Appendix: Survey Methodology

Survey: Exploring Cybersecurity Needs and Tools for Human Rights Organizations

For the purpose of this survey, “cybersecurity” refers to the practices and tools your organization uses to keep its digital systems, data, and communications safe from hacking, surveillance, or other online threats. This includes things like:

• Using secure messaging apps (e.g., Signal, WhatsApp)
• Protecting devices with antivirus or encryption
• Managing strong passwords and two-factor authentication
• Training staff on how to avoid phishing attacks
• Backing up important data securely

For this survey, “cyber incident” means any event that threatens your organization’s digital security, such as the confidentiality, integrity, or availability of digital information or information systems. This includes both successful and unsuccessful cyberattacks, as well as security breaches that may not involve a direct attack. A “cyberattack” refers more specifically to deliberate, malicious actions that cause harm to a system, including unauthorized access, data theft, disruption of services, or damage to systems.

Section 1: About Your Organization

Tell us a bit about your organization as it helps us understand the diversity of experiences represented in the survey.

1. What is your primary role within the organization? (Fill in the blank.)

2. Which region(s) does your organization primarily operate in? (Select all that apply.)

• Africa
• Asia-Pacific
• Latin America
• Middle East and North Africa
• Europe
• North America
• Other:

3. Who do you consider your organization’s most significant cybersecurity threat actor? (Mark only one.)

• Government actors
• Cybercriminals
• Political or ideological groups
• Private companies
• Other:

Section 2: Current Cybersecurity Capacity

These questions explore how your organization currently approaches cybersecurity, which includes your technical capacity, internal support, and training.

4. How would you rate your organization’s technical capacity in cybersecurity? (Mark only one.)

• High (Dedicated technical staff and proactively manage cybersecurity)
• Moderate (Some technical knowledge and can handle basic cybersecurity needs)
• Low (Rely heavily on external support or struggle to manage cybersecurity internally)
• Very low (Minimal technical capacity and are vulnerable to threats)

5. Has your organization experienced a cyber incident (examples include phishing attacks, malware infections, ransomware attacks, data breaches, and insider threats) in the past 3 months? (Mark only one.)

• Yes
• No
• Not sure

6. Has your organization experienced a cyberattack (i.e., deliberate, malicious actions such as phishing, malware, and denial-of-service attacks) in the past 3 months? (Mark only one.)

• Yes
• No
• Not sure

7. How often do you participate in cybersecurity-related workshops or training sessions? (Mark only one.)

• At least once a month
• A few times a year
• Once a year or less
• Never

8. What would happen if you or your team no longer had access to training from external cybersecurity experts? (Mark only one.)

• We would fall behind in security best practices
• We would be more vulnerable to threats
• We wouldn’t know how to choose or use new tools
• It wouldn’t affect us much as we are fully self-sufficient
• Other:

9. What additional support would help you feel more secure in protecting your organization? (Select the top three that apply.)

• More training on using cybersecurity tools
• User-friendly tools
• Multilingual support for tools and documentation
• Direct access to technical experts for assistance
• More financial support for cybersecurity tools
• Access to peer networks for knowledge sharing
• Other:

Section 3: Tools and Discovery

This section focuses on how your organization finds, evaluates, and adopts cybersecurity tools to protect your work and the people you serve.

10. How strongly do the following factors motivate you to look for new cybersecurity tools? (Rate each on a scale from 1 (not at all motivating) to 5 (extremely motivating). Check all that apply.)

• A recent threat or security incident
• Launching a new project or campaign
• Participation in a training session or workshop
• Recommendation from a peer or partner organization
• Requirements from donors or funders
• Discovery of new tools through media or online platforms
• Change in staff or technical capacity
• Desire to improve or upgrade current security practices

11. How important is each of the following categories when evaluating a new cybersecurity tool? (Rate each on a scale from 1 (least important) to 5 (most important). Check all that apply.)

• Usability
• Cost (free vs. paid)
• Trustworthiness/source of the tool
• Peer reviews or testimonials
• Language/localization
• Technical support availability
• Open source vs. proprietary
• Compatibility with existing systems
• Security features (e.g., encryption, multi-factor authentication)

12. How important are the following sources in helping you discover new cybersecurity tools? (Rate each on a scale from 1 (least important) to 5 (most important). Check all that apply.)

