving the Right Problems?” \[<https://hbr.org/2017/01/are-you-solving-the-right-problems>]

#### **Threat Modeling & Bounding Risk Assessments**

Electronic Frontier Foundation, “Surveillance Self-Defense: Your Security Plan” \[<https://ssd.eff.org/en/playlist/activist-or-protester#your-security-plan>]

NIST SP 800-37 “Risk Management Framework for Information Systems and Organizations.” Chapter 2 only. \[<https://csrc.nist.gov/CSRC/media/Publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf> or [Shutdown Mirror](https://github.com/danphilpott/fismapedia-files/blob/master/NIST%20SP%20800-037r2%20Risk%20Management%20Framework%20for%20Information%20Systems%20and%20Organizations;%20A%20System%20Life%20Cycle%20Approach%20for%20Security%20and%20Privacy,%202018-12-20%20\(Final\).pdf)]

NIST SP 800-39 “Managing Information Security Risk.” Chapter 2 only. \[<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf> or [Shutdown Mirror](https://github.com/danphilpott/fismapedia-files/blob/master/NIST%20SP%20800-039%20Managing%20Information%20Security%20Risk;%20Organization,%20Mission,%20and%20Information%20System%20View,%202011-03-01%20\(Final\).pdf)]

NISTIR 8062 “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” \[<https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf> or [Shutdown Mirror](https://github.com/danphilpott/fismapedia-files/blob/master/NIST%20IR%208062.pdf)]

#### **Contextual & Capacity Research**

SAFETAG, Internews. "SAFETAG Guide" ***Skim to Section 2.2, then read Section 2.2 and Section 2.3.*** \[<https://safetag.org/guide/>]

Read and Explore Examples About PESTLE. *(use an ad-blocker!)* \[<https://pestleanalysis.com/what-is-pestle-analysis/>]

Jorge Luis Sierra. “Digital and Mobile Security for Mexican Journalists and Bloggers” \[<https://freedomhouse.org/sites/default/files/Digital%20and%20Mobile%20Security%20for%20Mexican%20Journalists%20and%20Bloggers.pdf>]

#### **Information Gathering**

Ruba Abu-Salma et al. “Obstacles to the Adoption of Secure Communication Tools” \[<https://ieeexplore.ieee.org/abstract/document/7958575/>]

Jeanette Blomberg et al. "An Ethnographic Approach to Design" \[<https://www.researchgate.net/publication/262363851_An_Ethnographic_Approach_to_Design>]

Jenna Burrell. "The Field Site as a Network: A Strategy for Locating Ethnographic Research" \[<https://doi.org/10.1177/1525822X08329699>]

Collaboration on International ICT Policy in East and Southern Africa. “Safeguarding Civil Society: Assessing Internet Freedom and the Digital Resilience of Civil Society in East Africa” - Read each chapter, but for one country only. \[<https://cipesa.org/?wpfb_dl=237>]

Lofland and Lofland. Read Chapter 5 (66-98) "Logging Data" in "Analyzing social settings: A guide to qualitative observation and analysis" \[<https://searchworks.stanford.edu/view/10531063>]

#### **Open Source Research Methods, Safety, and Tools**

Awesome OSINT \[<https://github.com/jivoi/awesome-osint>]

Ian Barwise. “Open-Source Intelligence (OSINT) Reconnaissance” \[<https://medium.com/@z3roTrust/open-source-intelligence-osint-reconnaissance-75edd7f7dada>]

Conor Fortune, Amnesty International. “Digitally dissecting atrocities – Amnesty International’s open source investigations.” \[<https://www.amnesty.org/en/latest/news/2018/09/digitally-dissecting-atrocities-amnesty-internationals-open-source-investigations/>]

OSINT Framework \[<https://osintframework.com/>]

OSINT.link \[<https://osint.link>]

Travis Lishok, Protective Intelligence. “Part I: An Introduction To OSINT Research For Protective Intelligence Professionals” \[<https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt1>]

Travis Lishok, Protective Intelligence. “Part 2: An Introduction To OSINT Research For Protective Intelligence Professionals” \[<https://www.protectiveintelligence.com/blog/osint-intro-for-protective-intelligence-pt2>]

SECALERTS - Automated Security Audit \[<https://secalerts.co/security-audit>]

Marc Wilson, PCWDLD.com. "OSINT Tools & Software for Passive & Active Recon & Security!" \[<https://www.pcwdld.com/osint-tools-and-software>]

#### **Security Law and Policy Factors**

James C. Scott. “Seeing Like a State” - Chapter 9 \[<https://libcom.org/files/Seeing%20Like%20a%20State%20-%20James%20C.%20Scott.pdf>]

Kim Fong et al. “A CRIMSon Tide of Data: An Assessment of Potential Privacy Problems of the Consolidate Records Information Management System” \[<http://people.ischool.berkeley.edu/~strush/CRIMS_FongRowlandTrush_Feb2018.pdf>]

