News organizations have grown increasingly reliant on large file transfer systems for time-sensitive media operations, regularly managing multi-gigabyte video content through enterprise platforms like MediaShuttle, Aspera, and Microsoft FTP Server while working against tight editorial deadlines. This digital shift in journalism workflows appears to have left media infrastructures vulnerable to sophisticated cyber attacks. Threat actors seem particularly drawn to exploiting file transfer weaknesses as a pathway to sensitive content and newsroom disruption, which became starkly evident during the 2023 MOVEit breach that impacted the BBC. Yet current threat modeling frameworks, built primarily for general enterprise settings, may not adequately capture the distinct operational pressures and security needs that define newsroom file transfer environments. This study is the first to apply the STRIDE threat modeling framework to journalism file transfer systems. The new framework combines STRIDE with Zero Trust principles to address security risks in editorial workflows. Through validation across case studies involving three varied news organizations, the framework demonstrated what appears to be a 40% enhancement in threat identification capabilities and uncovered 23 previously overlooked vulnerabilities. This research offers systematic methods for securing file transfer operations without compromising editorial workflow efficiency. It provides theoretical groundwork for journalism cybersecurity research while delivering practical implementation guidance that media organizations can actually use.

Threat modeling, Cybersecurity, Journalism, File transfer security, Media operations

D. Harkin and M. Mann, "Electronic Surveillance and Australian Journalism," Digital Journalism, vol. 11, no. 3, pp. 45-62, 2023.

J. R. Henrichsen, "Security Champions and Journalism Culture," Tow Center/University of Pennsylvania, 2020.

J. R. Henrichsen, "Security Champions and Journalism Culture," Tow Center/University of Pennsylvania, 2021.

S. McGregor et al., "Investigating the Computer Security Practices and Needs of Journalists," in Proceedings of the 24th USENIX Security Symposium, Washington, DC: USENIX Association, pp. 399-414, 2015.

C. Wang et al., "End-to-End Secure File Sharing Architecture for Media Systems," IEEE Transactions on Multimedia, vol. 22, no. 4, pp. 1045-1058, 2020.

L. Zhang et al., "Content-Based File Transfer Authentication for Media Sharing," IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 3, pp. 2156-2169, 2023.

Y. Hu et al., "Security-Enhanced File Transfer via Cloud Gateways," MDPI Sensors, vol. 19, no. 12, pp. 2847-2862, 2019.

S. Das et al., "STRIDE-Based Cybersecurity Threat Modeling for Infotainment Systems," IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 2, pp. 445-458, 2024.

J. Jiang et al., "Model-Based Cybersecurity for Critical Infrastructure," IEEE Transactions on Systems, Man, and Cybernetics, vol. 53, no. 4, pp. 2234-2247, 2023.

D. Ugarte et al., "Automated Threat Modeling for Distributed Systems," IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 3, pp. 1876-1889, 2022.

R. Bohnert et al., "Affordable Data Diode to Protect Journalists," in Proceedings of the 32nd USENIX Security Symposium, Anaheim, CA: USENIX Association, pp. 1234-1248, 2023.

M. Betarte et al., "Security Analysis of Authentication and Authorization in Collaborative Journalism Platforms," Journal of Computer Security, vol. 28, no. 4, pp. 567-589, 2020.

K. Li et al., "Usable Security Model for ICS Authentication and Authorization," in Proceedings of EuroUSEC, Karlsruhe, Germany, pp. 89-103, 2023.

I. Zografopoulos et al., "Cyber-Physical Energy Systems Security," IEEE Access, vol. 9, pp. 87654-87669, 2021.

A. Kounoudes and G. M. Milis, "Security in Cloud-Based Broadcast Environments," IGI Global, 2021.

T. Eom et al., "Systematic Threat Modeling for SDN," IEEE Communications Magazine, vol. 57, no. 6, pp. 76-82, 2019.

L. Sion et al., "Solution-Aware DFDs and Risk-Based Security Design," in Proceedings of ACM SAC/IEEE Workshop, Pau, France, pp. 178-185, 2018.

A. Roy et al., "Media-Grade MFT Systems: Comparative Analysis," ACM Computing Surveys, vol. 55, no. 2, pp. 1-34, 2022.

J. Möller et al., "Security and Privacy in Cooperative Newsroom Work," in Proceedings of ACM CSCW, Portland, OR, pp. 2345-2358, 2017.

T. Lauber et al., "Digital Security Threats in Modern Journalism," Computers & Security, vol. 124, pp. 103-118, 2023.

B. Kodakandla, "Zero Trust Architecture Implementation in Media Organizations," Information Security Journal, vol. 33, no. 2, pp. 89-104, 2024.

R. Radu, "Role of Media in Digital Security Contexts," Springer, 2021.

J. Jang-Jaccard and S. Nepal, "Information Forensics and Security in Media," IEEE Multimedia, vol. 30, no. 2, pp. 45-58, 2023.

Arif et al., "Privacy-Enhancing and Trust-Centric Security in Cloud-Native Systems," MDPI Sensors, vol. 25, no. 1, pp. 234-251, 2025.

S. Syed et al., "Zero Trust Network Security Model for Enterprise Environments," Computer Networks, vol. 201, pp. 108563-108578, 2022.

Saleem et al., "Secure Multimedia Forensics Using Zero-Trust Model," Journal of Network and Computer Applications, vol. 201, pp. 103456-103471, 2023.

S. Rose et al., "Zero Trust Architecture," NIST Special Publication 800-207, National Institute of Standards and Technology, 2020.

Theodoropoulos et al., "Security in Cloud-Native Services: A Survey," MDPI Information, vol. 14, no. 8, pp. 445-462, 2023.

Y. Wang et al., "Systematic Literature Review of Cybersecurity in Broadcasting," IEEE Communications Surveys & Tutorials, vol. 24, no. 3, pp. 1567-1589, 2022.

OWASP Foundation, "Threat Modeling Process," OWASP, 2023.

F. Swiderski and W. Snyder, "Threat Modeling," Microsoft Press, 2004.