Framing the Conversation


Many of the lesson plans in this guide are designed to stand alone, and some of the overview lessons can cover a few key topics in a lunch hour. But if you’re thinking about launching a series of workshops, it is worth considering how you want to frame that series.

There are a lot of different ways to frame a conversation about digital security. Many trainers like to start with a review of basic digital literacy, to provide a foundation for subsequent trainings. Others start with threat modeling or risk assessment. This document is a great roundup of places to start a training series.

  • For some participants, this workshop will be their first opportunity to reflect on a subject that is conventionally framed as the domain of experts. Facilitating means showing that participants, too, have what they need to participate in the process.
  • No workshop starts from scratch. Everyone in the room brings some insight and some baggage. Participants will have useful digital security knowledge, but they also bring personal insecurities and myths that take time to debunk.
  • Adults usually expect to understand the relevance of what we learn. That expectation can be challenging when we don’t have existing mental landscapes that help us make sense of new concepts and tools. Facilitating means providing useful frames of reference.

The good news is that a lot of great trainers have already done the hard work of articulating foundational concepts for digital security work that then open the conversation up to other specific practice- and tools-based topics.

Here are examples of lesson plans you might use to facilitate a first session with newsroom colleagues, along with brief explanations of when these framings can be most helpful.

How the Internet Works

Mariel Garcia and Spyros Monastiriotis’ How the Internet Works is a great introductory lesson plan that starts by walking through the basics of how information is stored and flows between devices on the internet. You can then talk about the vulnerable points in the chain—and start a conversation about the related good security practices. The lesson plan is intended for sessions lasting between two and four hours.

Tactical Technology Collective’s How the Internet Works and the “How mobile communications work” module on My Shadow cover similar material in shorter 30-minute activities.

Assessing Risk

Internews’ SaferJourno includes a nice module on risk assessment (see page 17). Frontline Defenders’ Workbook on Security and Tactical Technology Collective’s visual actor mapping session are also good resources for facilitating conversations about risk and risk assessment. These can be good starting points for discussing concrete steps that are important to take.

This framing is most helpful in an environment where participants are working closely together and share common risks.

Where Your Data Lives

The Data Backup Matrix, a Level Up activity, asks participants to reflect on the places where their data is stored by facilitating creation of an “information map.” This exercise is based on the idea that understanding what exactly is at stake in a digital security crisis and what the least and most vulnerable points are will enable subsequent risk assessment and tool learning.

This framing can be particularly helpful when working with groups that have had other digital security trainings but never really changed any of their practices, as this exercise can help them re-engage with the importance of better practices in their particular cases. This activity is intended for a session lasting 30 to 45 minutes.

A Day in Your Life

Tactical Technology Collective’s A day in your life asks participants to create a timeline, or a time-based “information map”. The exercise is based on the idea that thinking about the times you are most vulnerable can help participants prioritize changes they want to make as they build digital security skills.

This framing is helpful for groups where individual analysis is most appropriate, and when working with groups that have had other digital security trainings but never really changed any of their practices, as this exercise can help them re-engage with the importance of better practices in their particular cases. The activity is intended for a session lasting an hour.

Tracking – Who’s Collecting Our Data? How? And Why?

Tactical Technology Collective’s My Shadow includes a few great activities and workshops crafted around the idea that people can more easily make sense of best practices if they start by talking about services people already use and the data that is being collected.

This framing is particularly useful in newsrooms that cover low-risk topics but are interested in building digital security capacity. The activities are divided into 30-minute modules, which you should complement with discussions on the topic.

Reflecting on Existing Security Practices

This holistic security exercise by Tactical Technology Collective is based on the idea that people are not really starting from scratch in terms of security, even if they are coming to their first training. Exploring previous knowledge and practices is a good way of making the entire process more relevant for them.

This exercise isn’t meant to be a stand-alone session, and can be a good warmup for a longer skill-based session.

Integrated Security

Some digital security trainers have used Kvinna’s integrated security facilitation approach, based on the idea that collective discussions on what security means and the practices we already take to protect ourselves are a good way to continue building our security capacity.

This framing can be helpful in newsrooms where security needs are much broader than what is typically covered in digital security curriculum. The lesson plan is intended for a session lasting two to four hours.

This is Awesome

It is easy to get caught up in everything that’s wrong with the internet and digital communications. Some digital security trainers like to start by resetting that pessimism with a conversation about just how awesome the internet actually is. If this is a framing strategy that resonates for you as a trainer, the general idea is that you start with a roundup of everything that is fabulous about the internet and then shift gears to talking a bit about the value of digital literacy. For example:

Today, if we want to talk to hundreds, or even thousands, of people, we can turn to Twitter, or a host of other platforms. Networks with equivalent reach and ease of access simply didn't exist for previous generations. Now it's a regular part of life.

There are more books than we could hope to read, much less own, that fit on a three-inch screen. There are more audiobooks than we could ever listen to in the public domain, read by random volunteers. We can book a flight to Seoul, order a box of baby chickens, and find patient communities for dozens of rare diseases in the span of 20 minutes, all from a phone, or a small box with more computational power than took humanity to the moon.

We live in an age of working magic wands, an age with no muggles. We're all wizards, but there's no Hogwarts: we're muddling through, and a world where everyone has all these powers can look scary. But the world gets better as we all learn to use our powers.

Practical privacy and security is just a part of digital literacy. Right now, for most people, learning how their computers work is hard enough. Learning how the network works seems out of reach. It’s not impossible; it just takes a new perspective on the world we live in every day. Digital privacy is digital literacy: It means learning how to use your network powers, and how to defend yourself in an environment of network powers.

Contexts in which this framing can be helpful: when you want to set a tone that none of this should be scary or overwhelming.

Setting Expectations

Once you’ve identified a framing that resonates with you as a trainer, or that will resonate with the group, let that framing help you identify and (as necessary) gently adjust expectations for the group. Most of these framing suggestions start with activities that incorporate a conversation about expectations. Two other great resources on setting and managing expectations are Chris Michael’s guide to getting participants in sync, and DJ and Nicolás Sera-Leyva’s guide to understanding and managing expectations in digital security trainings, both at Level Up.

Some of the places where there’s often a gap between expectation and reality in digital security trainings:

  • There is no such thing as perfect security.
  • There is no such thing as a permanent digital security solution.
  • You are as secure as the most “un-secure” person you connect with online.
  • Security is personal.

Participants who come in hoping to be given The Right Answer™️ will leave frustrated if you don’t reset expectations at the outset of a series. Digital security is not just about knowledge: it is also about changing habits. Nobody changes long-cultivated habits after a single two-hour workshop. As a trainer, you can set participants up for success by encouraging everyone to make realistic commitments, and to keep those commitments.

Privacy and digital security aren’t solo endeavors. Normalizing secure communications is a way to work in solidarity with more vulnerable groups – as people use encrypted channels to touch base about what’s for dinner, or what time to meet up, we all help make private and secure communication normal. By using secure communication tools for everyday chatter, we can also identify, articulate and document bugs and issues that make those tools hard to use in high-stakes situations.

Security is an effort we make for ourselves, for others we care about, and also for others we currently do not care about. We rely on each other – security might be an act of moral obligation, civic responsibility, or love.