From Usability to Threat Modeling

Stylized photo of colored puzzle pieces with one puzzle piece highlighted. CC0 Markus Winkler / Unsplash

This is cross-posted from

Across our portfolio of technology, training, and advocacy to support a free and open Internet that protects and advances human rights, we are assembling a wide array of foundational resources (all released under Creative Commons licenses!).

Threat Modeling in Internet Freedom Projects

It's important to underline that this is not a new concept. Certainly there are many security tools which already carefully consider threat models during development, and there is much written on using use cases and "misuse cases" to expose the security and usability requirements for tools. This paper provides a good overview, and EFF's Security Education Companion coverage of Threat Models introduces the concept for use in training.

These include user personas with community-built lists of needs, and information about the threats or adversaries they face. This collection of different resources is not coincidental – it builds a space in the middle to create detailed threat models around specific tools and practices and paves the way to more expansive and cohesive long-term digital safety strategies for resilient communities.

What we have

At-Risk User Personas

Our project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.

Contextual Digital Risk Assessments

Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

What we're building

Under the next phase of USABLE's work, we will be building two new resources: "personas" which represent the needs of organizations and communities, and "personas" which capture the capabilities and motivations of realistic but generalized adversaries.

Organizational Archetypes

Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries.

What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become incredibly more complex if an entire organization depends upon them as a core part of their workflow.

Adversary Personas

Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine.

Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a "bogeyman." I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

From Resources to Practice

These are collectively designed to enable unbiased discussions and strategy development around the serious challenges and threats users, organizations, and entire communities face, the tools we use to help, and tools, practices, or policies we wish we had.

  • Responses focused on threats, not just threat actors: Threat actors change and evolve, and often have more capacity than is publicly confirmed (but perhaps less than is presumed through rumor). By extracting and de-personalizing aspects of this, we can have clearer discussions. Further, specifying current existing actors, especially in open source tools, can overly complicate the public profile of the tool as well as those using it. If a tool is clearly built to combat a specific actor, then users of that tool can be seen as inherently being aligned against that actor. This has already resulted in excessive targeting and jailing of activists based on their tool choice.
  • Identification of common, cross-regional threats: What attacks, specific techniques, and even malicious tools are being used and re-used globally? Are there patterns we can detect and build proactive defenses against?
  • Gap identification: What gaps remain when we look at this data mapped out? Is anyone working to address them? What solutions (tools, training, policy changes) could be used? How do we sustainably build these resources?
  • More dynamic responses, more resilient communities: By tackling the inputs into this process separately, we can update our models more agilely and plan against a wider variety of attacks to build tools and guidance that are more resilient to more types of threat actors as well as changes in any specific actor.
  • Future-looking strategies: With these fictional personas and archetypes, we do not have to be as limited to current actors and their capacities. We can (within reason) consider possible future threats that activists may face by remixing and extrapolating from current threats. Anticipating these risks will allow us to build tools to mitigate them sooner, rather than later. Dystopian cyberpunk scenarios welcome!
  • These resources can be used to develop tabletop scenarios to explore current and emerging threats and build creative responses to them. These scenarios are useful in advanced trainings, tool development, and strategy building exercises. Fictional but realistic adversaries and personas can get into detail around specific threats and mitigations without being as personal or risking bias, while helping reduce the potential for trauma involved in these discussions.