From IFF Wiki
Jump to: navigation, search
Presenter(s) Marcel, Suzanne
Organization(s) Free Press Unlimited and Greenhost
Project(s) TOTEM
Social media
2017 theme Tools & Technology

TOTEM pop-up workshop for digital security trainers on content creation and testing the first setup of the platform,

Format Workshop
Target Groups Trainers
Length 2 hours
Skill Level Advanced
Language English


Survey priorities:

  • Phishing / malware
  • Threat modelling
  • Password hygiene

last priority: e-mail encryption

Phishing / malware

A module about recognising phishing and malware, and possibly on how to remove malware

  1. prevention
  2. detection
  3. removal

Threat modelling

This module aims to create a context for the trainer. For example, if you’re training a group of bankers, you might prioritise HTTPS usage and tell them stories about how that works in a bank situation.

It is possible to do threat modelling by sending out a survey beforehand, but you should be careful with collecting a lot of sensitive data about the trainees over the web.

Password hygiene

A lot of people already know what a strong password is, but it might be good to add a module on how difficult it is to crack some kind of password.

Three important base components to a pre-course on passwords:

  1. There’s a difficulty in how to find a place where to change the password.
  2. The other problem is how to store the password and change your life situation to find how to store your password
  3. Extra means to secure your accounts – 2fa.


Tests / data insights

An interesting idea is pre- and post-testing your trainees, so you can track their improvement over the course. If the pre-test is worded correctly, this can also be an extra motivator to spike the trainees’ interests. Especially if you add a bit of information to the questions in the test

The tests in the example of one of the attendees were scored as a sort of “personality”: not in a wrong/right kind of way, but by saying “it looks like you’re strong in this area, but can improve in that one”.

Other apps

This reminded someone of “umbrella security made easy”, which tracks your improvement with a sort of self-assessment approach and a sort of reward system.

It’s interesting to take a look at digital security courses that are already posted in online learning environments/webinars. They might have a lot of features we can blatantly copy.

Story telling

Teaching by story telling: You invent a story of, say, a human rights defender and ask the trainees to teach/advise this character in her digital security.

From a developer perspective: we could make several modules for different “stories”, so every type of trainee can get a character that resembles their situation.

In a classroom it’s also possible to (after the training) make 2 teams and play a sort of digital security “cat and mouse” game.

There’s also superpeif: examples of stories for every day users that should protect their data. Security in a box also contains some “background stories” with characters.

Saving trainers time

A big time-saver would be to be able to set up a trainee’s PC before the course starts. Some trainers do a “pre-course check in”, where the PC is cleansed of Internet Explorer toolbars, etc. and the tools that are needed for the training are installed.

Trainee devices and connectivity

We should also think about maybe making the tests available off line.

Mobile friendliness is SUPER important for at least 80% of the trainees of 3 trainers only have mobile phones or tablets and never consider buying a computer. The main type of device we’re talking is a $20 android 4.2 phone (so we should also be thinking about the TLS versions, etc.).

We should maybe send out a new survey on the type of devices the trainings should be able to run on.

Interaction and collaboration between trainees is interesting. Maybe it’s interesting for the trainees to (after a course) communicate with each other, which is super interesting in the GPG course scenario, but doesn’t really seem to be super interesting for the three topics we are starting with right now.