#### **Adversary Persona Development**

Julian Cohen. “Playbook Based Testing.” \[<https://medium.com/@HockeyInJune/playbook-based-testing-5df4b656113a>]

Bill Marczak and John Scott-Railton, Citizen Lab. “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents” \[<https://citizenlab.ca/2016/05/stealth-falcon/>]

Nick Merrill, Daylight Security Research Lab. "Adversary Personas" \[<https://daylight.berkeley.edu/adversary-personas/>]

Microsoft’s STRIDE and related blog posts. \[<https://cloudblogs.microsoft.com/microsoftsecure/2007/09/11/stride-chart/>]

#### **Threat Scenario Development**

Mitre’s ATT\&CK Wiki. \[<https://attack.mitre.org/>]

Mitre’s PRE-ATT\&CK Techniques. \[<https://attack.mitre.org/techniques/pre/>]

Mitre’s Common Vulnerabilities and Exposures search. \[<https://cve.mitre.org/cve/>]

#### **Changing Security Behaviors**

The Engine Room. “Ties That Bind: Organisational Security for Civil Society” \[<https://www.theengineroom.org/civil-society-digital-security-new-research/>]

Adrienne Porter Felt et al. “Improving SSL Warnings: Comprehension and Adherence” \[<https://dl.acm.org/citation.cfm?id=2702442>]

Francesca Musiani and Ksenia Ermoshina. “What is a Good Secure Messaging Tool? The EFF Secure Messaging Scorecard and the Shaping of Digital (Usable) Security” \[<https://www.westminsterpapers.org/articles/10.16997/wpcc.265/>]

Alma Whitten and Doug Tygar. “Why Johnny Can’t Encrypt” \[<https://www.usenix.org/legacy/publications/library/proceedings/sec99/full_papers/whitten/whitten_html/index.html>]

#### **Social Engineering and Phishing**

Citizen Clinic. "Phishing Simulation Policy" \[<https://www.citizenclinic.io/Clinic_Infrastructure/Phishing_Simulation/>]

Masashi Crete-Nishihata et al, Citizen Lab. "Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community" \[<https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/>]

Micah Lee, The Intercept. “It’s Impossible To Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.” \[<https://theintercept.com/2018/04/28/computer-malware-tampering/>]

Rachel Tobac. Social Proof Security. “How I would Hack You: Social Engineering Step-by-Step” \[<https://www.youtube.com/watch?v=L5J2PgGOLtE>]

#### **Designing Security Training**

Electronic Frontier Foundation. “Am I the Right Person?” \[<https://sec.eff.org/articles/right-person-to-train>]

Electronic Frontier Foundation. “How to Teach Adults” \[<https://sec.eff.org/articles/how-to-teach-adults>]

Browse the rest of EFF’s Security Education Companion. \[<https://sec.eff.org/>]

Rachel Weidinger et al. “How To Give A Digital Security Training” \[<https://medium.com/@geminiimatt/how-to-give-a-digital-security-training-4c83af667d40>]

Rachel Weidinger et al. “Digital Security Training Resources for Security Trainers, Fall 2019 Edition” \[<https://medium.com/cryptofriends/digital-security-training-resources-for-security-trainers-spring-2017-edition-e95d9e50065e>]

#### **Psychosocial Resilience**

Rated R for Resilience resource site. \[<https://sites.google.com/view/ratedr/basics>]

Angela Chen. The Verge. “Moderating content doesn’t have to be so traumatic” \[<https://www.theverge.com/2019/2/27/18243359/content-moderation-mental-health-ptsd-psychology-science-facebook>]

Sam Dubberley and Michele Grant. First Draft. “Journalism and Vicarious Trauma” \[<https://firstdraftnews.org/wp-content/uploads/2017/04/vicarioustrauma.pdf>]

Sarah Jeong, Charlie Warzel, Brianna Wu, Joan Donovan. New York Times. “Everything is GamerGate” \[<https://www.nytimes.com/interactive/2019/08/15/opinion/gamergate-twitter.html>] - **Read all of the four essays.**

#### **Harmful Information (Misinformation and Harassment)**

Tahmina Ansari, First Draft. “This Muslim journalist embraced social media until it ‘ruined’ his life” \[<https://firstdraftnews.org/this-muslim-journalist-embraced-social-media-until-it-ruined-his-life/>]

Nicholas Monaco and Carly Nyst. Institute For The Future. “State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns”. Read pages 3 to 21 & 45 to 51. \[<http://www.iftf.org/statesponsoredtrolling>]

Sarah Oh and Travis L. Adkins. InterAction. “Disinformation Toolkit.” \[<https://staging.interaction.org/documents/disinformation-toolkit/>]

Cindy Otis. USA Today. “Americans could be a bigger fake news threat than Russians in the 2020 presidential campaign” \[<https://www.usatoday.com/story/opinion/2019/07/19/disinformation-attacks-americans-threaten-2020-election-column/1756092001/>]

Reply All podcast. “#112 The Prophet” Listen to or read transcript. \[<https://www.gimletmedia.com/reply-all/112-the-prophet>]