
Assess security risks


Know what measures to take to understand risks faced as a journalist.


Understand risk

Risk refers to possible events, however uncertain, that result in harm. Understanding risks can help you know the right measures to take in order to be more secure.
Perhaps without realising, we take decisions based on risk analyses every day. You may choose not to walk home through a particular neighbourhood you consider dangerous, or to lock your office doors when you leave in the evening, to deter thieves.
The idea of this lesson is to learn to understand risk as it applies to our activities as journalists and as private people.

Actor mapping

In order to understand the risks we face and be able to effectively react, first we should know where they come from; that is to say, who is behind them, and why.
We might consider dividing these actors into three categories: resisting forces, supporting forces, and unknown forces.

1. Resisting forces

Resisting forces are those who try to prevent us from successfully carrying out our work.

In some cases it may be forces working for or on behalf of the State, who often threaten, stigmatise, arrest, detain, mistreat and prosecute journalists. Getting a sense of who these actors are will help us to understand the nature of the threats to ourselves, our community and our information.
In other cases, it may be social forces who try to prevent us from promoting and defending human rights. This may include religious institutions or groups, political movements, armed groups, or even family members. Different actors pose different threats to our security, and indeed our digital security.
The State might have the capacities to listen to our mobile calls, or place viruses on our computers to monitor our online activities. Non-State actors or even common criminals could gather a huge amount of information about us by just monitoring our Facebook page, if everything is open and public.
Thinking about what we are up against can help us take the right measures to keep them guessing and keep working.

2. Supporting forces

Supporting forces are our friends and allies, who try to support our project in one way or another.
As part of this 'actor mapping' exercise, you should also consider the actors who are on your side, whether local, regional or international: these could include friends, community members, police, other organisations, embassies and so on.
It will be important for you to spread your digital security practices among your allies.

3. Unknown forces

Unknown forces are other actors whose exact intentions, with regard to our security and the success of our work, are unknown or ambiguous.
An example may be your Internet Service Provider (ISP) or companies such as Facebook or Google, on whom we depend for a lot of our online activities and who may collect and store a lot of information about us.
An ISP, social network or e-mail provider could be legally pressured by a government to hand over information such as your browsing history, chat logs or emails.
Due to the large amount of information they collect about your activities, they may also be targets for malicious hackers who want to access that information about you.

Understand threats, capacities, and vulnerabilities

Think of your risk as an interplay of the threats you face, your vulnerabilities, and the capacities you have.


Threats refer to a declaration or indication of an intention to inflict harm. The higher the threats, the higher your risk.
An example of a threat may be someone breaking into your email account and exposing your contacts, or using your emails as evidence against you.


Vulnerabilities refer to any factor which makes it more likely for harm to materialise or result in greater damage. The more vulnerabilities you have, the higher your risk.
An example of a vulnerability may be having a very short, simple and easy to break password, like '123456'.


Capacities refer to abilities and resources which improve our security. The higher your capacities, the LOWER your risk.
An example might be knowing how to create and store long, complex and varied passwords, thus making it very difficult for people to break into your email account.
It's worth noting that capacities and vulnerabilities are often "two sides of the same coin".

Map threats, capacities, and vulnerabilities

It may be helpful for you to map them out on a matrix, like this:

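| Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required |
|---------|------|-------------------------|--------------------|-----------------------------|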

An example for an Investigative Journalist might look like this:

| Threats | Who? | Digital Vulnerabilities | Digital Capacities | Digital Capacities Required |
|---------|------|-------------------------|--------------------|-----------------------------|
| Office raid, confiscation, legal action | Police, judiciary | Sensitive files are not protected; computers have unregistered copies of Windows; LGBT material in browsing history | Backups are regular and kept outside the office | Hiding sensitive information; using Free Software; deleting information securely |
| Digital surveillance of network traffic | Police/Government officials, untrusted IT administrator | Plain text or unencrypted communications | Encryption of all communications | Only access HTTPS websites, utilize anonymizing browsing software (Tor), use encrypted communications (Signal, PGP email, etc.), encrypt or obfuscate sensitive files |
| Burglary | Local delinquents | Old locks on the office doors; organisation smartphones are not kept in a safe place | Smartphones have SIM lock and no social networking apps | Smartphone encryption, and a safe place to keep them |

This example is merely for demonstrative purposes and may have nothing in common with your own situation. It only focuses on digital security vulnerabilities and capacities, which should only be one part of your risk analysis.


It may be that you find there are a lot of threats to your work, and it can be difficult to get some perspective on where to begin.
In these cases it can be useful to think of the different threats in terms of the probability of their occurrence, and their impact should they occur.

| Probability |     |          |                           |              |
|-------------|-----|----------|---------------------------|--------------|
| Very high   |     |          | Confiscation of materials |              |
| High        |     | Burglary |                           |              |
| Medium      |     |          | Entrapment and Assault    | Imprisonment |
| Low         |     |          |                           |              |
| Impact      | Low | Medium   | High                      | Catastrophic |

Once you have prioritised the risks to yourself and your work, you can then start to take action to reduce them through building the relevant capacities and integrating them into a security plan.




  • (en/topics/practice-2-planning/1-threats/1-intro.md): What are threats
  • (en/topics/practice-2-planning/4-emergency-plan/1-intro.md): How to make an emergency Plan

See also: