REPORT ON DIGITAL AND PHYSICAL SECURITY TRAININGS HELD FROM 16TH TO 19TH OCTOBER, 2019 AT KILIFI BAY HOTEL

OCTOBER, 2019. Prepared by: Tom Bicko Ooko, Project Officer, CJGEA

Contents
1.0 DIGITAL SECURITY TRAINING NARRATIVE REPORT
    Wednesday October 16th
    Introduction
    Objectives of the training
    Commencement of the training
    Introduction
    Threat modelling
    Threat assessment
    Threat actors
    Forms of threats
    Threat Analysis
    Risk mitigation
    Data protection
    Persona
    Phishing
    Safe web browsing
    SOCIAL MEDIA SAFETY
    EMAIL SECURITY
    Password managers
    Two-Factor Authentication/Verification
    Mobile security
    CONCLUSION
2.0 PHYSICAL SECURITY
    Introduction
    Definition of security management
    Session objective
    Actors and stakeholders
    Analysis
    PESTLE ANALYSIS MATRIX
    STAKEHOLDER ANALYSIS
    SECURITY INCIDENTS
    RISK ASSESSMENT
    TYPES OF THREATS
    AGGRESSION
    OTHER COPING STRATEGIES
    SECURITY PLAN
    CONCLUSION

1.0 DIGITAL SECURITY TRAINING NARRATIVE REPORT

Wednesday October 16th.

Introduction
Center for Justice Governance and Environmental Action (CJGEA) conducted a physical and digital security training from the 16th to 19th of October 2019, at Kilifi Bay Hotel in Kilifi County. The training was made possible by funding support received from two donors, Civil Rights Defenders (CRD) and KIOS-The Finnish Foundation for Human Rights. The exercise was conducted for four days and the participants targeted for this training were the CJGEA board members and staff. The training was successful, and the digital and physical security training sessions took two days each.

Objectives of the training The digital and physical security training was conducted to try and achieve certain objectives which would go a long way in helping CJGEA improve its security situation. The objectives were drawn from some of the current activities that CJGEA is undertaking and some of the security threats the organization has had to endure in the past. Among the activities include:

• Currently CJGEA is expanding to cover a wider geographical scope, i.e. the whole nation, from the six coastal counties where its operations were mainly based; hence it is most likely to face more security risks in this rapidly changing geographical context. Part of this was witnessed with the baseline survey on County Environment Committees conducted in 2018 in 30 counties, where CJGEA staff faced a lot of security threats in the field, ranging from arrogance to intimidation from the county leadership.
• The upcoming court case ruling on the Owino Uhuru class action litigation suit will escalate the security risks that the organization is likely to face, as the suit involves powerful government institutions and individuals who might use their influence and power to try and harm the organization, as has been encountered before.
• Recent attacks on some of CJGEA members and staff during field work also brought the security issue right to our doorstep; many of our EHRDs have been attacked for their work in defending the environment. Our staff recently faced hostility from some unruly youths of Owino Uhuru when they went to the community for fieldwork.

All these factors pushed us to want to address our security situation, hence the decision to immediately hold a physical and digital security training for the staff and board members. The following are some of the objectives which were set for the security training.

1. To expose the board members to the security risks and threats that the organization faces or is likely to face with its expansion to other counties, to enable the board to enact policies that will be in line with the organization’s expansion plan and shield it from any form of security harm.
2. To familiarize CJGEA staff with the security threats they are likely to encounter in the line of their day-to-day work, both in the office and in the field, especially the new staff who are yet to come across some of the security risks.
3. To prepare the organization and educate its members on the security threats they are likely to face upon the issuance of the judgement on the Owino Uhuru Class Action Litigation suit, which is most probably going to favour the petitioners.
4. To understand the security threats that CJGEA is likely to face with the anticipated formation of a national coalition for grassroots environmental movements, EHRDs and LEDs that will first operate under the banner of CJGEA before it is formally registered to exist independently.
5. To equip the organization’s personnel with practical and implementable mitigation measures for the security risks and threats they are facing or are likely to face, to ensure the organization and its entire membership are safeguarded at all times.

Commencement of the training

Introduction At exactly 9.00 a.m. after the registration of all participants who were present for the training, Tom Bicko who happened to be the head of the programs department at CJGEA welcomed the members present for the training and introduced CJGEA board chair who gave his welcoming remarks, and officially opened the training. Thereafter, Tom gave the participants a chance to quickly introduce themselves after which he gave a brief speech on why the training was being conducted and emphasized on the importance of holding the security training at that particular time and how the same would impact on the organization’s security and that of its personnel. He finished by opening the floor to the Ugandan trainers who were next in the agenda. Prior to the digital security training, each participant was sent a monkey survey which was a pre-training assessment to guide the trainers on what skills the trainees required most in terms of digital security.

I. Training – Encrypt Uganda (Emmanuel Magambo)

Introduction
He began by giving a brief introduction of what they deal with as Encrypt Uganda and thereafter gave an overview of what the training would entail, and gave the participants the opportunity to add anything that they felt was important for the training and might have been left out. He then proceeded to begin the training, and Tania Okumu was appointed to be the time keeper to ensure that we operated within time.

Training overview
1. What needs protection?
2. What are the threats and vulnerabilities?
3. What are the associated risks?
4. How do we mitigate/minimise these risks?

Digital security
Digital security was defined as the protection of computer systems and data from unauthorised use or harm. The concept of the CIA triad was introduced; it needs to be fulfilled at all times when dealing with digital security.

Figure 1 showing CIA Triad

o Confidentiality (being able to keep your data safe and using it for the intended purpose without any interference from a third party)
o Integrity (permission to documentation; ensuring nothing has changed)
o Availability (have a back-up)

Warm up
This entailed a self-assessment of the digital security risks that one has ever engaged in. Each person was given a self-assessment form to fill in and gauge themselves by adding up the total marks they got, to see how safe they were digitally. Here is the Self-Assessment form. As we proceeded with the exercise, we were asked to ponder the following two specific questions and give the answers at the end of the exercise.
• What made you want to come to the workshop today?
• What questions would you like answered?

Threat modelling
Threat modelling is the process of identifying potential risks and threats, then creating counter-measures to respond to potential threats. It was noted that this is something we actually need to do in everyday life.

Figure 2 Showing threat modelling cycle


The process entails threat definition (which is also the assessment of the threat itself), identification, examination, and mitigation.

Threat modelling terms
There are five terms used in threat modelling:
Assets: the things we value most
Threats: anything that can cause damage to an asset
Adversary: the person or organization attempting to undermine your security goals
Vulnerability: a weakness in an asset
Risks: the likelihood of something bad happening

Threat assessment Wikipedia definition: Is the practice of determining the credibility and seriousness of a potential threat, as well as the probability that the threat will become a reality OR: Is the process of identifying possible threats to an asset.

Steps of Threat Assessment
The following steps are essential in determining the credibility and seriousness of potential threats:
Step 1: It must identify what needs to be protected, such as physical assets or sensitive information.
Step 2: It must identify all of the threats and vulnerabilities that the assets are likely to face.
Step 3: It must lay out the full implications of what would happen if any of the assets were to be damaged.
Step 4: It must give solutions regarding how to minimize the asset's exposure to threats.

EXERCISE 1: digital mapping
• The following exercise entailed identifying digital assets that we are trying to protect, for example
o file those under the device/the method we use to store it.
The following picture gives an illustration of some of the digital assets we try to protect.

Figure 3 showing some digital assets likely to be protected by an individual/organization

EXERCISE 2: sensitivity level testing


• Group work on deciding the sensitivity level of certain threats on an organisational level. Main takeaways:
o There are many high level sensitivity threats;
o Perceived sensitivity level is not the same for everyone (discussion about, for example, official certificates and office contact information);
o For low level sensitivity threats, integrity (see: CIA triad) is very important;
o Differentiate between platform and content sensitivity. For example, social media content itself may not be sensitive, but the platform (as a very clear measure for credibility of the organisation) is.

Threat actors
Threat actors are people or organisations behind a threat or a malicious incident.
i. Insiders - Classified as the biggest threat actors since they have access to most of the organizational resources. The following solutions were proposed to mitigate insiders as a threat:
1. Putting in place access controls.
2. Issuance of a visitor's card to any guest who enters the organization, e.g. electricians. This prevents them from posing as, or being mistaken for, part of the organizational staff.
3. Time restrictions on organizational computers, such as automatic lockdown after 5 pm, to prevent people from accessing organizational resources past working hours.
4. Mandatory vacations/leaves for staff to prevent overreliance on some staff and their unchecked control over organizational resources.
5. Staff job rotation for sharing of skills and knowledge, to ensure the smooth running of the organization in case a key employee fails to turn up for work.
6. Clean desk policy, where no paper should be left at an employee’s desk. The reason is to prevent visitors from accessing what employees are working on. In addition, it ensures the security of printed data as it is safely stored in locked cabinets.
7. Conducting background checks before recruiting employees to evaluate their behaviour, integrity, and qualifications.
8. The signing of a non-disclosure agreement by employees to ensure that they do not disclose organizational information to outsiders.
ii. Competitors - The risk is invisibility of our organisation.
iii. Organised crime - e.g. someone within government can access your information, or Safaricom mobile company can release your data to the authorities etc.

Forms of threats EXERCISE 3: Forms of threats that our organisation has faced or may face in the future The discussion on threat actors led to a conversation on the forms of threats that CJGEA is likely to face. A debate was done on both personal threats that the board, staff, and organizational stakeholders can face and those threats that face the organization as an entity. The following forms of threats were discussed:


1. Intentional
It is an intended act by a person or organization to harm CJGEA systems and data through: infection with a virus or adware; theft; access of unsecure sites that can lead to loss of data integrity, malware infection or phishing; lying to obtain sensitive information (e.g. M-Pesa); threatening; kidnapping; physical violence. The main point was that an intentional threat is planned for and executed willingly by an organization or individual with the aim of harming the entity.

2. Accidental threats
Threats are sometimes accidents due to some internal issues such as:
a. Human mistakes: losing data by mistake, not saving documents while working on them
b. Material malfunction: power outage, system crashing, fire, road accidents etc.

3. Natural
These are threats that are beyond the control of human beings; they are events that occur naturally without the contribution of man. They include lightning, flooding, wildfires, landslides, strong winds, hailstorms and animal attacks. It was also acknowledged that these impacts may severely increase due to climate change. Natural occurrences like heavy rains have destroyed CJGEA CCTV cameras on several occasions, making the organization incur costs in repairing the cameras.

4. Internal
These are threats that arise from within the organization and they include:
• Use of outdated software
• Use of weak passwords on computers
• Employee’s negligence and ignorance, e.g. using an inactivated operating system and Microsoft Office
• Lack of back-ups for data
• Poor IT infrastructure
• Blackmail, corruption, and threats
• Rodents eating away cables, e.g. CCTV cables, leading to poor surveillance
• Theft (data/physical assets)
• Not having a clear visitor policy

Threat Analysis It is the process of identifying and managing potential threats. The process is a cyclic one that begins with risk identification, risk measurement, risk response and finally review and monitoring which leads back to risk identification. The following were identified as the main threats that CJGEA would encounter.

Threats to be aware of:
● Malware
● Ransomware
● Surveillance
● Cyber bullying
● Adware
● Man in the middle
● Spyware
● Phishing
● Hacking
● Break-ins
● Theft of gadgets
● Risk analysis
● Identity theft

Exercise 4
The identified risks were then measured by filling in a risk register form and using a risk register provided by the trainers. A risk such as hacking was ranked as critical based on the register after using the formula:
Risk = likelihood (probability) × impact

Figure 4 showing risk register

Table 1: Showing risk register form

ID | Threat type | Threat description | Probability | Impact | Risk ranking | Risk response action

NB: Risk = likelihood of something bad happening or likelihood of a threat exploiting a vulnerability

Risk response A risk response was thereafter discussed after risk identification and measurement. Risk response is the process of controlling an identified risk and it involves the following measures:


Thursday October 17

I. Recap of Day 1
As usual the training commenced with the registration of the participants at 8:00 a.m., and by 8:30 a.m. Mr. Magambo from Encrypt Uganda took over the program to continue with the training. The participants reminded themselves of the important things they learnt the previous day, and they were actually able to state what threats are and how they can identify them.
II. Training rest of day 1 – Encrypt Uganda

Risk mitigation (as a form of risk response)
Risk mitigation is the process of planning for disasters and having a way to reduce their negative impacts. It involves having controls and best practices, such as the following.

Basic computer security tips:
1. Install and enable a firewall. A firewall is an application that filters information coming to your system from the Internet and blocks potentially harmful programs. Safe firewall applications may include:
a. pfSense (free)
b. Sophos (premium)
c. Comodo (premium) etc.
Windows Firewall allows you to customize settings for both private and public networks. You can also turn the software on or off (on by default) in Windows 10, as it is built into the system. Use the following steps in Windows 10:
• Go to the search box.
• Type firewall and press Enter.
• Select Windows Firewall.
• Turn Windows Firewall on or off.

2. Use anti-malware
Antimalware (anti-malware) is a type of software program designed to prevent, detect and remove malicious software (malware) on IT systems, as well as individual computing devices. Antimalware software protects against infections caused by many types of malware, including all types of viruses, as well as rootkits, ransomware and spyware. Antimalware software can be installed on an individual computing device, gateway server or dedicated network appliance. It can also be purchased as a cloud service, such as McAfee's CloudAV product, or be embedded in a computing device's firmware. Some of the anti-malware services available in the market include:
a. Sophos (free)
b. Kaspersky (premium)
c. McAfee (premium)
d. Norton (premium)
e. Avast
f. McAfee
NB: even though some of these may offer partially free services, these are not as complete as the paid ones. Whatever anti-virus software you choose, it should protect online activity as well as offline activity.
3. Use an account without administrator’s rights if other people want to use your device
4. Use a password-protected screen saver
5. Password protect start-up login: demonstration
a. BIOS
6. Enable full disk encryption
7. Keep an updated backup of your data
8. Use cable locks (a physical lock that you can use to secure your device)
9. Never leave your computer unattended (timed screensaver)

Data protection
There exist two forms of data:
o Data in transit: data actively moving from one location to another, such as across the internet or through a private network (e.g. email).
o Data at rest: data stored on a hard drive, laptop, flash drive or other storage medium.


Best practices for data protection (for both forms of data) The following should be practised to ensure that both our data on transit and at rest are protected and safe at all times.

Data encryption and backup tools
The following options were given to the participants to choose from when looking for applications and software to use for backing up and encrypting data.
1. BitLocker (demonstration): drive encryption for Windows
This allows you to encrypt your laptop, and the advantage with it is that the password can never be bypassed, at least for now. The trainers took us through a practical demonstration that allowed the participants to follow keenly and teach themselves how to set the BitLocker password on their computers.

Steps to follow when setting up a BitLocker password on your computer
• Search for edit group policy in the search box and press the Enter key.
• Choose local computer policy.
• Choose administrative templates.
• Move to Windows BitLocker.
• Move to operating systems drive.
• Move to require additional authentication at start up.
• Set the BitLocker password that you will never forget.
• Reboot the computer to have the password functioning.


2. Veracrypt: disk encryption software Veracrypt allows one to protect their data by hiding the sensitive documents or data so that a third party is unable to access it even if they were to access the computers. The trainers took us through the process of how the application works. The first step is to download it from their safe site on the internet and thereafter installing it in the computer. After that, it would be following the steps of setting up the passwords and transferring the documents to Veracrypt to keep them safe.

Other data back-up tools include:
• filevault2;
• iCloud;
• Axcrypt;
• PGP (Pretty Good Privacy);
• Azure;
• (1 terabyte);
• Time machine;
• sync.
It is recommended to have a password of at least 20 characters.

Persona
A persona is a “character”, or “profile”, of a user that represents a summary of real, community-wide characteristics.
Importance of a persona:
• It allows digital security trainers to better understand participants during trainings.
• It helps trainers determine what topics should be covered and the best mitigation strategies to recommend.
• A persona facilitates threat-modelling activities during training.

III. Online safety
Online safety represents the process of staying safe on the Internet.
3. Online threats include:
• Malware
• Phishing
• Rootkits - piece of data that starts tracking your every online move and sends it back to a server
• Trojan horse: presented as a gift that is a threat
• DoS and DDoS: (Distributed) Denial of Service
• Spamming
• Man-in-the-middle etc.

Phishing Phishing: Is the fraudulent attempt to obtain sensitive information such as usernames and passwords by posing as a legitimate person or entity.

How to Identify Phishing Attacks:
• Emails with generic greetings
• Emails requesting personal information
• Emails requesting an urgent response
• Emails with spoofed links

Steps to mitigate phishing:
• Verify every email sender’s address
• Confirm sender’s identity if unsure
• Report suspicious activity to technical teams or IT personnel
• Don’t open email attachments from unknown senders
• Think twice: don’t click on links in suspicious emails
• Double check, especially if the email is about sending money, bank details or sensitive information
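The warning signs and the sender check listed above can be tested mechanically on a received message. The following Python code is an added example, not part of the training material or of any tool used by CJGEA or Encrypt Uganda; the phrase lists, function names and the sample message (built on reserved example domains) are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed phrase lists for illustration; tune them to your own mail.
GENERIC_GREETING = re.compile(
    r"\b(dear|hello|hi)\s+(customer|user|client|member|sir|madam|account holder)\b", re.I)
PERSONAL_INFO = re.compile(
    r"\b(password|pin|username|account number|bank details|id number)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|act now|within \d+ hours?|will be (suspended|closed))\b", re.I)
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

# Constructed sample message, not a real email.
SAMPLE = """\
From: "Example Bank Support" <support@example.net>
Reply-To: collect@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Your account will be suspended within 24 hours. Confirm your PIN and
password at <a href="http://login.example.com/verify">https://www.example.org/account</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def spoofed_links(html):
    """Links whose visible text names one site while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links
            if DOMAIN_LIKE.match(text) and host_of(text) != host_of(href)]


def domain_of(header_value):
    """Domain part of the address in a From or Reply-To header ('' if absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def phishing_indicators(raw_email):
    """Return the names of the warning signs found in one raw message."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = str(msg.get("Subject", "")) + "\n" + re.sub(r"<[^>]+>", " ", body)

    found = []
    if GENERIC_GREETING.search(text):
        found.append("generic_greeting")
    if PERSONAL_INFO.search(text):
        found.append("requests_personal_info")
    if URGENCY.search(text):
        found.append("urgent_response")
    if spoofed_links(body):
        found.append("spoofed_link")
    # Sender check: replies would go to a different domain than the sender's.
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != domain_of(msg.get("From")):
        found.append("reply_to_differs_from_sender")
    return found


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A hit is a reason to confirm the sender's identity or report the message, not proof of phishing; a message with no hits can still be malicious.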

Man-in-the-Middle attack
A cyber-attack where someone gets in between you and your online activity.
Common targets:
a. Online shopping
b. Online banking
c. Email accounts etc.
Man-in-the-middle attack prevention
• Avoid Wi-Fi connections that aren’t password protected
• Enforce HTTPS connections
• Use a VPN
• Do not use public networks when conducting sensitive transactions

Safe web browsing
Browser: a program you use to view websites on the internet (e.g. Chrome, Safari, Microsoft Edge etc.)
Protecting web browsing
• Customise security settings
• Use a VPN to hide identity
• Update your software
• Never store passwords in your browser
• Block pop-ups and scripts
HTTP vs. HTTPS:
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol Secure. HTTPS is far more secure than HTTP.

Web browser security extensions:
• HTTPS Everywhere: to get HTTPS connections on most sites
• Avast Online Security: detects dangerous sites and protects against phishing scams
• Privacy Badger: blocks sites that want to track your browsing habits
• Click and Clean: clears traces of online activity
• Adblock Plus: blocks ads in the browser


SOCIAL MEDIA SAFETY

Social Media Essentials
1. Security Features and Privacy Settings:
Connection Security - Does the social media site provide a connection over SSL? If it doesn’t, your content can be seen as it is sent between you and the internet.
Privacy Features - What privacy options are provided for users? Is all of your information available to those with an account? Can you choose to share personal data or shared content securely with a small number of users? Or is it shown to all users by default?
Location Tracking
What Are You Choosing to Share? - When you share information you might be making information available about yourself and others to people who want to abuse or misuse it.
Who are your friends? - Do you know all these people? Do you trust them with everything you post online that they can see? Don’t accept “friend” or contact requests easily. In particular, ask yourself:

EXERCISE: The trainers engaged all the participants in an exercise that involved being taken through steps to change personal settings on Facebook for optimised security. Most participants actually realized that they were exposing more information on social media than they were supposed to, which was not a good thing for their security.

EMAIL SECURITY
Email safety describes various techniques for keeping sensitive information in email communication and accounts secure against unauthorized access, loss, or compromise.
The need for email safety:
a. To protect confidential info
b. Avoid identity theft
c. Phishing
d. Malware


Email security best practices

Password management and 2 step verification
Password: access control for optimised security/protection

Challenges of password management
• Beware of spoof logins, where your password is stolen through a fake portal
• Sniffing attack
• Shoulder surfing attack (physically looking over someone’s shoulder)
• Brute force attack
• Phishing attack

Traditional methods of password management
The participants were told to refrain from using the traditional methods of password setting and password management as they are not safe. Some of them include:
• Writing down passwords on sticky notes, notebooks, etc.
• Sharing them via spreadsheets, email, telephone, etc.
• Using simple and easy to guess passwords
• Reusing them for all web applications

Examples of weak passwords
• Any word that can be found in a dictionary (e.g. security, mother etc.).
• A dictionary word with some letters simply replaced by numbers (e.g., a1rplan3 or aer0plan0).
• A repeated character or a series of characters (e.g., AAAAA, ABCD or 12345).
• Personal information (names of your kids/friends, birthdays, etc.).
• Anything that’s written down and stored somewhere, e.g. near your computer.


Most people came to realize in the training that actually they had weak passwords and were left with no option but to change them into strong passwords to ensure that they are fully secure at all times.

Attributes of strong passwords

Strong passwords are unique; very long; fresh; practical; impersonal; a secret mixture of upper/lower case letters; numbers and special characters.
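The weak-password patterns and the strong-password attributes listed above can be checked in code before a password is accepted. The following Python code is an added example, not part of the training material; the small word list, the substitution table and the function names are assumptions constructed for illustration, and the 20-character minimum is the recommendation given under the data back-up tools earlier in this report.

```python
import string

# Constructed sample word list; a real check would load a full dictionary.
WORDS = {"security", "mother", "airplane", "password", "kenya"}

# Common number-for-letter swaps, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 20  # recommendation quoted earlier in the report


def longest_run(text):
    """Length of the longest stretch of repeated or consecutive characters,
    e.g. 5 for 'AAAAA' or '12345' and 4 for 'abcd'."""
    best = run = 1 if text else 0
    prev_step = None
    for a, b in zip(text, text[1:]):
        step = ord(b) - ord(a)
        if step in (0, 1, -1):
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        best = max(best, run)
    return best


def weaknesses(password, personal=()):
    """Return the weak-password patterns that `password` matches.

    `personal` holds strings the owner should never use: names of
    children or friends, birthdays and similar personal information.
    An empty list means none of the checked patterns matched.
    """
    lower = password.lower()
    found = []

    # Plain dictionary word, or one with letters replaced by numbers.
    if lower in WORDS:
        found.append("dictionary_word")
    elif lower.translate(LEET) in WORDS:
        found.append("dictionary_word_with_substitutions")

    # Repeated character or a series of characters anywhere inside.
    if longest_run(lower) >= 4:
        found.append("repeated_or_sequential")

    # Personal information embedded in the password.
    if any(len(item) >= 3 and item.lower() in lower for item in personal):
        found.append("personal_information")

    # Strong-password attributes: very long, mixed character classes.
    if len(password) < MIN_LENGTH:
        found.append("too_short")
    classes = (
        ("uppercase", any(c.isupper() for c in password)),
        ("lowercase", any(c.islower() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special", any(c in string.punctuation for c in password)),
    )
    missing = [name for name, present in classes if not present]
    if missing:
        found.append("missing:" + ",".join(missing))
    return found


if __name__ == "__main__":
    for candidate in ("security", "a1rplan3", "12345",
                      "Violet-Kiln7!marsh_Quota3"):
        print(candidate, weaknesses(candidate))
```

The check cannot see whether a password is reused across accounts or written down near the computer; those two points from the lists above remain a matter of habit.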

Password managers
These are tools used as a digital vault to store your login credentials safely. Some of them include:
• KeePass
• LastPass

Two-Factor Authentication/Verification
An extra layer of protection used to ensure the security of online accounts beyond just a username and password. The trainers took us through a practical demonstration of how to set up two-factor authentication on our email accounts. Two-factor verification connects the activity on your email account to your cell phone: before you sign into your Gmail account, a notification with a code is sent to your phone to allow you to verify that you are truly the one who wants to access your account. This has made it impossible for people to hack personal and work accounts of people, as they must first have your phone to access your account.


Figure 5 illustrating how 2 factor verification works.

Mobile security
The following are points to consider in knowing whether you are secure or not.
• What is the content of your communications?
• With whom do you communicate?
• When?
• Where are you calling from?
• What device are you using?

Mobile security related issues:
The following are some of the security risks that the trainers and the participants identified as security related issues for mobile phones.
• Physical security (lost, stolen, borrowed)
• Phishing (soliciting of sensitive information)
• Bluetooth attacks (Bluejacking, Bluesnarfing)
• Application security (apps requesting too many privileges)
• Malware attacks (Trojans, viruses, spyware)
• Phone tapping (government, service providers)

Mobile phone protection:
The following should be considered to ensure the safety of our mobile devices at all times.
• Use a passcode
• Be selective with your apps
• Keep software up to date
• Install mobile anti-malware
• Write down your IMEI
• Connect to secure Wi-Fi and use a VPN
• Enable remote wiping
• Enable mobile encryption
• Completely wipe all data on the phone before disposal
• Backup your phone regularly
• Turn off inactive Bluetooth

Secure mobile applications:
The following are some of the applications that were identified as secure to use on mobile phones. Most of the activists actually use the following applications for their security.

• Signal, Chat secure, Silence, Sophos,
• Kaspersky, Whatsapp, NordVPN, Telegram,
• Comodo android Antivirus, Mcafee.

CONCLUSION The digital security training session came to a conclusion at 6:08 p.m. on this day with a word from Tania Okumu who gave the vote of thanks to the participants together with Silas Enane on behalf of the board. The trainers also thanked us so much for our cooperation and on our attendance of the training. All the participants were given a chance to voice out their views on how they felt about the training and whether they had learnt anything. The reviews from the participants were mostly positive and they expressed their gratitude as they had the chance to learn a lot of digital security tips which they were not privy to before. The participants exuded confidence that their digital security was going to improve tremendously as they now had the knowledge to control the threats that they experienced before or those that might come their way in future with regards to their digital security. The trainers encouraged us to put into use the security tips they trained us on and told us to never hesitate in reaching out to them whenever we needed any assistance in terms of digital security. They also promised to send a post-training assessment to each participant which they fulfilled when they sent the monkey survey two weeks later after the training.

The following were among the security tips that the participants were able to grasp from the training.

General Digital Security tips from the training.
• Think before you download software and stay up-to-date
• Use unique and complex passwords
• Use a password manager
• Enable 2-factor authentication on all your accounts
• Use end-to-end encrypted communication tools
• Encrypt your hard drive and phone
• Choose the right web browser and security settings
• Detect and prevent phishing attempts
• Encrypt and backup your data
• Anti-malware protection is a must
• Don't store passwords with your laptop or mobile device
• Set your device to automatically lock after a period of inactivity
• Don't use the same password for more than one account or service
• Develop a security plan
• Always register and assess each threat you face
• Never leave your devices unattended


2.0 PHYSICAL SECURITY (SECURITY MANAGEMENT) TRAINING HELD ON FRIDAY, 18TH AND 19TH OCTOBER 2019 AT KILIFI BAY HOTEL.

Introduction
This was the third day of the training, which marked the commencement of the physical security management training. This was a very critical part of the training as we were to be trained on the physical security risks we are likely to face as an organization and to develop ways of protecting ourselves from such security risks. CJGEA has faced several physical security risks in the past and this is most likely to escalate as we approach the court ruling in 2020. This training therefore came at an ideal point in time to prepare us early enough, psychologically and physically, for what is to come. The training was delayed a bit as the trainer who was to train us on the session failed to show up, citing frustrations at the airport. Mrs Salome Nduta of NCHRD-K reported late to the airport and hence missed her flight to the training. This was unfortunate as we were looking forward to the third day of the training commencing as smoothly as the previous two days. It also meant loss of funds for the organization, which was not good for our budgeting. Luckily enough, she managed to send one of the consultants that NCHRD has worked with for a long time to come and conduct the training for us, and we were glad for that. The trainer was briefed by her and me on the security areas that we felt we needed training on and we were good to go. Everybody went through the registration process for the security management training and here is the participants list.

Physical security management training – Patrick Ochieng’
Mr. Patrick Ochieng’, who was the new trainer from one of the consultancy firms that work closely with NCHRD, came by 9:40 a.m. and by 10:00 a.m. the training began.

Definition of security management
The trainer went through the program and the training commenced by us understanding what comprehensive physical security management meant. The following was given as an overall meaning of security management. Security management is the identification of an organization's assets (including people, buildings, machines, systems and information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets. An organisation uses such security management procedures as asset and information classification, threat assessment, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that they can implement effective controls.

Session objective
Mr. Patrick went ahead to explain that the session objectives were to understand the environment that we operate in for security reasons and to learn and understand different contexts of stakeholder analysis. In addition, he said that physical threats against defenders are also perpetrated by global companies; it was therefore a must that we think globally to address them. Furthermore, he explained that environmental defenders are targeted for what they do and who they are. The session objectives were listed as below:
• To outline and discuss physical security measures that respond to the needs of the Centre
• Scope:
  - Individual protection of the organization's personnel
  - Working environment of HRDs
• Key topics
  - Working Environment Analysis
  - Political, Social, Economic, Environment…
  - Force Field Analysis
  - Stakeholder’s Analysis
  - Conduct a Risk Assessment
  - Coping and reacting to threats
  - Developing a security plan
  - Security tips for HRDs

Session Methodology
The training applied the following methodology to ensure that knowledge was transmitted from the trainer to the trainees efficiently.
• Plenary discussions
• Group work
• Brainstorming
• Energizers
• Case Study
• Power points
• Buzz groups

Why the security training was important at the particular time.
• Because of the work the organization is involved in as an Environmental Human Rights organization.
• Environment is also related to overexploitation of resources, greed;
• Environment and human rights are very closely linked;
• Dimension of power (vested interests)
• In confronting power, that is where it gets dangerous - punishment for confrontation of power.
The trainer noted that the training will take on a strategy of focusing on discussion of personal experiences and not purely on teaching.

Exercise to create a Learning Environment
After the introduction part we moved into the warm up session where we were divided into two groups and instructed on how to compete. The game was to prepare us for the training. The game involved three characters, i.e. rabbit, wall and arrow, whereby an arrow kills a rabbit but cannot pass through a wall. Consequently, a rabbit can jump over a wall but cannot escape an arrow. The two groups therefore had to face backwards, choose one of the characters and turn to face each other at the same time to determine which group won according to the character they chose.


Reflections from the game
• Tried to understand the other group, thinking of tactics; compromise had to be made.
• On leadership: at first, everyone wanted to be a leader in order to choose what character the group should pick.
Relating this to security:
  - This game might be reflective of challenges we face; everyone has some ideas on how they think we should deal with it. Sometimes one concedes, without agreeing.
  - With security, compromises are very “expensive”. One wrong decision can have very serious impacts.
  - There are variables you can’t control (the other people, in this case).
It is worth noting that the second group won the game, defeating the first group 2 to 1.

Some of the main objectives to be achieved during the training included:
Outlining and discussing physical security measures that respond to the needs of the organization:
• Individual protection of CJGEA personnel: this comes first, as this is the identity you carry first.
• Working environment of the organization.
Key topics to be tackled were:
• Conducting a working environment analysis (political, social, economic, environment)
  i. Force field analysis
  ii. Stakeholders analysis
• Conducting a risk assessment for the organization
• Coping and reacting to threats that are likely to be associated with the organization
• Developing a security plan that will protect the organization and its personnel
• Identifying and disseminating security tips for the organization’s personnel

Understanding context
Context and working environment
We were made aware of the importance of understanding our working environment for security reasons. We got to learn that there are forces involved in our work and they include those that resist our work, those that support our work, those that are hidden and that we don’t know about, and those that are undecided since they are not sure on which side they stand.

Actors and stakeholders
i. Corporate world
These mostly consist of the businesses and profit making organizations; they always want profit, at whatever cost, even to the point of killing for it. Most of these companies according to the trainer are global, so the scale of one killing almost seems to dwarf in their company “balance” as they have no regard for human life but rather profit and ready cash. We should therefore always think of the risks we might face not on a local scale alone, but also at a global scale since a global company might be the one posing security threats to organizations like ours.
ii. Political
These are the government authorities that wield the symbols of power and are mandated to govern and rule. The political class have the power to decide on behalf of its citizens. The relationship between the government and the organizations can be divided into three categories depending on the context in which an organization relates to that government.
• Convergence – This is where the political class work closely together in harmony with the organizations. This can be as a result of an organization supporting an initiative by the government. This makes the government want to be closely associated with such organizations.
• Divergence – This is when the government works against you. This may arise when the organization in question is against certain policies employed by the government to stamp its authority. They may range from abuse of public office to violation of fundamental human rights.
• Suspicion – This is where an organization is not 100% sure whether the government is working with them or against them. This can be due to many factors as an organization may feel the government is leaning to their side and at the same time suspect it’s working against them.
iii. Economic – We must understand the context of the stakeholders in these fields to have the appropriate security measures. Economic factors that may lead the organization to face serious security risks include the failure to comply with the tax obligation and the lack of receiving donor funding to run its activities.
iv. Environment – The environmental factors, e.g. climate science and change, can affect the work of organizations.

Examples of Safety threats experienced by participants

Anastacia Nambo
Has faced several security risks and threats for defending against lead poisoning in Owino Uhuru community. The security threats range from raids and arrests to death threats. At some point, she had to flee to Uganda to seek asylum from her transgressors. The threats faced by Anastacia were emanating from both state and private actors.

Hamisi Diyo
Hamisi Diyo was a smelter worker at the lead smelting industry that was located in the Owino Uhuru community. He also doubles as a board member of CJGEA representing community interests in the board. Hamisi Diyo was a witness in the on-going class action litigation suit and for this reason he has faced a lot of threats to his security. At one point, CJGEA had to relocate him to a safe house where they stayed for some time with the other witnesses. Hamisi fears that the security situation of the organization is going to worsen even as we approach the ruling of the case next year.


Analysis
Understanding your environment
The trainer made it clear to us that we are targeted as an organization because of the kind of work we do and who we are and what the government perceives us to be.

Self-Assessment: field force assessment
In two groups, we were given the self-assessment form to fill out to try and find out how much we understood our working environment.

Figure 6 Template for filling out the self-assessment to identify the working environment

Reflection on self-assessment: field-force assessment
From the small exercise we conducted, we found out that:
• Some powers can be supportive on one side and opposing on the other (think e.g. government).
• Dictatorships may come in different forms:
  a) Right now, we live in totalitarianism, but it is inverted. It may look democratic, but we cannot do certain things like demonstrate freely (is dispersed on start).
  b) Extra-judicial killings. Over the past years, more than 50 extrajudicial killings have been recorded. There exist many other cases that have not been recorded (examples given for some of the extra-judicial killings include bodies in Tsavo, killing of Makaburi and Aboud Rogo).
• At the early stage of the training when we did the exercise we tried to understand our environment of operations, but we were not yet well able to specifically define supporting/opposing forces (e.g. donors). This makes a difference, because private donors may be able to do certain things that you cannot do with government money and vice versa; for example, if we accept USAID money, we may become fund managers.
• It was deliberated that going forward we had to be more specific in identifying and analysing the kind of environment we work in.
• Collaboration with allies is very important; when you have measures placed against you, you have somewhere to go. If you exist in monopoly, the state will find you and will profile you a certain way (example of students who were involved in student riots at Nairobi university).

N/B
i. The government can use your weakness to pin you down, e.g. failure by the organization to comply with the tax remittance regulations.
ii. Human Rights Activists are nowadays targeted in a different way from how it used to be in the 1980s. The government nowadays kills the EHRDs in secrecy, like in the case of Willie Kimani, unlike the way it used to be then. This even calls for the activists to be more cautious than ever.
iii. It is very critical that the organization maintains its identity especially now that the high court ruling in the Owino Uhuru case is approaching. This will ensure that the government (respondents) does not backtrack on its obligation to the organization and the community as the court might direct, citing reasons that the same entity that sued them is not the one receiving compensation.
iv. We need to prepare for any outcome in the Owino Uhuru Litigation Suit as the government might influence the court’s decision or might decide to appeal the case altogether if the community and the organization win.
v. The Board members are nowadays liable for any shortcomings in the organization and therefore they are answerable to the government if anything goes wrong in the organization. The board should therefore ensure that the organization is run according to the laid down principles to avoid any security risks facing the organization.
vi. Start thinking about safety in this way: if we as CJGEA are doing a court case, think about if (and how) this affects you on an individual level.

PESTLE ANALYSIS MATRIX
PESTLE analysis is a concept in organizational/corporate principles. This concept is used as a tool by companies/organizations to track the environment they’re operating in or are planning to launch a new project/product/service etc. in. PESTLE is a mnemonic which in its expanded form denotes P for Political, E for Economic, S for Social, T for Technological, L for Legal and E for Environmental. It gives a bird’s eye view of the whole environment from many different angles that one wants to check and keep track of while contemplating a certain idea/plan.

There are certain questions that one needs to ask while conducting this analysis, which give them an idea of what things to keep in mind. They are:
• What is the political situation of the country and how can it affect the industry?
• What are the prevalent economic factors?
• How much importance does culture have in the market and what are its determinants?
• What technological innovations are likely to pop up and affect the market structure?
• Are there any current legislations that regulate the industry or can there be any change in the legislations for the industry?
• What are the environmental concerns for the industry?
All the aspects of this technique are crucial for any organization especially one like ours. More than just understanding the working environment, this framework represents one of the vertebrae of the backbone of strategic management that not only defines what an organization should do, but also accounts for an organization’s goals and the strategies stringed to them. It may be so that the importance of each of the factors may be different to different kinds of organizations, but it is imperative to any strategy a company wants to develop that they conduct the PESTLE analysis as it forms a much more comprehensive version of the SWOT analysis.

Political factors
These factors determine the extent to which a government may influence the organization or a certain company. For example, a government may impose a new tax or duty due to which entire revenue generating structures of organizations might change. Political factors include tax policies, fiscal policy, trade tariffs etc. that a government may levy around the fiscal year and it may affect the business environment or the organization's operating environment.

The discussion on the Owino Uhuru Class Action litigation suit and how political factors would affect it came up. The participants agreed that it is best to use a litigation suit as the last resort to environmental injustice. The reason being that the court case starts at the high court and takes a lot of time and finances, e.g. the Tuna Sauti suit has taken three years and is yet to be finalized. In addition, the decision by the high court can be appealed at the court of appeal, and the court of appeal decisions can also be appealed at the Supreme Court. This process would consume a lot of money, time and resources.

The board was brought up to speed on the fact that nowadays the Board members are the ones liable to answer any lawsuits brought against the organization by the government and hence they should always be aware of the fact that the organization's work can directly affect their private lives. The government nowadays tends to come for the BOD governing the organizations in case of any issues like tax evasion and so on. It is therefore critical that a policy is put in place, if it’s not already available, to protect board members from personal liability in case of lawsuits or organizational debt payments. Their properties should not be auctioned to pay off organizational debts as the government does nowadays.

The discussion highlighted that it is important for CJGEA to note key political players that support their work, the declared and underlying interests of the political players, the conflict present and its nature and how political powers interact with human rights defenders.

Economic factors
These factors are determinants of an economy’s performance that directly impact a company and have resonating long term effects. For example, a rise in the inflation rate of any economy would affect the way companies’ operations and services are rendered. Adding to that, it would affect the kind of activities the organization can handle. Economic factors include inflation rate, interest rates, foreign exchange rates, economic growth patterns etc. Participants analysed how economic activities affect environmental and human rights defenders' security. The defenders advocate for environmental protection and justice and create awareness against profit organizations that strive to maximize their profits while neglecting people’s rights. This creates a hostile situation between them as the profit organizations view them to be blocking their path to riches. Therefore, they use their multiple resources to get them out of their way. The organization should therefore ensure that it analyses the economic factors properly before venturing into any projects to find out what kind of corporates they will be going against.

Socio-cultural
These are threats emerging from traditional norms and cultures which vary from one culture to another or one county to another based on the prevailing cultural norms. Most religious leaders support CBO’s bid for human rights as their moral and religious responsibility to the nation. Their value for human life and their rights and freedom makes them support CBO’s bid in ensuring that these fundamental rights and freedom are upheld.

Mr. Patrick emphasized that the most important interest of public litigation should be the creation of awareness and community mobilization; the court case should only be a small component of the issue. This enables the community to move forward and cope in case the judge rules against them due to the knowledge they have gained from awareness and mobilization. CJGEA must strive to have a very strong and supportive relationship with the community to promote their continued partnership through dark times. The good relationship will enable the community to notify them of any planned attack or threat that they hear which is directed towards the organization.

The socio-cultural aspect concluded by noting that security incidents represent the minimum unit of security measurement. In addition, a discussion was done on how to deal with security incidents through three stages:
• Registering the security incidents
• Analyzing the incidents
• Reacting to the incidents

Technological factors
These factors pertain to innovations in technology that may affect the operations of the organization favourably or unfavourably. This refers to automation, research and development and the amount of technological awareness that the organization possesses. Among the threats that can come with technology is misuse of information, which can have catastrophic impacts on the organization. The organization should therefore, for example, have a data protection law before giving out all (biometric) data to ensure that no risks are associated with the data/information we share out there.

Legal factors
These factors have both external and internal sides. There are certain laws that affect the organization's operating environment in a certain country while there are certain policies that companies maintain for themselves. Legal analysis takes into account both of these angles and then charts out the strategies in light of these legislations. A good example of the legal factors that affect the organization and its work may include the introduction of the Public Order Act, which is on picketing, whereby the law requires the person who calls for a demonstration to be liable for any form of destruction of property that may take place during the demonstration. Other laws include the blatant refusal by the government to implement the 2013 Public Benefits Organizations Act that could seriously improve the work of civil society actors, the Cyber Crimes Act and the Huduma Bill. The government therefore should be privy to the legal factors that can affect the work in the organization.

One important issue that came up was the lack of environmental judges in the country, an issue that greatly affects how environmental litigation suits are carried out. It is important for the state to have environmental law as one of the branches of law that will be studied by law students who want to specialize in environmental issues. This would ensure that there is the availability of judges with legal knowledge and capacity to preside on environmental litigation suits. In the meantime, it is important that CJGEA involves judges in their environmental awareness campaigns to build their capacity on environmental matters.

Environmental factors
These factors include all those that influence or are determined by the surrounding environment. This aspect of the PESTLE is crucial for certain organizations and industries, particularly for example tourism, farming, agriculture etc. Factors of a business environmental analysis include but are not limited to climate, weather, geographical location, global changes in climate, environmental offsets etc. There exist several environmental factors that are a security threat or create opportunity for security of the organization. Things like floods and too much rainfall are capable of destroying the organization's assets like CCTVs. Also, most of our work as an organization takes us to the field to interact with the communities one on one, hence bad weather conditions like heavy rainfall might hinder the successful implementation of our projects. The organization must therefore conduct a thorough environmental analysis before conducting any activity. There are many templates available for companies to conduct PESTLE analysis. Many organizations have provided information regarding their PESTLE analysis as case studies available on the Internet.

Important to note on PESTLE Analysis
1. Each county has a unique security context. It is therefore very critical for the organization to conduct a comprehensive PESTLE analysis in each county they intend to expand their work to before implementing any projects in those areas. This will ensure that they understand the different security contexts in those places in relation to the PESTLE analysis. For example, currently most CSOs in Kenya are dead as they identify with the government and tend to support all its policies whether retrogressive or not since the president is from the region and they would not want to antagonize his leadership.
2. The organization should consider greatly the option of expanding in phases as opposed to doing it at once in all the 47 counties. This is because the strategy of expanding once horizontally is very dangerous and not practical especially for an organization like ours which is not receiving huge donor funding. It is also not the best strategy to employ as there have been unpleasant experiences with the other NGOs that tried that in the past. The organization should consider expanding in five counties at a time and establishing their base firmly before expanding further.
3. Anything that depends on mutual relationships without financial support is very fluid and therefore the organization should never fully put their hopes in such relationships but should always be cautious and watchful of such agreements.
4. Different personnel at the organization will be targeted differently. For example, the threats that will be levelled against the BOD will be different from the ones levelled against the staff, especially the Executive Director.
5. A PESTEL analysis should go in line with the risk assessment and a stakeholder analysis.
6. The organization should always have a backup or plan B whenever a disaster strikes.
7. For purposes of prevention, a PESTEL analysis is very important.

STAKEHOLDER ANALYSIS
A stakeholder analysis is a process of identifying these people before the project begins; grouping them according to their levels of participation, interest, and influence in the project; and determining how best to involve and communicate with each of these stakeholder groups throughout.

The purpose of stakeholder analysis
1. To enlist the help of key organizational players - By approaching company influencers, executives, or valuable stakeholders for help early in your project, you can leverage the knowledge and wisdom of these key players to help guide the project to a successful outcome. Enlisting these players early on will also increase the chances you will earn their support for your project. But before you can determine which influencers and other key stakeholders to approach, you’ll need to conduct a stakeholder analysis.
2. To gain early alignment among all stakeholders on goals and plans - Because your stakeholder analysis will help you determine which people to involve in the project, you will then be able to bring these people together for a kick-off and early-stage meetings to communicate the project’s strategic objectives and plans. This will help ensure everyone starts the project with a clear understanding of what success will look like and how they can contribute to that successful outcome.
3. To help address conflicts or issues early on - Without a stakeholder analysis, you and your team could be well into a company project before you realize a key person in your organization, perhaps an executive, does not see the value of your initiative, or would prefer to redeploy some of your resources to other projects. Such a person might actively work to thwart or derail your project. If you had conducted a stakeholder analysis before you began, you would have likely identified this executive as potentially important to your project’s success. You could have then presented your plan to the executive, listened to their objections, and worked to earn their approval to proceed.

Why the organization should conduct a stakeholder analysis
Conducting a stakeholder analysis can be strategically valuable when kicking off any type of complex organizational undertaking. The more stakeholders you can identify early on and the more you can tailor your communication to win approval and support from the various types of stakeholders, the more likely your project is to succeed.

How to conduct a stakeholder analysis
Step 1: Determine who your stakeholders are
Start by brainstorming with your team a list of all possible stakeholders for your project. You can reduce this list later, but you don’t want to miss a potentially pivotal stakeholder at this early stage.

Step 2: Group and prioritize these stakeholders
After you’ve completed your brainstorming session above and determined which people and teams will indeed be stakeholders, you should start categorizing them in terms of their influence, interest, and levels of participation in your project. One example of how to do this is by using the power/interest grid.

• High power, high interest: These are your most important stakeholders, and you should prioritize keeping them happy with your project’s progress.
• High power, low interest: Because of their influence in the company, you should work to keep these people satisfied. But because they haven’t shown a deep interest in your project, you could turn them off if you over-communicate with them.
• Low power, high interest: You’ll want to keep these people informed and check in with them regularly to make sure they are not experiencing problems on the project.
• Low power, low interest: Just keep these people informed periodically, but don’t overdo it.

Another approach, popularized in mapping out strategic success, groups stakeholders into four different but similar categories:
• Players: These are the high-power, high-interest individuals with whom you will want to collaborate and keep fully engaged.
• Subjects: These are the low-power, high-interest stakeholders who can offer great insights and ideas for the project but whom you don’t need to always say yes to.
• Context-setters: These high-power, low-interest stakeholders (heads of departments, for example) can have a lot of influence over the project but don’t want to be involved in the details. Keep them up to date.
• Crowd: Finally, the low-power, low-interest stakeholders are called the crowd. These individuals will require some ongoing communication about the project’s progress but probably the least of all stakeholders.

Step 3: Figure out how to communicate with and win buy-in from each type of stakeholder
Once you’ve built your list detailing which stakeholders fall into which category, it’s time to think strategically about how best to earn the on-going support of each of these stakeholder types. You will want to ask yourself questions about your stakeholders such as:
• What motivates this stakeholder?
• What other priorities do they have, and how can we align our project with those priorities (or at least ensure the project won’t threaten them)?
• Will this stakeholder likely have a positive view of our project? If not, what can we do about it?

Stakeholder analysis in the context of the organization (CJGEA):
It is important for CJGEA to know its supporters, what kind of support they give, their interest in the organizational work, the work they engage in and their relationship with other organizations. Stakeholder analysis will enable the organization to classify its stakeholders based on the kind of support they give and their capacity. This makes it easier for the organization to know the specific stakeholder to go to for certain support and how much they can offer towards the organization. Three classifications of stakeholders the organization should prioritize include primary stakeholders, duty-bearer stakeholders, and key stakeholders. Primary stakeholders were classified as the environmental and human rights defenders and the people that they work with. Duty-bearers are those responsible for protecting the EHRDs and this is the responsibility of the Kenyan government, which cannot be excused in this critical mandate. Finally, key stakeholders are those that can influence the protection of EHRDs and organizational personnel.

Important to note
i. Company/organization projects require participation, guidance, and approval from a wide range of people across the organization. If they don’t understand or agree with the project’s objectives or execution plan, any of these company stakeholders can become obstacles to the project’s success.
ii. If you enlist the help and approval of your stakeholders early on, you can turn many of these individuals into avid supporters of your initiatives. This is why it is a smart strategy to conduct a stakeholder analysis before launching any complex company project, to identify all potential stakeholders and determine how best to earn their support.
iii. It was noted that the organization should have as many stakeholders as possible to be their allies to be able to counter risks as they come, as the organization will have strong backup support.
iv. It is also very important for the organization personnel to be able to keep their families out of their work or prepare them early enough on the kind of work they are involved in. This will help protect them, as when stakeholders who are your adversaries are unable to reach you, they go through your closest relatives to get to you.
v. Stakeholder analysis is very critical for the organization to identify its allies and adversaries. Therefore the following four steps should remain critical in stakeholder analysis.
  - Identifying the wider protection issue
  - Who are the stakeholders?
  - Analysing the stakeholders’ characteristics and particular attributes, such as responsibilities in protection, power to influence the protection situation
  - Investigate and analyse relationships between stakeholders
vi. At any point when the organization's personnel are in the field, they are supposed to be able to master their environment so well and mark all the places they visit and people they come across. This will help in rescue operations in case of any attacks on them and help in connecting the dots.

EXERCISE: PESTEL AND STAKEHOLDER ANALYSIS
This exercise involved choosing any security incident or event which the participants thought could affect their personal or organizational security. (25 mins)
The formula: Risk = (hazard x vulnerability) / capacity
The exercise followed the four critical steps that are necessary for stakeholder analysis.

Saturday October 19

I. Introduction
The session began at 8:30 A.M. with the registration of the participants for the day. This was the last day of the training according to the time frame.

Recap of the previous day
The session began with Mr. Patrick conducting a recap of the previous day: What do you remember from yesterday, and how did you feel? The following were some of the most important topics the participants remembered from the previous day.
• Importance of collaboration with other like-minded organizations
• PESTEL analysis
• Stakeholder analysis
• Importance of running the organization in compliance with the required procedures, like filing of taxes
• Importance of differentiating between allies and adversaries
• The security tips; how to analyse the political situation
• Yesterday was good for everyone's understanding of what EHRDs go through, and how we should protect ourselves
• Contingency plan (tell close people about what you are doing and the risk involved); CJGEA expansion and the location-based risks. Context is super important
• Risk = (hazard x vulnerability) / capacity
• Differentiation between vulnerability and risk; what is an asset
• Whoever your perceived enemy is, they will pick up on your weak points

Discussion on exercise of security analysis
From the discussions on PESTEL and stakeholder analysis, we found that certain opportunities exist for the organization. Some of them are listed below.

Political: An opportunity was found to exist here in that government agencies like NEMA can boost the work of the CSOs by helping to implement or address some of their concerns. A good case scenario is the Lamu coal power plant, where NEMA has cancelled the EIA license for building the coal power plant and suspended operations altogether.

Economic: The existence of CJGEA as an organization led to awareness of lead poisoning in the Owino Uhuru community, where the industry was poisoning the residents with the heavy metal. The existence of the industry thus gave rise to CJGEA, which now advocates for environmental rights.

Social/cultural: Religious leaders support CSO work as they defend people's rights, something that church leaders identify with.

Conclusion of security analysis
The main take-away is that we do not operate in a vacuum, and that we don't have control over the (entire) environment. We need to develop a plan to mitigate some of the challenges we might be facing.

SECURITY INCIDENTS
A security incident is defined as any fact or event which you think could affect your personal or organizational security.

Importance of security incidents
• Feedback: vital information about the impact of your work
• Warning: possible action which may be planned or carried out against you
It is important to become aware of security incidents so that appropriate measures can be taken.

Dealing with security incidents
1. Register them: there must be a register of security incidents that goes beyond just a superficial recounting of the experience.
   a. Security should be a shared responsibility, not just for the Executive Director, for example.
   b. All threats are security incidents, but not all security incidents are threats.
2. Analyse them
3. React to them

RISK ASSESSMENT
A risk assessment is the combined effort of identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. risk analysis); and making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e. risk evaluation). A risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events.


Creating scenarios on risk assessment exercise
In two groups, we filled in the risk assessment template below with the following scenarios and thereafter brainstormed and discussed each scenario with regard to the risk assessment template.
Scenario 1: What kind of security incidents do you think will occur in our work?
Scenario 2: What will make it more likely that the organization or a member of CJGEA will suffer an attack or experience hostility?
Scenario 3: What are the strengths and resources a group or an HRD can access to improve their security and/or survive an attack?

Risk assessment template

Some of the results from the exercise
1. Risk in Kilifi: Breaking into the office
   a. Probability: moderate
   b. Severity: major
   c. Who may be harmed and how? The staff, if present; the organisation in general, as it will lose the data we have, which may affect the running of the programs.
   d. What action are we going to take? Increase security, e.g. by security guard, install an alarm system, if possible an electric fence
   e. Is it enough? What else can we do? We can periodically review the security systems in place; we can also come up with a comprehensive security plan
2. Risk in Lamu: zone prone to terrorist attacks; we might get in the line of attack during fieldwork
   a. Probability: moderate
   b. Severity: catastrophic, risk of losing life
   c. Who may be harmed and how? Staff and the community we are working with; physical harm, losing raw data
   d. What action are we going to take? We should be accompanied by security personnel; we can assess the current security status before we go
   e. Is it enough? What else can we do? We can continue working on relationships with local organisations (e.g. Save Lamu), so that we can conduct our research through them.
3. Risk in Nairobi County: sabotage in terms of providing vital information
   a. Probability: moderate
   b. Severity: major
   c. Who may be harmed and how? The organisation, in that we cannot access important information. We will fail to meet our objective
   d. What action are we going to take? We can seek prior permission; we can rely on other legal and institutional measures (such as the ombudsman)
   e. Is it enough? What else can we do? Prior sensitisation; we can use media for accountability
4. Risk in Kisii County: Threat of eucalyptus trees being cut. The community might be hostile towards the centre because of the endangering of investments
   a. Probability: moderate
   b. Severity: major
   c. Who may be harmed? EHRDs on the ground. The community, if this continues and drought results
   d. What action are we going to take? Alternative measures, such as different tree species they can plant for water retention; we can work closely with key community leaders for smooth entrance into the community
   e. Is it enough? What else can we do?
5. Risk in Turkana County: unfavourable weather conditions (too dry); on top of that, poor transport and communication infrastructure; different cultural reality on the ground
   a. Probability: moderate
   b. Severity: major
   c. Who may be harmed? EHRDs; our data
   d. What action are we going to take? Access the community to learn their culture; mobilise more funds

TYPES OF THREATS
A threat is a potential act that may result in harm or injury, or loss of or damage to agency, property or programme. The following are types of threats:
• Probable (indirect threat): when a defender close to your work is threatened and there is reason to believe you might be next
• Declared threat (direct): a declaration or indication of an intention to inflict damage, punish or hurt, usually in order to achieve something


Threats always have:
• A source
• An objective (linked to impact)
• Means of expression

Assessing threats
1. Establish the facts surrounding the threat(s)
2. Establish whether there is a pattern of threats over time
3. Establish the objective of the threat
4. Establish who is making the threat
5. Make a responsible conclusion about whether or not the threat can be put into action

Important to note
• While the security of those we protect depends on our safety, it is important to train them on how to protect themselves too.
• If there is no security for HRDs to undertake their legitimate work, then there will be no effective protection for the rights of anyone.

AGGRESSION
An aggression is the culmination of conflicts, disputes, threats, security incidents and mistakes which can be traced over time. Aggression is the product of 3 interacting factors: a suitable setting, background and triggers, and a party that takes violent action.

Preventing and Reacting to Aggressions
There are several ways of dealing with aggression:
a. Confront the aggressor
b. Explain to the aggressor the political cost of his action
c. Seek effective protection: armed protection, community protection
d. Limit exposure closer to zero

OTHER COPING STRATEGIES
1. Reinforcing protective barriers, e.g. if we suspect an office/house or meeting venue will be attacked, we can increase the number of security guards as well as hide valuables (e.g. information, documents etc.).
2. Avoiding behaviour which could be questioned, e.g. in a curfew situation.
3. Looking for appropriate protection from one of the actors.
4. Suspending activities, closing down the office, evacuating.
5. Forced migration (internal displacement or as refugees) or going into exile.
6. Relying on "good luck" or resorting to "magic" beliefs.
7. Becoming more secretive, including with colleagues; going into denial by refusing to discuss threats; excessive drinking, overwork, erratic behaviour.

Coping in a physical sense
One can cope in a physical way through deterrence, delaying, detection, and incidental assessment and response procedures.


Summary on aggression
• Aggression is the culmination of a process which definitely includes security incidents, maybe threats.
• Aggression is not an "unexpected" event.
• It is not easy to aggress popular HRDs, as they are public figures and enjoy some kind of support and protection from the public.
• An aggression requires adequate resources and capacities, access to the individual, a quick escape and a certain level of impunity, or the decision by the aggressor that it is worth the political cost.

SECURITY PLAN
A security plan is vital for every organization, and the following template and points could guide CJGEA in coming up with a comprehensive security plan in future. Once risk assessments have been completed, it is possible to plan security policies and controls to minimize the realization of risks.

Components of a security plan
• Reducing the level of threat
• Reducing vulnerabilities
• Improving capacities

Security template


Communicating risks
The figure below best illustrates how one can communicate risks.

CONCLUSION
The training came to an end at around 2:10 p.m., when everyone was given a chance to give their feedback on the training. Each participant gave their review of how they felt about the training and how what they learnt from the teachings would impact their physical security. These reviews from the participants have been documented in the internal monitoring and evaluation report, which was conducted immediately after the training at CJGEA offices. Tom, the programs officer, gave the vote of thanks and encouraged all the participants to put into action whatever knowledge they managed to grasp from the training to help improve their security situation and that of the organization in general. The trainer gave a parting shot that our physical security should be our main concern as an organization, and hence we should at all times carry ourselves with caution to keep unnecessary physical security threats from reaching us. This, he noted, would go a long way in ensuring that the organization and all its personnel are protected from physical security threats, and that even if by chance any threats did get to us, we would be ready to tackle them accordingly without plunging into panic mode.

Pictures of the training
