Say, there’s an activist who’s going to pass the border. He is flying to an international conference with a usb flash drive and some sensitive data on it. Commonly we suggest this story to our trainees and do some brainstorming. We ask people to give us a list of possible risks. Examples:
- The sensitive data on the drive can be read (wiped, corrupted, etc.) = digital security risk.
- The drive itself can be damaged (stolen, replaced, etc.) = physical security risk.
- The information can be claimed as illegal by authorities and the activist will face legal charges = legal security risk.
- The incident itself may put the activist under stress = psychological security risk.
Usually a digital security trainer would advise to encrypt data on the disk. However, I witnessed a trainer being confused by a very simple question: “If I’m asked to provide my password for the encrypted drive/container and I refuse doing this, will my refusal be legal or not?”
On the other side, adversaries probably don’t even want the mentioned activist to provide any passwords and decrypt his data. They will not go as far as destroying his device physically. Their intention can be different: to make the situation stressful and to make the guy saying something provocative or offensive so they could prevent him going onboard and getting to his destination point, the conference. Learning how to use PGP won’t be of much sense here but psychological methods of handling stress could be helpful.
This is why we need holistic security.