
Persona based training matrix

fabacab edited this page Feb 14, 2021 · 24 revisions

This page introduces a persona-based framework with which to approach information (infosec), operations (opsec), and especially communications security (comsec).

📝 💡 This material is not intended to be an end-user resource, but rather a resource for digital security and communications privacy trainers or teachers; see Train the Trainers. Its goal is to provide a resource to meet the following challenge: "how do we teach threat modeling, without ever saying the term 'threat model' or using any other jargon, to people who don't want to have to care about digital/computer security, but know that they need to care anyway?" This material is intended to constructively supplement, not replace, existing resources compiled elsewhere. The focus is on filling in gaps left by other guides and highlighting appropriate practices at certain levels of concern; this is a scaffold on which to hang the rest of your security training education.

There are two types of personas, each consisting of three broad groupings. These two types, "defenders" (you) and "attackers" (them), are laid out according to their group's capabilities, creating a three-by-three matrix. This matrix is linearized and inter-linked below.

  1. Motivation
  2. The matrix
  3. Personas
    1. Defenders
      1. Individuals
      2. Organizers and Journalists
      3. Targeted Activists
    2. Attackers
      1. Random Assholes
      2. Assholes with Resources
      3. The State
  4. Triage

📝 Editor's note: Please read about the process we're using to create this material.


Motivation

We created this "persona-based" framework with which to approach information (infosec), operations (opsec), and especially communications security (comsec) for several reasons. Based on our own experiences and our observations that many efforts to encourage less-technical people to adopt security best practices have failed, we note that the ways in which most of these efforts fail are not random. Rather, they exhibit specific patterns.

Nevertheless, communications security ("COMSEC") is a critical practice both for maintaining personal privacy and for sustaining any larger-scale resistance against the nearly hegemonic systems of domination and oppression we face in our day-to-day lives. Although many guides for actualizing this practice already exist, most display biases that make them more useful for certain kinds of "activists" over others. Some resources use inaccessible and exclusionary language, either by using unclear jargon or by making insensitive assumptions about gender or race.

The failure modes we most commonly observed are:

  1. Often, we are unable to find information appropriate to the specific threats we face. That is, most security guides assume our only adversary is the NSA. This is absurd, and most people are correctly ignoring advice from these guides.
  2. Security guides use highly technical concepts and jargon terms before introducing their fundamental principles. For instance, describing a "public key infrastructure" in an article written for laypeople is nonsensical because there is never a time when those three words are uttered in sequence unless you are a computer security professional. Most people like us who may be struggling to make rent cannot be reasonably expected to understand what this means.
  3. Often, "experts" simply demand that people take too many actions in too short a time. This is exacerbated by the clickbait nature of news, with lists of "tips" that don't thoroughly explain what each "tip" is or why it's useful. Confused readers are bombarded with a list of many things they don't understand, so they naturally feel overwhelmed and shut down.

These are on top of the implicit (cis)sexism and capitalist framing of many of these guides, which are simply so pervasive that we consider an exhaustive accounting of these obstacles superfluous here.

The matrix

How to use this persona-based threat modeling matrix:

  1. You are a "defender" (a given row). Find yourself there.
  2. Your concern(s) map to a given "attacker" (a given column). Find your attacker.
  3. Find the cell at which these two personas intersect. Everything listed in the cells above and to the left of your cell applies to you, too.
  4. Start at the top-left cell and read the advice from left-to-right, top-to-bottom, until you reach your cell. Then stop worrying. :)

| Defenders | Random Assholes | Assholes with Resources | The State |
|---|---|---|---|
| Individuals | Individuals vs Random Assholes | Individuals vs Assholes with Resources | Individuals vs The State |
| Organizers and Journalists | Organizers & Journalists vs Random Assholes | Organizers & Journalists vs Assholes with Resources | Organizers & Journalists vs The State |
| Targeted Activists | Targeted Activists vs Random Assholes | Targeted Activists vs Assholes with Resources | Targeted Activists vs The State |


Personas

In the context of this resource, a "persona" is simply a coarse grouping of entities, divided into two opposing categories: "defenders" and "attackers." There are three personas in each category.


