Information Gathering
** Summary **
This module introduces two information gathering methods for practitioners: interviews and surveys. While students may use open source intelligence (OSINT) techniques or technical measurement tools during the risk assessment process, much of what you will learn about a partner organization will be shared directly by members of that organization. This module also introduces the advantages, disadvantages, and pitfalls of interviews and surveys.
** Learning Objectives **
Understand the elements of an effective interview.
Be able to prepare an interview guide.
Consider the advantages and disadvantages of using interviews and surveys.
** Pre-Readings **
See Course Readings for "Information Gathering"
** Activities **
In Module 7, students will have started a PESTLE analysis. Introduce this module while students are working on their analysis assignments. Have students briefly discuss their research so far.
** Discussion **
Provide a recap on contextual/capacity research and PESTLE analysis.
We need to understand an organization's context and capacity, as these factors greatly influence the organization's ability to improve their security.
SAFETAG gives us some guidance, some "how-to," and online links.
We still need something to help us plan and organize this "universe" of context.
PESTLE is a tool to identify
what stuff we already know
what stuff we need to learn more about
what stuff we don't know yet
and what stuff we didn't even consider.
Focusing on information we still need to learn or haven't even considered:
What are the most effective ways to discover this information?
What is the best approach for discovering "unknown unknowns"?
** Input **
Beyond open source internet research and technical tools, interviews and surveys are effective methods for gathering information about your client.
Interviews
Interviews should be more than just data gathering:
A guided but open-ended conversation exploring a person's experiences.
You should be fluid and able to react to new information.
The interviewee should do the majority (90%) of the talking.
Be comfortable with brief silence.
Rapport is key
Be active & respectful listeners
Smooth transitions
Professionalism
"Good interviews are like telling good stories" - Steve Fadden's INFO 213 at UC Berkeley:
Introduction
Rapport-Building & Setup
The "Heart"
Retrospection
Wrap-up
Introduction.
Greetings & Thanks.
Informed Consent. Even if the interviewee is an employee or was referred by a client, everyone will be given the opportunity to choose what shall happen to them and their information.
3 Elements (from the Belmont Report):
Information: who you are, what will happen during the interview, how the data will be stored and used
Comprehension: adapt the delivery of this information to ensure understanding
Voluntariness: free of coercion ("end at any time", "refuse to answer any question"); ask for permission and reiterate it during the interview
Building the "Heart" of the interview guide:
Types of questions.
Direct: "What types of multi-factor authentication do you use?"
Sequence: "Walk me through your process to reset a password..."
Specific Examples: "In the last month, what strange incidents have you experienced with your online accounts?"
Projection: "What do you think would happen if that information was stolen..."
Changes Over Time: "What are the differences in online attacks since the election?"
Exhaustive List: "What are all the devices you use in your office in an average week/day?"
Tasks and organizational structures: "Can you draw me a diagram of your incident response plan?"
Probing deeper into a "story" or "incident":
Time since last experience: "When was the last time you experienced online harassment?"
Description of experience: "Can you describe that time..."
Actions taken: "What did you do next..."
Feelings: "How did you feel when that happened..."
Outcome: "How did the situation get resolved?"
Future actions: "If this happened again tomorrow, what would you do..."
Be prepared with common follow-ups
"5 Whys": "Why do you use security keys..."
Naïve Outsider Perspective: "I'm not familiar with the US's freedom of information laws, can you explain how you obtain that information?"
Quantity: "How many of your employees fall into that category?"
Peer Comparison: "Do your colleagues also use wireless hotspots?"
Reflecting Back: "So, what I hear you saying is..... is that right?"
Native Language: "Why did you refer to Facebook as 'Spambook'?"
Clarification: "...when you mentioned 'probably from the United States', what threat did you mean exactly?"
Point to Their Reaction: "Why did you laugh when you said that?"
Retrospection
Anything that you missed or want to clarify?
Ask your subject what they thought you should've asked
Wrap-ups
Any next steps you need to describe?
Reiterate how you will use this information and provide options for follow-up
Thank yous
Surveys
Surveys don't allow you to interact with the respondent, and there may not be much opportunity to clarify or improve survey questions after they have been completed by your client.
Questions should be unambiguous. For example, asking "what is the version number of your device?" can result in operating system numbers, model numbers, or serial numbers. Providing detailed examples or instructions can help.
Shorter surveys are generally better. Remember the time constraints for your partner.
Each question should be justified. Consider what is potentially useful information and how the answers will affect your analysis.
Consider the risks of the survey system and of each question. Is there a less risky way to collect this information? Do we really need this information?
Other considerations include language, jargon, accessibility, and usability of the survey tool.
Pilot the interview guide or survey with an advisor not on your team or with one employee in the organization.
** Deepening **
What do these two questions look like when actually interviewing someone?
"What do you want to protect?: Make a list of your assets: data that you keep, where it's kept, who has access to it, and what stops others from accessing it.
Who do you want to protect it from?: Make a list of your adversaries, or those who might want to get a hold of your assets. Your list may include individuals, a government agency, or corporations." - EFF SSD
Next 15 minutes: Work with a partner and come up with a brief interview guide (3 - 5 questions) to ask a person about their personal threat model. Each pair will pilot their questions with another pair with one student as the interviewer and the other one as an observer.
** Synthesis **
Reflecting on the last activity, discuss the advantages, disadvantages, and potential pitfalls when using interviews and surveys to gather information from a sensitive population.
** Assignments **
Interview Guide. For an upcoming partner interview, students will complete and submit an interview guide for review to the Clinic staff.