[pratheekrebala]

I see your point, however, having worked in newsrooms - it really is about their beat and their threat-model. My organization covers a wide range of beats and folks covering national security or other sensitive topics have an entirely different workflow compared to those covering, e.g. housing.

I think being responsive to their needs and building trust will go much further. Also, designing a one-size fits all model will just mean that your reporters will either ignore the guidance or find a way to work around it.

For instance, the most recent credible threat we have had against one of our reporters wasn't a state-level actor, but rather folks on the internet (trivially) finding their address and doxing/harassing them and their family. No amount of technology hygiene will change the fact that voter registrations are public records.

[wolverine876]

If someone gets access to the housing reporter's systems, that seems a great way to move horizontally or vertically to get access to the other reporter or to the entire organization.

I don't envy your challenge. Security must make it more expensive to the attacker than it's worth. Even the housing reporter's data could be highly valuable; with inside knowledge, someone could make a killing on real estate. The value of the national security beat information is astronomical.

I don't grasp why, with all the news about breaches, reporters still don't care.

[3pt14159]

Well, she wrote about scary stuff. Murderers, etc. Feature stories for one of the few fact checked Canadian magazines left. Some stuff in The Atlantic about politics.

Was she getting leaks from NSA staffers? No. But it does feel kinda silly to me that journalists, generally speaking, have insecure setups by default. But I get it, it's a hard industry to squeeze a living out of these days.

[atatatat]

Not giving the voting record your address of residence sounds like a low tech solution.