Defenders

A "defender" is a persona that roughly describes one "half" of a given threat model. Defenders in our framework are:


Individuals

An "individual," for our purposes, is any person who is primarily concerned with their own privacy and security. This can be:

  • A citizen of a country who uses social media to post about their mundane daily activities.
  • An employee of a corporation who uses company resources (either hardware, software, or network infrastructure) to perform personal tasks such as banking, emailing, and so on.
  • A member of an oppressed group who faces threats other individuals may not, such as a woman with a jilted ex-lover, an undocumented immigrant, people of color, queer youth, and so on.

Organizers and Journalists

An "organizer," for our purposes, is any person whose safety concerns extend to other people as well as themselves, for any reason. This notably includes "journalists" because, by definition, they are responsible for the safety of their sources as well as themselves, but it can also include other roles. Some examples of other social roles that our framework considers "organizers" include:

  • System administrators responsible for maintaining the information systems of companies or community groups
  • Community organizers (activists) who take some part in explicit political activity
  • Individuals who engage in controversial subcultures and practices, despite not being "explicitly political" about it, such as people who run or simply participate regularly in LGBT or mental health support groups, and so on.

Targeted Activists

If you are a "targeted activist," you probably know who you are because you've self-identified yourself to yourself as one, and we'll just leave it at that.


Attackers

An "attacker" is a persona that roughly describes one "half" of a given threat model. Attackers in our framework are:

  • Random Assholes: malicious individuals, harassers or unsophisticated mobs
  • Assholes with Resources: organized hate groups, rogue cops, more sophisticated / technical Random Assholes, more dedicated assholes (e.g. "jilted lovers" with resources)
  • The State: Governments, surveillance apparatus & multinational corporations (Wal-Mart, Apple+Google+Facebook, etc.)

Random Assholes

A "random asshole," for our purposes, is an individual or uncoordinated mob whose intent is to cause malicious harm. This can include:

  • Twitter eggs, individual Trump supporters, and so on
  • A (relatively unskilled) person who holds a grudge against you for some reason
  • Racist co-workers
  • Loosely coordinated mobs of trolls and hate-mongers such as Stormfront, "4chan," and so on

Assholes with Resources

The ambiguous part of this persona is the "resources" part. This can mean a number of different things in practice, but the unifying thread is that there is some additional capability that these specific assholes have that "random assholes" don't. That distinction means that "assholes with resources" could be:

  • A jilted ex-lover who happens to be an employee of a company such as Google or Facebook that has access to your personal information
  • Technically skilled individuals with grudges
  • Unethical app/web service developers, even and perhaps especially the "well-intentioned" ones
  • Government or law enforcement employees (who are acting without formal backing from their agency) such as rogue cops
  • Organized "cybercrime" groups who have some cyber-attack infrastructure in place for other means (botnet herders, phishers, and so on)

The State

For our purposes, "The State" is an attacker persona that combines multinational corporations and governments, because corporations and governments tend to have similar if not identical resources and also often act in tandem/cooperation with one another to achieve their ends. This means that "The State" can, concretely, include entities such as:

  • Advertising-funded corporations such as Google and Facebook
  • "Vertically integrated" tech companies such as Apple
  • Intelligence community organizations such as the CIA, NSA, and so on
  • Surveillance companies/cyberweapon manufacturers, including intelligence community contractors

"Z-axis" aspects:

🚧 TK-TODO: This part needs a closer look:

  1. Read through the list, categorizing each line item along a "z-axis"
  2. Group the line items according to their z-axis
    • What about line items matching more than one z-axis: place them in both subheads or just the one?
  • Technical: "Categories" from PRISM-Break, i.e., what to do for server security versus what to do for device/endpoint security versus what to do for data in motion/at rest.
  • Behavior/habitual: data management and/or security hygiene best practices
  • Financial: issues relating specifically to currency systems (which are de-facto surveillance apparati by definition)


Triage

📝 This list of links is a completely unsorted link-dump. These links need to be:

  1. Read (and, of course, actually understood) by an editor.
  2. That editor should determine if the resource linked is useful and not already covered with more clarity at a different resource.
  3. If useful, the material in these links needs to be incorporated somewhere into the appropriate place in the matrix, above.

Everyone is encouraged to add new links to this list as they wish; someone will eventually come back around and more thoroughly evaluate its contents. This also means, of course, that you shouldn't take "our word" (lol) for anything linked below.