Mitigation Framework

📖
Citizen Clinic
Search…
Welcome to the Citizen Clinic Cybersecurity Education Center
Case Studies
Low-Resource Organizations
Introduction
Section 1: Why do Low-Risk Organizations Need Cybersecurity?
Section 2: Common Cybersecurity Controls
Section 3: Additional Cybersecurity Best Practices
Appendices
Clinic Infrastructure
Virtual Private Network (VPN)
Creating Virtual Identities
Security Evaluation Framework for OSINT Tools
Mitigation Framework
Step 1. Threat Map. Identify potential threat methods for analysis.
​
Subject Type
​
​
Threat Type
Individual
Group Identity
Organization
Direct
Bullying; coordinated targeting; hateful, inflammatory, or embarrassing comments; threats of violence; upsetting content; gendered threats; sustained harassment; mob harassment; sexual harassment; stalking; doxxing; SWATing; and account takeovers/lockouts.
Tactics leveraging social cleavages (for example hate speech or dog whistles) such as race, ethnicity, socioeconomic status or class, gender, sexual orientation, religion, regional or national origin, citizenship status, occupation, employment status, age / generation, education, or political affiliation.
Coordinated targeting to organizational accounts; Denial of service or access to an organization’s content;
Indirect
Spreading of false or misleading information about an individual; defamatory information; disclosure of non-consensual intimate images; impersonation; hateful, inflammatory, or embarrassing comments.
Spreading of false or misleading information about a social group; hate speech directed towards a social group; divisive speech that may be either opposed or supportive of various social groups.
Mass internet shutdowns, establishing seemingly allied organizations to share disingenuous content; establishing opposition organizations to spread opposing viewpoints; imitation of the organization’s online presence(eg, typosquatting).
Ingestion
Persuasion of the individual to believe or biased towards inaccurate information.
Persuasion of groups to believe inaccurate information about other groups, sowing division or apathy or bolstering alliances.
Persuasion of the organization to use inaccurate information in decision making.
Generation
Creation, publishing, or sharing of misinformation, harassment against co-workers and others outside of the organization
Creation and spreading of misinformation; harassment against co-workers and others outside of the organization
Creation / spreading of misinformation, harassment against co-workers and others outside of the organization
Step 2. Harm Map. Connect scenarios to potential harms for the organization or its individuals or groups of individuals.
Individual Harms
​
​
Harms to Self Determination
Definition
​
​
Loss of autonomy
Loss of autonomy includes needless changes in behavior, including self-imposed restrictions on freedom of expression or assembly.
Loss of liberty
Improper exposure to arrest or detainment. Even in democratic societies, false or negative information can lead to increased scrutiny, arrest or, abuse of governmental power.
​
Power imbalance
Information, or threat of disclosure, can create an inappropriate power imbalance or takes unfair advantage of a power imbalance between acquirer and the individual.
​
Physical harm
Actual physical harm to a person, including the potential to cause death.
​
Psychological harm
Information can cause psychological distress to the target such as increased anxiety, fear, and depression, possibly triggering reactions to previous trauma. This distress can also contribute to physical self-harm.
​
Reputational Harms
​
​
​
Loss of trust
The breach of implicit or explicit expectations about the character and behavior between individuals or organizations. Loss of trust can leave entities reluctant to engage in further cooperation.
Stigmatization
Information can create a stigma that can cause embarrassment, emotional distress or discrimination.
​
Economic Harms
​
​
​
Financial losses
Harms due to a result of loss of employment, business relationships, increased government scrutiny, and imprisonment.
Group Harms
​
​
Reputational Harms
​
​
​
Discrimination
Groups within an organization or individuals may be unfairly judged, scrutinized, or excluded based on their actual or perceived group affiliation.
Stigmatization
Information can create a stigma that can cause embarrassment, emotional distress or discrimination of a certain group.
​
Organizational Harms
​
​
Operational Harms
​
​
​
Loss of productivity
Inefficiencies due to decision-making based on inaccurate or misleading information leading to increased delays, false starts on program activities, or time spent sorting and verifying information for accuracy.
Loss of mission impact
Decreased impact due to organizational decision-making, activities that incorporate or promote inaccurate information, or from the influence of competing narratives on the organizations’ supported beneficiaries.
​
Reputational Harms
​
​
​
Loss of trust
Damage to trust with public and private entities such as individuals, partner organizations, funders, government agencies, and other external supporters.
​
Loss of morale
Damage to internal attitudes from individual embarrassment, emotional distress or discrimination due to association with the organization.
Economic Harms
​
​
​
Direct financial losses
Lost time and money spent to counter false information or improve security.
​
Indirect financial losses
Lost funding and business relationships due to reputational damage or lack of productivity.
Step 3. Threat Scenarios. Develop practical description of the threat and challenge assumptions.
