Advice for sharing security advice
How to tailor guidance for your audience and come up with a plan for keeping it up-to-date
Writing and sharing security guidance ain’t easy. Without a light touch you can scare or overwhelm your audience. The advice often ages quickly, so you need a plan to help ensure it continues to make sense to future readers. Perhaps most challenging of all, security advice is contextual: It needs to fit your audience, whether that’s an internal audience at your newsroom or an external audience reading your articles.
In our work with Freedom of the Press Foundation, we have learned a number of lessons over the years about writing beginner-friendly security guidance for journalists. We’d like to share some of what we’ve learned. (Note to journalists: Some of your articles about security might not include security advice. Here we are specifically focused on written materials that include some sort of security guidance.)
There are a couple of things to consider when writing advice: 1) How are you learning what to prioritize for your audience, and 2) what are your plans for how future audiences will receive this advice?
Prioritizing advice for your audience
Writing specifically to your audience sounds obvious, but research suggests that writers are giving non-expert audiences an overwhelming deluge of security advice—some of which is even contradictory (e.g., “write down passwords” versus “don’t write down passwords”). Even security experts don’t have consensus on the most important pieces of security advice, pointing to more than a hundred pieces of security advice as the “top 5” most important. It’s no wonder that as writers we have a tough time prioritizing advice for our audiences, because there truly is a lot to say.
Meeting people where they’re at means being technically accurate, but only providing as much information as is applicable to your specific audience. While this matters for all journalistic fields, this is particularly important when introducing technical topics and when the audience may be unfamiliar or intimidated.
For example, if you are writing an internal guide for a larger legacy media organization, readers may have a well-established IT team with some degree of security expertise, or even newsroom security specialists on staff. Much of your guidance in this case should account for not only individual security practices, but also when to escalate with your staff specialists. All of this may also be tied to internal security policies and procedures, and how individual employees can meet compliance goals (e.g., how to set up two-factor authentication that the organization requires to log in). It’s easy to overwhelm people in this situation. Here, it’s likely best to keep guidance fairly high-level and encourage colleagues to reach out to designated people with relevant expertise, outlining the circumstances clearly where they should escalate.
Compare this to writing for an underresourced newsroom where everyone’s security practices might be more individualized and self-motivated, even if the organization has established policies and procedures. Readers may nonetheless be able to implement basic practices on their own, and the guidance should reflect that capacity.
Research with your audience
Who’s your audience? If you are putting together security guidance for your colleagues, or even a highly specialized and familiar group outside of your organization, you might have a pretty good idea about what their tech stack looks like already. A more general audience is going to require some extra research.
While it may make for a compelling story, a solid security news hook does not mean any of the corresponding defenses are applicable to your core audience. For example, every week we learn about massive new breaches of corporate infrastructure, such as Microsoft 365. If your audience is made up of IT professionals who may be tasked with responding to these attacks, there’s actionable advice, but otherwise there might be little left for your audience to do personally in this situation.
Likewise, we’ve recently seen a good number of stories based on research from the University of Toronto’s Citizen Lab concerning Pegasus malware, which is designed to burrow into a device and give a state-level attacker remote access. These stories will draw questions from your audience about what they can do about it, and if your audience is made up of journalists or dissidents, this threat may truly apply to them. But a more general audience is more likely to face untargeted malware delivered through malicious emails and text messages.
While you don’t want to downplay the seriousness of what you’re describing, it’s equally important to place these stories in the context of who is truly affected. News hooks lend themselves to rare and novel security risks, as opposed to threats people experience every day. Depending on who your audience is, advice should reflect that relative risk.
At Freedom of the Press Foundation, we write articles based on our experience working with journalists on their digital security habits, learning about their experience through onboarding interviews and question-and-answer sessions. We also conduct qualitative research with journalists — some of which has been published in academic journals.
Audience research need not be formal. Maybe for you, research means learning what your audience needs to know by chatting with them on social media sites, Discord, Twitch, mailing lists, the comment section, forums, or other spaces. If you have a specialist audience, perhaps meeting them at conferences is a great way to connect. Whatever you choose, be aware of what can give you a skewed view (e.g., only hearing from your biggest fans on Twitch). Having multiple channels will give you a more representative view.
Backlink checkers can also be a handy way to see where people you don’t know have shared your articles and what they think of them. Likewise, plugging your article links directly into search fields on social media sites will give you a stronger idea of who is sharing your articles and what they’re saying about them.
One-off versus regularly updated advice
Prioritizing advice means deciding whether a piece of advice is intended to be fairly evergreen, and how long you plan to maintain it. Even if you don’t plan to update an article indefinitely, you’ll still want to think ahead to how future readers will interpret the advice it contains.
If you don’t plan to update an article — say, if it’s based on a specific news hook — what’s your plan to ensure that readers understand the long-term relevance of your guidance? Depending on who your audience is, they may or may not know that the advice can get out of date. For this reason we really appreciate when an article highlights when it’s old or potentially out of date.
Old doesn’t always mean outdated, of course: Some articles don’t need to be updated very frequently, such as the advice to keep your personal devices updated in response to a breach. This will be applicable for years to come.
For written security advice, Matt Mitchell uses the approach of labeling articles with “best by” dates. Short-lived security advice in your articles should be labeled with expiration dates, more like perishable items such as bread than those delicious, highly-processed snacks that will survive nuclear fallout.
Likewise, pointing to canonical documentation instead of writing your own step-by-step security guidance will help to futureproof your articles. For example, if you’re writing about how to use a security feature from Apple, linking out to their documentation is an easy way to ensure future readers will get the most up-to-date information.
Regularly updated advice
At Freedom of the Press Foundation, we write a number of security guides to support journalists who want to learn more about how to protect themselves online. We want to be a reliable source for journalists, so we take care to keep articles up to date and want readers to know it. That’s why at the top of our articles we will note the last date an article was updated.
However, these little banners also require keeping track of which articles need to be updated, and how frequently. Everyone’s approach to this problem will be different. I’m partial to spreadsheets with the basic article information, such as title, writer, publication date, suggested update interval, most recent update, and “Time to take a look!” fields.
Certain types of articles are fairly evergreen and require little maintenance over the years—for example, a guide to understanding metadata. But many others demand more regular updates, such as our guide on Signal, which often rolls out new features that may be important to our readers. Likewise, certain types of advice require more regular attention because the stakes of getting things wrong are higher—for example, materials about how to reach out to media organizations with sensitive tips.
One of the difficult decisions we’ve had to make over the years is whether to continue supporting articles, or to sunset them. Some guides drive little traffic and are not critical to our audience, so we’ve applied labels to them to let readers know they are no longer updated. Looking at analytics can be helpful for decision-making, but the role of a particular article in your organization and for your audience also matters. Even if they don’t drive much traffic, some articles are important to support and keep up-to-date for our specific audience, such as a guide to security considerations when setting up confidential tip pages.
Whether it’s internally facing for your newsroom or externally facing for your audience, we often don’t talk to each other enough about the challenges we run into with writing technical guidance. If you’re a journalist and this is something you’d like to talk about more, my team would love to speak to and learn from you as well. Reach out any time.
Dr. Martin Shelton is the principal researcher at Freedom of the Press Foundation, conducting user research on harassment of journalists and digital security education in J-schools.