Fostering a New Digital Security Pedagogy for More Inclusive Trainings
Organization(s): Freedom of the Press Foundation
2017 theme: Training & Best Practices
Given the continuing entrenchment of free speech restrictions online, government and corporate surveillance of our professional and private lives, and the threat of physical and psychosocial harm stemming from our digital activities, the need for effective digital security trainings is more acute than ever. One would hope, then, that the approach to digital security practices would shift according to its widespread need. The traditional rhetoric and pedagogy of such trainings would suggest otherwise, as approaches frequently alienate members of varying communities with difficult-to-access language and concepts. While digital security trainers do incredible work, we recognize the need to expand our approach to accommodate the needs of marginalized and other unaddressed groups.
In this session, we hope to foster a dialogue surrounding core questions about the existing approach to digital security trainings, such as: What conceptual barriers presented in trainings hinder the long-term adoption of security practices? As trainers, how can we dynamically shift our common language and topics according to the unique demands of trainees? Participants can expect to hear from the perspectives of designers, researchers, and educators in the security world, and walk away having contributed to a constructive conversation about how we can work together to make digital security trainings increasingly inclusive and effective.
Target Groups: Journalists, Security Trainers, Communications Professionals, Academia
Be a hacker, not a hack: Security accessibility in design and education
Olivia Martin (Digital Security Fellow): Freedom of the Press Foundation
Anqi Li (User Experience and Design Lead): Access Now
Olivia and Anqi introduce themselves and their respective organizations - Freedom of the Press Foundation and Access Now
Explains the challenge between usability, data collection and usage, and protecting the user at risk
- Gap between end users and digital security trainings
- How to facilitate communication between both parties using user experience and user design methodology
- Want to open up the conversation into knowledge sharing
What conceptual barriers in trainings hinder adoption of security tools and practices? When you give digital security trainings, what are some of the reasons that technology tools or practices are not ultimately adopted?
We have seen this before during trainings - eyes of attendees glaze over or folks get lost in the training
Three Conceptual Barriers:
- User Bias: UX vs Security
  - Bad habits nurtured by bad design
    - Facebook: Designs 2-factor authentication to be buried
    - Venmo: Shares financial transactions on Facebook
  - Users don’t know any other practices
- Cognitive Load: Security Fatigue
  - PGP as a perfect case study - onerous onboarding
  - How can we better present this information in a way that encourages use and sustainability?
  - Limited to the number of topics you can take on
- Culture: Unique Needs
  - Which groups are we not serving the needs of? What are the gaps?
  - Gauging the emotional readiness of the end user to receive digital security guidance / training, especially directly on the heels of trauma
“Adoption is critical”
Bridging the Gap:
How can the creative community enrich the security community - and vice versa?
Theories of Change:
- Theory of agency:
  - Today, users do not have access to knowledge
  - Lacking information implies lacking agency
  - In this way designers have the responsibility to inform their users
- Theory of contagion:
  - Security culture is contagious
    - Internally as an organization
    - Externally as communities
- Theory of social responsibility:
  - Historically, designers tend to be socially aware and socially responsible
  - In the information age, our social responsibility as designers is complicated and evolving
Design thinking for security:
A very useful way of building methodology for planning and designing training

Design Thinking Methodology:
- Research
  - Critical to address the above three conceptual barriers discussed
  - IFF and other venues are great for user research
  - Background research and on the ground insight when planning design
  - For example - Anqi has much training within the US, but that approach doesn’t necessarily work outside of the US, e.g. the VPN usage issue in China is a question about usability
- Ideation
  - Informed by research stage
- Contextualization
  - How to contextualize idea? Based on previous user research
  - Ask friends to do user testing
  - Question: With a limited budget, how do you conduct user research?
- Prototyping
  - How to frame a constructive conversation about design, especially when getting insight from people around you
  - Use this information to inform how you present information to an end user
- Testing
  - Critical to have an evaluation process
  - Be responsive to the feedback of users
- Help ensure design and creative practice respect and protect user rights in the creation of digital products, platforms, and services
- How to find a balance between design/usability and security
- Cut the costs associated with security vulnerabilities, without restricting creative expressions
- Be a universal, applicable, and fair reflection on the current status of the use of data and information
- Facilitate healthy and productive conversations around security
How can digital security trainers contribute to the project paradigm?
Trainers are the conduit between users and the security community
Whole group conversation and exercise outcomes:
What are the conceptual/cultural barriers trainers see in trainings?
- Biases based on age, gender, political background, etc.
- Limitations based on time and resources - quick departure from best practice pedagogy
- Lack of urgency
- Emotional trauma
- Assumption of importance of training for recipient (against other priorities or needs)
- Lack a model to talk about security and encryption that makes sense to the user
  - Often use math as basis that doesn’t connect with user
  - Better analogies are needed
- People tend to think security is a binary
- Targeting different audiences - cross-pollination
- Create toolkits / tools for diverse user groups
- Bureaucratic BS
- Generational Tensions
- Lack of resources for training of trainers
- Ethical quandary of recommending certain tools which may contain vulnerabilities