​
Probing Questions
Adversary
What is the identity of the adversary responsible for the harmful information?
What are the goals (if any) of an adversary sharing the harmful information?
What resources might an adversary have at their disposal?
Content
Does the content contain personal information?
Does the content threaten or create fear for one’s safety?
What elements of “truth” are contained in the message?
Context
How is the harmful information delivered?
When and how often are interactions taking place?
How might the harmful information affect current events or campaigns?
Audience
Who is the intended recipient of the information?
How could various stakeholders of the organization perceive the harmful information? What social norms might be violated?
How might the audience react to the harmful information?
How might law enforcement or government regulators react to the harmful information, if known?
Legitimacy
What might give this threat legitimacy with an influential audience?
Why might the threat’s message or methods be perceived as normatively acceptable?
How might those information sources already deemed legitimate by certain audiences spread or give additional credibility to the threat?
Who in power may spread or give credibility to the threat?
Impersonation
How might an adversary take over or share information from an account belonging to the target?
How might an adversary convince an audience that their information is being shared with the target’s approval?
How might an adversary bypass any vetting processes intended to ensure representations are made by authentic sources of information?
Linking
How have associates of the target been subject to harmful information threats in the past?
How might publicly disclosed information about associations of the target tie to additional harmful information threats?
How might historical information about the target’s associations and activities be used in combination with the threat?
Amplification
How might an adversary disseminate information to a large audience?
What is the current number of followers or subscribers of the adversary?
How might a harmful message move, intentionally or unintentionally, from less active online forums to more popular platforms?
How has an adversary’s message or similar threats been amplified in the past?
Collection
How might sensitive information about the target be gathered by an adversary?
How might a threat have been able to access, store, or share private information about the target?
How might publicly available information about the target give credibility to a threat?
Suppressing
How might an adversary prevent opposing perspectives from being shared and heard?
Why might the target be unable to use existing their information channels (website, social media accounts, newsletter) to counter the threat?
How might an audience be blocked from accessing the target’s information or counter-messaging?
Step 4: Mitigation Map. Select suitable controls to mitigate potential harms.
Identify
​
​
Identify Harmful Information Risks
​
​
Identify Harmful Information Risks
Identify Potential Threats
Consider threats to individuals, groups, or the organization
Consider direct targeting, indirect attacks, ingestion, and generation
Connect Threats to Potential Harms
Identify the impact of potential threats to individuals, groups, and the organization
Consider physical, reputational, financial harms
​
Create and Prioritize Threat Scenarios
Describe threat scenarios in detail
Evaluate and prioritize scenarios based on likelihood and impact
​
Identify informal practices or formal policies
​
​
Identify informal practices or formal policies
Security (Physical or Digital) or Incident Response
Identify and evaluate the following:
Evaluate security risk management abilities and training.
Consider how psychosocial risks are addressed in the risk assessment / management program.
Improve account security of organizational and personal social media accounts.
Decrease the online availability of personal information about staff members.
Other:
Social Media Use
Identify and evaluate the following:
Acceptable social media use for organizational accounts, including response policy for comments and private messages.
Monitoring protocols for mentions of your organization and staff members in social media, comments, and forums.
How policies consider the subjective experience of online abuse.
Other:
​
Communications and Public Relations strategy
Identify and evaluate the following:
Media literacy and verification processes to avoid sharing and consuming misinformation.
Plans to address potential information threats in advance.
Existing messaging that addresses misinformation directly or offers constructive alternative narratives in outreach to funders and stakeholders
Contacts at social media platforms, media outlets, academia, government, and intermediaries that can support the organization during a crisis
“First page” search results for the organization and its members
Other:
​
Human Resources or Employee Health & Wellness
Identify and evaluate the following:
The ability and experience of members of historically disadvantaged or marginalized groups to report, respond, and recover from harmful information
Reporting and confidential disclosure mechanisms for online and offline abuse
Partnerships with programs offering mental health counseling, trainers, and other resources for victims and subjects of harmful information
Other:
​
Workplace Ethics / Code of Conduct
Identify policies and practices regarding:
Financial accounting
Managing conflict of interests
Political endorsements and advocacy
Whistleblower protections
Other:
​
Evaluate Organizational Culture
​
​
Evaluate Organization’s capacity to address harmful information
Leadership
Identify and evaluate the following:
Buy-in to address concerns of misinformation and online abuse
Openness and transparency on areas for improvement
Other:
Values
Identify and evaluate the following:
Explicit values
Implicit values
Other:
​
Performance
Identify and evaluate the following:
How leadership and staff uphold organizational values
How staff and leadership perform and manage the identified policies or practices
Other:
​
Protect
​
​
Improve Organization-wide Digital Security
​
​
Protect the confidentiality, integrity, and availability of the organization’s and individuals’ information systems
Maintaining confidentiality
Secure accounts (personal & organizational)
Secure devices
Implement network monitoring
Other:
Maintaining availability of information
Implement DoS Protection
Enable Censorship Circumvention
Other:
​
Maintain integrity of information
Enable domain spoofing protection. eg DMARC
Enable DNS Hijacking protection (DNSSEC)
Register similar URLs
Other:
​
Minimize the Availability of Potentially Harmful Information.
