Mitigation Framework
Step 1. Threat Map. Identify potential threat methods for analysis.
Subject Type | |||
Threat Type | Individual | Group Identity | Organization |
Direct | Bullying; coordinated targeting; hateful, inflammatory, or embarrassing comments; threats of violence; upsetting content; gendered threats; sustained harassment; mob harassment; sexual harassment; stalking; doxxing; SWATing; and account takeovers/lockouts. | Tactics (for example, hate speech or dog whistles) that leverage social cleavages such as race, ethnicity, socioeconomic status or class, gender, sexual orientation, religion, regional or national origin, citizenship status, occupation, employment status, age / generation, education, or political affiliation. | Coordinated targeting of organizational accounts; denial of service or access to an organization’s content. |
Indirect | Spreading of false or misleading information about an individual; defamatory information; disclosure of non-consensual intimate images; impersonation; hateful, inflammatory, or embarrassing comments. | Spreading of false or misleading information about a social group; hate speech directed towards a social group; divisive speech that may be either opposed to or supportive of various social groups. | Mass internet shutdowns; establishing seemingly allied organizations to share disingenuous content; establishing opposition organizations to spread opposing viewpoints; imitation of the organization’s online presence (e.g., typosquatting). |
Ingestion | Persuasion of the individual to believe, or be biased towards, inaccurate information. | Persuasion of groups to believe inaccurate information about other groups, sowing division or apathy or bolstering alliances. | Persuasion of the organization to use inaccurate information in decision making. |
Generation | Creation, publishing, or sharing of misinformation, harassment against co-workers and others outside of the organization | Creation and spreading of misinformation; harassment against co-workers and others outside of the organization | Creation / spreading of misinformation, harassment against co-workers and others outside of the organization |
Step 2. Harm Map. Connect scenarios to potential harms for the organization or its individuals or groups of individuals.
Individual Harms | ||
Harms to Self Determination | Definition | |
Loss of autonomy | Loss of autonomy includes needless changes in behavior, including self-imposed restrictions on freedom of expression or assembly. | |
Loss of liberty | Improper exposure to arrest or detainment. Even in democratic societies, false or negative information can lead to increased scrutiny, arrest, or abuse of governmental power. | |
Power imbalance | Information, or the threat of its disclosure, can create an inappropriate power imbalance or take unfair advantage of a power imbalance between the acquirer and the individual. | |
Physical harm | Actual physical harm to a person, including the potential to cause death. | |
Psychological harm | Information can cause psychological distress to the target such as increased anxiety, fear, and depression, possibly triggering reactions to previous trauma. This distress can also contribute to physical self-harm. | |
Reputational Harms | ||
Loss of trust | The breach of implicit or explicit expectations about the character and behavior between individuals or organizations. Loss of trust can leave entities reluctant to engage in further cooperation. | |
Stigmatization | Information can create a stigma that can cause embarrassment, emotional distress or discrimination. | |
Economic Harms | ||
Financial losses | Harms resulting from loss of employment, loss of business relationships, increased government scrutiny, and imprisonment. | |
Group Harms | ||
Reputational Harms | ||
Discrimination | Groups within an organization or individuals may be unfairly judged, scrutinized, or excluded based on their actual or perceived group affiliation. | |
Stigmatization | Information can create a stigma that can cause embarrassment, emotional distress or discrimination of a certain group. | |
Organizational Harms | ||
Operational Harms | ||
Loss of productivity | Inefficiencies due to decision-making based on inaccurate or misleading information leading to increased delays, false starts on program activities, or time spent sorting and verifying information for accuracy. | |
Loss of mission impact | Decreased impact due to organizational decision-making, activities that incorporate or promote inaccurate information, or from the influence of competing narratives on the organization’s supported beneficiaries. | |
Reputational Harms | ||
Loss of trust | Damage to trust with public and private entities such as individuals, partner organizations, funders, government agencies, and other external supporters. | |
Loss of morale | Damage to internal attitudes from individual embarrassment, emotional distress or discrimination due to association with the organization. | |
Economic Harms | ||
Direct financial losses | Lost time and money spent to counter false information or improve security. | |
Indirect financial losses | Lost funding and business relationships due to reputational damage or lack of productivity. |
Step 3. Threat Scenarios. Develop a practical description of the threat and challenge assumptions.
Probing Questions | |
Adversary |
|
Content |
|
Context |
|
Audience |
|
Legitimacy |
|
Impersonation |
|
Linking |
|
Amplification |
|
Collection |
|
Suppressing |
|
Step 4. Mitigation Map. Select suitable controls to mitigate potential harms.
Identify | ||
Identify Harmful Information Risks | ||
Identify Harmful Information Risks | Identify Potential Threats |
|
Connect Threats to Potential Harms |
| |
Create and Prioritize Threat Scenarios |
| |
Identify informal practices or formal policies | ||
Identify informal practices or formal policies | Security (Physical or Digital) or Incident Response | Identify and evaluate the following:
|
Social Media Use | Identify and evaluate the following:
| |
Communications and Public Relations strategy | Identify and evaluate the following:
| |
Human Resources or Employee Health & Wellness | Identify and evaluate the following:
| |
Workplace Ethics / Code of Conduct | Identify policies and practices regarding:
| |
Evaluate Organizational Culture | ||
Evaluate Organization’s capacity to address harmful information | Leadership | Identify and evaluate the following:
|
Values | Identify and evaluate the following:
| |
Performance | Identify and evaluate the following:
|
Protect | ||
Improve Organization-wide Digital Security | ||
Protect the confidentiality, integrity, and availability of the organization’s and individuals’ information systems | Maintaining confidentiality |
|
Maintaining availability of information |
| |
Maintain integrity of information |
| |
Minimize the Availability of Potentially Harmful Information. | ||
Reducing or obfuscating available open source information on organization or members. | Organizational Data Management |
|
Personal Data Management |
| |
Maintain Social Media Management best practices |
| |
Strengthen Communication Plan and Social Media Policies | ||
Develop communication plan and social media policies | Create a strategy for when to let harmful information “die out”, when to counter with direct refutations, or when to promote new narratives. |
|
Maintaining organizational presence and accurate information on authoritative sources of information |
|
Detect | ||
Implement Individual Detection | ||
Develop individual skills to identify known strategies for creating harmful information | Identify and learn how to react when in potentially compromising situations |
|
Improve media literacy to reduce an organization's susceptibility to its own digestion and spread of misinformation. |
| |
Implement Organizational Detection | ||
Develop organizational policies and practice for detecting harmful content | Implement manual content monitoring |
|
Implement automatic content monitoring |
| |
Implement external content monitoring |
|
Respond | ||
Immediate Response | ||
“Top 3 Things”, planned in advance. | Physical Safety and Wellbeing |
|
Digital Security |
| |
Gather Evidence and Stay Aware of Threats |
| |
Next Stage Response | ||
Prevent Escalation of Harms | Respond to content on Platforms |
|
Execute Crisis Communication Plan |
| |
Engage legal protections from harassment or threats. |
|
Recover | ||
Improving Safety | ||
Holistic Recovery | Rebuild Psychological Resilience |
|
Improve Physical Protections |
| |
Recover Digital Safety |
| |
Repair Information Harms | ||
Refine Communications Plan |
| |
Continue to use Platform-Specific Methods |
| |
Seek Legal Remedies |
| |
Reassessment | ||
Conduct a Formal After-Event Assessment |
|