CY, May 28
Information Security in Small-Scale Protests: Surveillance of Ugandan Anti-EACOP Protesters
Ntezi Mbabazi, Rikke Bjerg Jensen
We examine the information security practices of Ugandan climate activists protesting the development of the East African Crude Oil Pipeline (EACOP). We conducted five-week fieldwork in Kampala, Uganda, which included interviews with 13 anti-EACOP activists. Through an inductive analysis, we report on the complexities faced by small groups of predominantly student protesters as they covertly organise small-scale anti-EACOP protests within a context marked by state surveillance and repression. Our study points to a multi-layered adversarial landscape, where participants' experiences of direct threats, including arrests and information compromise, and their fears of abduction, shaped their security practices. These practices were rooted in autonomous decision-making within groups. We present a grounded understanding of how participants' need to protect information for their own security, as well as that of others, permeated their lives, leading them to adjust day-to-day aspects of their device management, communication, accommodation, transport and social relations as deliberate tactics to mitigate surveillance.
CR, Oct 13, 2020
The Vacuity of the Open Source Security Testing Methodology Manual
Martin R. Albrecht, Rikke Bjerg Jensen
The Open Source Security Testing Methodology Manual (OSSTMM) provides a "scientific methodology for the accurate characterization of operational security" [Her10, p.13]. It is extensively referenced in writings aimed at security testing professionals such as textbooks, standards and academic papers. In this work we offer a fundamental critique of OSSTMM and argue that it fails to deliver on its promise of actual security. Our contribution is threefold and builds on a textual critique of this methodology. First, OSSTMM's central principle is that security can be understood as a quantity of which an entity has more or less. We show why this is wrong and how OSSTMM's unified security score, the rav, is an empty abstraction. Second, OSSTMM disregards risk by replacing it with a trust metric which confuses multiple definitions of trust and, as a result, produces a meaningless score. Finally, OSSTMM has been hailed for its attention to human security. Yet it understands all human agency as a security threat that needs to be constantly monitored and controlled. Thus, we argue that OSSTMM is neither fit for purpose nor can it be salvaged, and it should be abandoned by security professionals.
CY, Feb 25, 2022
'Cyber security is a dark art': The CISO as soothsayer
Joseph Da Silva, Rikke Bjerg Jensen
Commercial organisations continue to face a growing and evolving threat of data breaches and system compromises, making their cyber-security function critically important. Many organisations employ a Chief Information Security Officer (CISO) to lead such a function. We conducted in-depth, semi-structured interviews with 15 CISOs and six senior organisational leaders, between October 2019 and July 2020, as part of a wider exploration into the purpose of CISOs and cyber-security functions. In this paper, we employ broader security scholarship related to ontological security and sociological notions of identity work to provide an interpretative analysis of the CISO role in organisations. Research findings reveal that cyber security is an expert system that positions the CISO as an interpreter of something that is mystical, unknown and fearful to the uninitiated. They show how the fearful nature of cyber security contributes to it being considered an ontological threat by the organisation, while responding to that threat contributes to the organisation's overall identity. We further show how cyber security is analogous to a belief system and how one of the roles of the CISO is akin to that of a modern-day soothsayer for senior management; that this role is precarious and, at the same time, superior, leading to alienation within the organisation. Our study also highlights that the CISO identity of protector-from-threat, linked to the precarious position, motivates self-serving actions that we term 'cyber sophistry'. We conclude by outlining a series of implications for both organisations and CISOs.
CR, May 31, 2021
Collective Information Security in Large-Scale Urban Protests: the Case of Hong Kong
Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen et al.
The Anti-Extradition Law Amendment Bill protests in Hong Kong present a rich context for exploring information security practices among protesters due to their large-scale urban setting and highly digitalised nature. We conducted in-depth, semi-structured interviews with 11 participants of these protests. Research findings reveal how protesters favoured Telegram and relied on its security for internal communication and organisation of on-the-ground collective action; were organised in small private groups and large public groups to enable collective action; adopted tactics and technologies that enable pseudonymity; and developed a variety of strategies to detect compromises and to achieve forms of forward secrecy and post-compromise security when group members were (presumed) arrested. We further show how group administrators had assumed the roles of leaders in these 'leaderless' protests and were critical to collective protest efforts.