When the Weakest Link is Strong: Secure Collaboration in the Case of the Panama Papers

Success stories in usable security are rare. In this paper, however, we examine one notable security success: the year-long collaborative investigation of more than two terabytes of leaked documents during the "Panama Papers" project. During this effort, a large, diverse group of globally distributed journalists met and maintained critical security goals, including protecting the source of the leaked documents and preserving the secrecy of the project until the desired launch date, all while hundreds of journalists collaborated remotely on a near-daily basis. Through survey data from 118 participating journalists, as well as in-depth, semi-structured interviews with the designers and implementers of the systems underpinning the collaboration, we investigate the factors that supported this effort. We find that the tools developed for the project were both highly useful and highly usable, motivating journalists to use the secure communication platforms provided instead of seeking workarounds. We also find that, despite having little prior computer security experience, journalists adopted, and even appreciated, the strict security requirements imposed by the project leads. Finally, we find that a shared sense of community and responsibility contributed to participants' motivation to meet and maintain security requirements. From these and other findings, we distill lessons for socio-technical systems with strong security requirements and identify opportunities for future work.