• Social media
• Online searches
• Recommendations from peers/partners
• Attending trainings/workshops
• Community forums/listservs (e.g., Association for Progressive Communications, Access Now)
• Newsletters or blogs

13. How do you determine whether a cybersecurity tool is trustworthy before using it? (Select the top two that apply.)

• It is recommended by a trusted peer, partner, or trainer
• It is open source, and the code is available for review
• It has been reviewed or endorsed by a reputable nongovernmental organization or digital rights group
• It has a clear and transparent privacy policy
• It is developed or supported by a nonprofit or academic institution
• Other:

14. Who is involved in the decision-making process when choosing a cybersecurity tool? (Mark only one.)

• Individual decision
• IT team
• Leadership
• External consultant
• Donor recommendation
• Other:

15. What challenges have you faced while implementing cybersecurity tools on your own or [for your] organization? (Select the top two that apply.)

• Lack of technical expertise
• High cost of tools
• Limited access to tools in my language
• Tools are difficult to configure or use
• Lack of training resources
• Other:

16. How confident are you in your ability to assess the security and trustworthiness of a cybersecurity tool before using it? (Mark only one.)

• Very confident: I can evaluate tools independently and understand what to look for
• Somewhat confident: I can make basic judgments but often rely on others
• Not very confident: I usually depend on recommendations from trusted sources
• Not confident at all: I don’t know how to assess whether a tool is secure or trustworthy

17. How significant are the following challenges your organization has faced when implementing cybersecurity tools? (Rate each on a scale from 1 (not a challenge) to 5 (major challenge). Check all that apply.)

• Lack of technical expertise
• High cost of tools
• Limited access to tools in my language
• Tools are difficult to configure or use
• Limited or no support from tool providers
• Fear of retaliation or surveillance
• Lack of training resources

Section 4: Third-Party Support Models

We’d like your thoughts on the idea of outside organizations helping manage or support your cybersecurity needs, such as trusted nonprofits or technical service providers.

18. Would your organization be open to having a third-party service provider manage your cybersecurity operations (e.g., securing websites, monitoring for threats, managing encryption)? (Mark only one.)

• Yes, we would prefer to outsource cybersecurity management to experts
• No, we prefer to manage our cybersecurity internally

19. How important are the following criteria when evaluating whether to trust and work with a third party to manage your organization’s cybersecurity operations? (Rate each on a scale from 1 (least important) to 5 (most important). Check all that apply.)

• The provider is a nonprofit organization
• The provider has experience working with human rights organizations
• They offer transparent practices and clear accountability
• They do not share data with governments or commercial entities
• They provide services in our local language or region
• They offer free or subsidized support for under-resourced groups
• They allow us to retain control over critical decisions
• They have strong data protection and confidentiality policies
• Recommendations from trusted peers or partners

20. What specific types of cybersecurity support would your organization be most willing to outsource to a trusted third party? (Select the top three that apply.)

• Threat detection and monitoring
• Incident response and recovery
• Tool selection and implementation
• Staff training and awareness
• Secure website or server hosting
• Ongoing system updates and patching
• Risk assessments or audits
• Other:

Section 5: Recommendations and Incident Reporting

This section asks about your interest in receiving tailored cybersecurity recommendations and whether your organization would use a centralized, secure reporting system for digital threats.

21. If there were a secure third-party system to report cyberattacks or threats, would your organization use it? (Mark only one.)

• Yes
• No, we prefer to handle incidents internally

22. How important are the following features to your organization when considering actionable cybersecurity recommendations specifically for nonprofits and human rights organizations? (Rate each on a scale from 1 (least important) to 5 (most important). Check all that apply.)

• Clear, step-by-step guides written in nontechnical language
• Recommendations that are tailored to small or under-resourced teams
• Tools and practices that are free or low-cost
• Guidance on how to prioritize which tools to implement first
• Multilingual materials or region-specific guidance
• Real-world examples or case studies of similar organizations
• Options for direct support or consultation
• Updates when new threats or urgent issues arise
• Printable checklists or quick-reference materials

23. What would make you trust and use a centralized reporting and advocacy system for cyber incidents? (Select the top three that apply.)

• It is run by a nonprofit or civil society–⁠led body
• It provides rapid, expert technical response
• It guarantees confidentiality and protection from reprisal
• It is globally recognized and endorsed by trusted networks
• It includes advocacy or legal follow-up beyond technical support
• It publishes regular reports on trends and threats

24. If a trusted international system for cyber incident reporting existed, how likely would your organization be to use it? (Mark only one.)

• Yes
• No, we prefer to handle incidents internally

Section 6: Final Reflections

A few closing questions, including the option to participate in a follow-up interview or be featured in the final research.

25. Would you like to remain anonymous? (Mark only one.)

• Yes
• No

26. Would you be open to being contacted for a follow-up discussion or interview? (Mark only one.)

• Yes
• No

27. If you are open for a follow-up discussion, please provide your contact.

28. Comments or additional insights you’d like to share?