Digital Risk Assessment Template
Journalists face a wide array of digital risks when carrying out their work. Completing a risk assessment is an important factor when it comes to keeping data and sources safer. This risk assessment template is designed to get you thinking about the risks that you face as well as the steps you need to take to reduce that risk.
You can complete the risk assessment template on your own, or together with others you work with, such as an editor or security officer. Journalists may need to consult the SaferJourno guide for best practice guidance on how to carry out certain digital security steps. You may not need to complete all of the risk assessment; choose the sections or questions that best suit your security needs.
Think about where you will store this document and how you will share it securely with the news outlet you are working with. Consult with a digital security advisor if you need guidance on how to do this.
Thinking about general digital risk
What general digital safety concerns do you have?
Have you faced any previous digital threats? Please detail if you feel comfortable to do so.
Are you living or working in a country with a high level of surveillance? What steps do you need to take in order to be digitally more secure?
Are you working on a sensitive story? If so, what do you need to know about your risks and adversaries to be safer online and when using devices?
Account security
Do you know who may wish to target your accounts? If so, do you know if this adversary has a history of breaking into accounts or carrying out phishing attacks against journalists or others?
Are you able to set up anti-phishing protections such as password manager autofill and physical security keys or passkeys? What sort of steps would you need to take to include those protections in your work and workflow?
Is there a risk the government could subpoena a company for your online information? If so, what steps will you take to protect your data?
Steps to reduce risk
Complete the checklist to secure your accounts.
- I have created long (15 characters or more) and unique passwords for my accounts, or asked my password manager to generate new ones for me. Alternatively, all my main accounts are protected by passkeys
- I have created and follow a plan for creating and storing my passwords or passkeys securely, for example by letting my password manager store and generate them
- I have turned on two-factor authentication for my accounts, ideally with physical security keys or passkeys
- I have created backup forms of two-factor authentication (such as additional physical security keys or backup codes), or work with a system administrator in my newsroom who could help reset my accounts if I lose access to my second factor
- If I’m using a password manager, I’ve enabled auto-fill in my web browser to combat phishing threats
- I have reviewed the content of my most important accounts and removed anything I would not feel comfortable with others accessing
- I have taken steps to separate out my work and personal accounts online
Device security
Do you always keep the software on your devices up to date? How often do you check if updates are available?
Do you know what content is on your devices and have you taken steps to remove anything you would not want to be obtained by others? What steps have you taken?
Do you know who may want to gain access to your devices? For example, law enforcement or protestors at an event? Have you taken steps to secure your devices and the content on them?
Do you know how to encrypt your devices and have you researched the law around encryption in the country you’re in? Do you know which of your devices are encrypted by default, and in which ones you need to manually enable encryption?
Are you crossing borders, at risk of arrest, detention or having your devices seized? What steps do you need to take to secure your devices and information ahead of travel?
Have you researched whether you are at high risk of having spyware inserted on your devices? If so, have you enabled iOS/macOS Lockdown Mode or Android Advanced Protection?
Safer online research
Do you have a specific story that causes you concern when it comes to carrying out research online? If so, please detail below.
Do you know who may be interested in obtaining your online data and what their tech, legal and financial capacity is? What steps are you taking to protect your data?
Protecting materials
Please write down any concerns or questions you may have about how to keep your materials secure.
What steps do you need to take to mitigate the concerns above?
Steps to reduce risk
- I have researched who may be interested in obtaining my documents and I understand the ways they may try to do this. For example, subpoena or device seizure
- I have a plan for backing up my content in more than one place
- I have researched and chosen a method for backing up, deleting and storing content
- I know how to encrypt single documents
- I know how to encrypt USB sticks, SD cards and external hard drives, amongst others
- I have created a plan with my team around how we will all store materials more securely
- I know what steps to take should our material be accessed by someone
Safer communications
What concerns do you have when it comes to securely communicating with others? Detail them below.
Do you need to protect your phone number from sources or others? Have you looked into Signal’s phone number privacy and similar services?
Are you speaking with someone who is under digital surveillance? What steps could you take to protect your communications?
Have you taken steps to secure the communications tool you are using? For example, turning on disappearing messages and two-step verification for WhatsApp and Signal? What other steps do you need to take?
Online abuse and protecting personal data
Have you previously been targeted by online abusers? What tactics did they use?
Are you being targeted because of certain stories that you are publishing?
Do you have an understanding of who may be targeting you and the tactics that they are using?
Steps to reduce risk
- I have carried out an advanced search for my data online
- I have taken steps to remove as much personal data as I am able
- I have set up Google (or other) alerts for my personal data, including my name
- I have spoken to family and friends about what data I am happy to share online
- I have worked with family members or others close to me to secure their accounts