Designing EFF’s Security Education Companion, Online Discussion Notes

FabRiders’ Network-Centric Resources project helps resource developers understand how to develop people-powered and participatory resources and establish assets for networks and communities that share ownership, enable contribution and support collaboration.  A ‘build it and they will come’ approach is likely to end up with unused and unloved content. Being deliberate in engaging beneficiaries, communities and networks in developing resources is the best way to ensure maximised usefulness and usage.  To help exemplify this Soraya Okuda shared learnings from designing and developing EFF’s Security Education Companion in this online discussion that took place on February 14th, 2017 
Also participating in the discussion (and helping with questions and taking notes) were:

Key points from the discussion

Soraya’s SEC curriculum development process steps:
    1. Research (like a lit review)
    2. Test out the material that is being designed, before even giving them to other groups for feedback
    3. Develop 15-20 user personas – 10 participant personas (classroom, library setting) and 10 trainer personas we’re trying to engage. we incorporated inclusive design elements – participants personas included unique needs.
    4. designing the site
    5. developing curriculum – what needs does each persona have?
And within those: 
  • Narrow down learning objectives.
  • Understand participant enthusiasm for different topics.
  • Utilise an iterative process.
  • Be an active listener. 

Correction: during the discussion, Soraya misspoke, saying that they have translated SEC into thirteen languages. They have actually translated SEC into eleven languages.

Further Notes

  • The SEC was developed after the US Presidential Election in 2016 to support emerging digital security trainers.
  • EFF already puts out materials like Surveillance Self-Defense, which is a resource for individuals to understand how to use tools, but not necessarily for trainers. The vision was the SEC would be a way to help trainers explain the underly concepts of SSD.
  • User centred design methodologies were critical to their approach. They engaged emerging trainers and asked them specifically what would work and what wouldn’t for training in their communities. They spent quite a bit of time testing assumptions and listening.  Soraya initially started with a set of slides, but trainers needed something physical they could hand out.
  • It took about a year to develop the SEC website, which is quick for curriculum but longer for a website.
  • Regarding Network-Centric Lifecycles – the SEC is currently in the Birth (Launch) phase, and they are hoping it will be a living document that will continue to grow
  • They started out by researching other materials that were out there and seeing what they could learn.
  • They had ten personas for participants of training and ten personas of trainers. They also included ‘inclusive design’ principles in developing those.  These were critical for their writing sprints. Two resources that were helpful for this:
  • Along with getting test curriculum, out into the field and seeing how they would be used, they distributed the materials to partners and solicited feedback.
  • Other resources that were helpful for the SEC
  • Łukasz Król submitted this great question:  I know that some information security experts have recommended against teaching PGP (and also TOR), arguing that they are difficult to set up, demotivate potential learners and that it is easy to get things wrong when using them. When is it a good idea to teach about ‘advanced’ tools such as PGP and TOR and when is it better to ignore them in favour of telling people to go for a simpler solution, such as using Signal, instead?  Start by understanding the threat model and then setting expectations about the ability to learn tools like PGP and TOR.   Sometimes it can be more critical to understand the underlying concepts behind PGP and TOR than actually learning about the tool itself.
  • To understand how good your content is, it’s critical to listen to users.  Soraya strived to make people feel comfortable to tell her what frustrates them in the materials.
  • In making sure that materials are ready to launch, it’s important not to be too much of a perfectionist.  It’s important to understand when it’s good enough, but communicating that you want feedback on how to improve it.
  • Getting back to the Lifecycles post – the process of developing the SEC has been well matched to the pre-conceptions, conceptions, and birth phase, and they are still figuring out the rest of the stages of the SEC Lifecycle.
  • Kristin Antin pointed out how when you are writing code, you are often getting inputs and eyes on the code as you are going along, but when we are working with text-based content, it can be very different. We mentioned:
  • We need to remember that user centred and human centred design methodology actually comes from good old-fashioned community organising. In terms of the SEC, it can be a tool for leadership development in those communities learning about digital security. Stay tuned to The FabBlog for an upcoming post. We also mentioned:
  • In regards to the LifeCyles – repositories for content is critical for an Afterlife. GitHub is a tool currently being used, but it’s far from perfect for text.

Questions that EFF is currently asking to help improve SEC:

  • Have you used our Security Education Companion to prepare to teach digital security to beginners? Did you look at it on a computer, tablet, phone or other device? What was your impression of the website?
  • In particular, have you used any of our Security Education 101 articles ( or Lesson plans ( to prepare for a workshop? If so, was the information helpful? What additional information would you have liked to see?
  • If you used a lesson plan (, we’d love to hear how the lesson went. Did our time estimates account for how long it actually took? Were learners still confused? What kinds of questions did learners ask? Did you feel adequately prepared to answer these questions?
  • If you used a teaching material (, such as a gif or a handout during a digital security workshop, what did you find to be useful? Were learners able to participate fully (e.g. were they asking questions that indicated that they were paying attention and understood the overarching lesson)? Did learners have questions when looking at the resource, and if so, what were they? Were instructions on handouts and on how to teach gifs sufficiently clear?Was there anything that frustrated you about using the site or any of our resources?


Conversation with peers makes this work feel less lonely, and more rigorous too! Super grateful. – Rachel