2026-05-08, Main Stage
Digital and cyber risks do not always fit into standard risk assessment paradigms; they might use different language or touch upon complex causal or interdependence relationships. This non-technical talk will guide listeners on digital security training and storytelling techniques that will leave their audience feeling more empowered and better able to assess and mitigate digital risks. It will look at how to position digital risks next to other risks and look at how smart and empathetic threat modelling can combat nihilistic feelings of universal surveillance.
Many risk assessment professionals struggle with understanding digital and cyber risk. Risks such as injury caused by fires or earthquakes have reasonably straightforward causes. Risks such as data exfiltration could be caused by a number of complex, interconnected attacks. This talk will be based on my experiences of training small teams of very different risk experts—ranging from investigative journalism editors to humanitarian workers—about digital risks. It will focus on how we can tell better stories on digital risk that leave the audience feeling empowered.
We will discuss:
- How to position digital risks next to other types of risks: I will summarise some of the conversations I’ve had with risk assessment professionals, highlighting both the easy parts of explaining digital risk and the struggles. I will also briefly mention the problem of knowledge asymmetries in cyber and digital risk assessments.
- Differences in risk assessment language used—and why they matter: this includes looking at words like “threat”, “risk”, “prevention”, and “mitigation”, and how cyber and digital risk professionals might use them differently from others.
- Why ‘standing out’ (for example, refusing to use some mainstream tools or having unusual tech use patterns) could itself be a problem. Here, we also discuss how much of the data that surveillance actors collect can be noisy and messy, and why this might be reassuring.
- Perceptions of omnipresent surveillance and ill-defined threat actors, and how those frustrate our efforts at security education: we all sometimes run into the perception that surveillance isn’t just everywhere but done by everybody. While it’s true that many different actors are involved in this ecosystem, I explain how explicitly defining those actors and explaining what they are and aren’t capable of can help empower the audiences of our trainings. In short, this is a session on how we can use standard threat modelling techniques.
- A case study on WhatsApp and Signal to explain how to best discuss risks and mitigations related to messaging and messengers.
- Time for questions and discussion!
The main audience of this talk is security trainers, security team managers, and others who frequently work with and upskill non-technical audiences. I will mostly focus on broader notions of digital risk, only going into technical details when necessary.
I hope that, after the talk, the audience will have the following key takeaways:
- How to effectively tell stories about digital risk, cyber risk, and surveillance to audiences that don’t feel too comfortable with such topics
- Building analogies, and noting differences, between digital risk and other types of risk (physical, financial, legal, etc.)
- How to empower people who might feel overwhelmed when thinking about risks such as surveillance or spyware
Łukasz is a digital security trainer based at the ICRC Global Cyber Hub in Luxembourg. He has a background in politics, technology, and international relations. He is particularly interested in digital security pedagogies, selecting secure and sustainable digital tools, and effectively supporting at-risk groups and individuals.