​
​
Reducing or obfuscating available open source information on organization or members.
Organizational Data Management
Implement data minimization strategy
Conduct open source audit
Other:
Personal Data Management
Review Old Social Media Posts
Review Social Media Privacy Settings
“Dox Yourself”
Other:
​
Maintain Social Media Management best practices
Create policies for how to engage with legitimate commentators versus “trolls” in public and via private messages.
Maintain social media manager anonymity.
Other:
​
Strengthen Communication Plan and Social Media Policies
​
​
Develop communication plan and social media policies
Create a strategy for when to let harmful information to “die out”, when to counter with direct refutations, or when to promote new narratives.
Create messages in advance.
Connect with a network of journalists and fact-checkers.
Create advertising and automation strategies for messaging amplification.
Other:
​
Maintaining organizational presence and accurate information on authoritative sources of information
Improve web presence and search engine optimization including strengthened networks of supporting sites.
Correct the record on authoritative sources such as Wikipedia
Other:
Detect
​
​
Implement Individual Detection
​
​
Develop individual skills to identify known strategies for creating harmful information
Identify and learn how to react when in potentially compromising situations
Verify the identity of new contacts, online and offline
Familiarize with counterintelligence tradecraft
Avoid discussing politically or culturally sensitive topics with strangers
Other:
Improve media literacy to reduce an organization's susceptibility to its own digestion and spread of misinformation.
Teach source checking
Implement content verification procedures
Other:
​
Implement Organizational Detection
​
​
Develop organizational policies and practice for detecting harmful content
Implement manual content monitoring
Implement and train staff on reporting harmful (or suspected) online information, including seemingly innocuous behavior
Create a plan to relieve subjects of abuse from self-monitoring
Create an emergency plan for manual monitoring of abuse campaigns by staff.
Other:
Implement automatic content monitoring
Set free keyword notification tools such as Google Alerts
Preset filtered feeds in tools such as TweetDeck
Employ social sensing or brand monitoring services
Other:
​
Implement external content monitoring
Collaborate with other organizations to monitor and research developments in misinformation in one’s domain
Create an intake plan for colleagues from other organizations that request help
Other:
​
Respond
​
​
Immediate Response -
​
​
“Top 3 Things”, planned in advance.
Physical Safety and Wellbeing
Train staff for initial shock: “breathe and connect with support, don’t handle this alone”
Plan to move to safety if credible threats
“Better to be safe than sorry” policies
Other:
Digital Security
Conduct Incident Response procedures
Other:
​
Gather Evidence and Stay Aware of Threats
Monitor and Archive (Tweetdeck, Dox Yourself, Hunch.ly, Archive.org, Google Alerts)
Manage manual monitoring of abuse campaigns by co-workers accounting for burn-out.
Other:
​
Next Stage Response
​
​
Prevent Escalation of Harms
Respond to content on Platforms
Engage with platforms or intermediaries for removal of harmful content or automated accounts
Use tools to identify, ignore, and/or block bots/trolls
Other:
Execute Crisis Communication Plan
Engage with supporters and funders to keep them informed
Inform public via media or other outlets (as needed)
Other:
​
Engage legal protections from harassment or threats.
Notify law enforcement authorities if appropriate (SWATing prevention)
Contact legal counsel for jurisdiction-based guidance
Other:
​
Recover
​
​
Improving Safety
​
​
Holistic Recovery
Rebuild Psychological Resilience
Offer multiple avenues for coping
Provide counseling services for employees
Other:
Improve Physical Protections
Reassess physical vulnerabilities at work locations and increase protections as appropriate
Revisit personal security plans for employees
Other:
​
Recover Digital Safety
Reassess digital vulnerabilities and increase protections as appropriate
Other:
​
Repair Information Harms
​
​
​
Refine Communications Plan
Adjust messaging based on counternarratives and situation
Engage with supporters and funders to keep them informed.
Inform public via media or other outlets
Other:
Continue to use Platform-Specific Methods
Search engine optimization
Search result downranking
Content removal processes such as Right to be Forgotten / DMCA.
Other:
​
Seek Legal Remedies
Contact legal counsel for jurisdiction-based guidance
Other:
​
Reassessment
​
​
​
Conduct a Formal After-Event Assessment
Learn how the organization could improve
Learn and validate what people did well
Describe resources that you wish were available.
Other:
Fictional Case Studies
Next - Clinic Curriculum
Condensed Bibliography
Last modified 7mo ago
Copy link
On this page