1. Susan E. McGregor
Columbia Journalism School
@susanemcg / sem2196@columbia.edu
Elizabeth Anne Watkins
Columbia Journalism School
@watkins_welcome / eaw2198@columbia.edu
"Security by Obscurity":
Journalists' Mental
Models of Information
Security
5. According to a Pew Research Survey of
investigative journalists conducted in 2014:
● Half did not report using information security
tools in their work
● Less than 40% reported changing their
methods of communicating with sources
since the Snowden revelations
● Yet the majority believe that the government
has collected data about their communications
Yet in the last 3 years, it seems little has changed
6. According to a Pew Research Survey of
investigative journalists conducted in 2014:
● 88% reported “decreasing resources in
newsrooms” as the top challenge facing
journalists today
● 56% named legal action against journalists as
the second
Yet in the last 3 years, it seems little has changed
9. In the words of cognitive psychologist Donald
Norman, mental models are:
“What people really have in their
heads and guide their use of
things.”
A mental model describes the way a person or group
thinks about a system or process
10. Our research
We conducted in-depth, semi-structured interviews with
journalists (N = 15) and editors (N = 7) about their security
preferences, practices and concerns.
We then analyzed these interviews using an iterative,
grounded-theory process to identify and refine common
themes.
11. Our results
Like the Pew survey, we found two overarching themes:
1. Our participants strongly related the need for security to the specific beat,
geography or story they were covering.
2. Meeting face-to-face was the most consistently cited tactic for avoiding security
issues related to digital communications.
12. “It depends on the sector, but not everyone
has sensitive information. We have many
open sources that don’t require any
particular protection...It’s just in certain
cases that one really needs to be careful.”
13. “I haven’t really dealt with something that
was life or death. An extra level of security
just didn’t seem necessary.”
14. “If you were on the national security beat
[security technology] would be really useful.
But I write about domestic social problems,
education, crime, poverty.”
15. “I feel like it depends on how much you think
someone is actively spying on you.”
16. Security by Obscurity
Taken together, we found that our participants' mental models of security were largely
shaped by two sets of beliefs:
1. That their own level of information security risk was directly proportional to the
likelihood that they were being specifically targeted. This was expressed in
repeated references suggesting that security risk was a factor of how conspicuous
or controversial their coverage was. Conversely, participants expressed that if they
were not being specifically targeted, they felt they faced a lower information
security risk.
2. That the primary way to lower their information security risk was to take
communications offline altogether, e.g. meet sources and/or colleagues in person.
Taken together, we characterize this mental model as "security by obscurity."
17. Security by Obscurity
In the computer science literature, "security by obscurity" is often highlighted as a
spurious form of security; e.g. the idea that simply using obscure (or secret) security
approaches provides sufficient security.
We intentionally co-opt this term to indicate journalists' and organizations' belief that if
their work remains sufficiently "low-profile," they do not need to concern themselves with
information security.
We acknowledge that in both cases, "security by obscurity" can provide some tangible
short-term protections. In the long run, however, this approach is not tenable in either
discipline.
18. Limitations of "Security by Obscurity" for Journalists:
Many successful attacks are phishing-based
From the article:
The executive saw on her Blackberry that she had just received
a bluntly worded email that seemed to have been sent by a
reporter at Vice Media, asking her to comment on a Reuters
story linked in the message.
[...]
In her half-asleep state, she was prompted for her webmail
credentials and entered them, thinking her access to the page
had timed out. When the link led to a broken url on Reuters’
website, she got dressed and began her snowy commute from
Brooklyn to Manhattan without a second thought. “It was so
insidious,” she says. “I didn’t know I had been hacked for
another two hours.”
19. Limitations of "Security by Obscurity" for Journalists:
Journalists and their organizations are not obscure
"Ok, it's not crazy or megalomaniacal to think that there
might be a group of people who are actually trying to
crack [our] systems. Right? I mean, we think of
ourselves as prestigious...but not a sort of obvious
global target newsroom...So I think that really brought
home to us, 'No, we are a big old target.'"
21. Understanding journalists' "security by obscurity" stance
We found multiple indicators of why journalists may continue to employ a "security by
obscurity" mental model despite its gaps and inefficiencies:
1. Poor systems models: many participants expressed uncertainty or confusion about
how digital communication systems worked and what kind of protections were
afforded by particular practices.
2. "Good enough is good enough": in the absence of clear understandings about the
mechanisms of digital communications and their implications, most journalists
relied on face-to-face meetings for security. Though limiting, this tactic is both
reasonably effective and more highly accessible given their other
resources.
22. I’ve been trying to reduce my Dropbox
usage, and so I've been using just a USB
stick or something. Which, I actually have no
idea how safe that is. It seems more safe.
23. I tried to send an encrypted email to a manager, and
she doesn’t have [encrypted] email. So, it’s available to
our company…but it hasn’t been a priority for that
manager. So I sent a note to her reporter…who was
encrypted but was not in the office. So I said, “I’ll walk
over and have a conversation with you, because I can’t
send you what I would like to send you. I don’t want to
put this in writing."
25. Improving on "security by obscurity" for journalists
A major opportunity for improving the accuracy and efficacy of journalists' mental models
of security seems possible through better information dissemination and education.
1. The most prominent and highly-detailed coverage of information security issues for
journalists focuses on specific beats and topics. At least internally, organizations
should clearly communicate the existence and origin of attacks.
2. Engage in direct educational efforts to help journalists and other personnel
understand how digital communications work - and how certain security
precautions function. Anecdotes from participants suggest this is a successful
approach.
26. My initial response to being prompted to set up two factor authentication
on my personal accounts - like on my Gmail account or my Facebook or
wherever - was deep skepticism, because it just felt like another
corporation asking for my phone number...[But] the whole tech team gave
kind of a broader and clearer explanation of why it matters, and it didn't
just seem like some kind of fishy thing from a faceless corporation, but
more like, you know - here's a person I trust who's looking out for my
company telling me why this matters for us as a company, and shortly
after we went to two factor for the company, you know, I sort of
acquiesced to all of the various two-factor requests in the rest of my life as
well.