What we have here is a failure to communicate.
Security training and awareness campaigns too often fail to change user behavior in any meaningful way, putting both the user and the organization at risk. The solution, experts say, is better security analogies.
Information security is an abstract and unintuitive discipline that frustrates and baffles non-technical humans. Attempts to train lay audiences in security best practices commonly involve security analogies that either do not engage and motivate, or that users take too literally.
"The assumption we make is that if we give people information, if we educate people on their roles and responsibilities, people will process that information in a logical way," says Bruce Hallas, the founder of the Analogies Project, which collects useful security analogies. "This isn't the case....in the heat of the moment, in a situation they are not familiar with, they will make an irrational choice even though they know they should be complying [with policies and procedures]."
Red teamers know that hacking the human is the easy way in, and a targeted, well-crafted spear phishing campaign is almost guaranteed to succeed. Security trainers on blue team duty need to play the same game in reverse, experts suggest, and use targeted, well-crafted security analogies to build those internal mental defenses. That way strong security habits will kick in when users are under pressure.
Better security analogies can improve training outcomes
The worse the security news, the more infosec pros tear their hair out, the more the muggles yawn and wonder what the fuss is all about. This failure to communicate results in bad outcomes for the enterprise, for society, for politics, for everyone. The stakes are high, and the solution, John Pollock says, almost certainly lies in better analogies.
"Analogies matter," he says. "The analogies we use have a big impact on outcomes, both positive and negative." Pollack, a former presidential speechwriter for Bill Clinton, is the author of Shortcut: How Analogies Reveal Connections, Spark Innovation, and Sell our Greatest Ideas.
The communications barrier security professionals face is not unique, even in recent history, he says, and we can learn a lot from how Steve Jobs used analogies. "Before Jobs introduced the Mac in 1984, computers were alien and inaccessible to the vast majority of people," he points out. "Steve Jobs used the analogy of the desktop, and friendly digital icons of tools that people already knew how to use — documents, folders, scissors, trash cans, and so forth....and that interface suddenly enabled millions of people to use computers."
Jobs didn't invent the analogy, of course. Xerox PARC did, but Jobs recognized the potential of the analogy and used it to design the first commercially successful personal computer with a desktop interface: the Apple Macintosh.
"If you look at all the major breakthroughs in history," Pollack says, "the guiding light is analogy. My guess is that this will prove to be true in the realm of cybersecurity."
Hallas thinks so too, and says that targeting security analogies to your audience is key.
Target security analogies to your audience
The librarians weren't getting it, Hallas says. Why should we care about backups? What's the big deal? Why all the fuss? That's when, he says, the security trainer pulled out the big guns: an analogy that would get their attention, was targeted to the audience, and motivated the audience to care.
The Library of Alexandria, the trainer said, was one of the great wonders of the ancient world, and all was lost because the library didn't have backups. Jaws dropped open. The librarians got it. That's the power of analogy, Hallas says.
Every audience is different, though, he says, and instead of fretting over finding the perfect analogy for everyone, it's far more useful to try different analogies until you find the ones that click with your audience. "I think sometimes when we look at analogies and metaphors, we are looking for something that is completely accurate," he says, "when sometimes what we really want is to open the door."
However, once that door is open, Pollack warns, it's important to emphasize the shortcomings of any given analogy to prevent that analogy from being taken too literally, which can result in even worse outcomes.
Use more than one security analogy, and emphasize their limitations
No analogy is perfect, and taking any analogy or metaphor too literally will turn out badly. Pollack cites the example of the "three strikes and you're out" mandatory sentencing guidelines common in the U.S. criminal justice system, which puts many non-violent offenders behind bars for life.
"People were seduced by a bad analogy," Pollack says. "It was very appealing. After all, baseball is a fair game, everyone plays by the same rules, everyone's errors are accounted for."
As a result, the U.S. now has the largest prison population in the world. "And so we have to revisit the analogy," Pollack argues. "Why should the game of baseball be the model for sentencing policy? The outcomes of games don't depend on a player's ability to hire a good lawyer. And in baseball, isn't stealing admired and rewarded?"
Analogies are meant to enlighten, he says, but should not be taken as gospel. That's why training audiences to think critically about analogies is as important as finding the right security analogies for that audience. One way to do that is to use multiple security analogies at the same time.
Hallas's Analogies Project is doing that just by collecting analogies, metaphors and stories that help enlighten non-technical audiences about information security. "One of the things about the Analogy Project is to get as many people as possible finding security stories in everyday life around them," he says. "Is [a given analogy] an accurate reflection of information security? Does it matter? Now you've got their attention. That's a real problem we face, just getting attention."
Is your security framework like a smooth saloon car or a 4x4? Is a data breach like "Waiting for Godot?" Are hackers like vampires? These are just some of the many examples Hallas has collected as part of the Analogies Project. One of his favorites, he says, is the analogy of Swiss banking, which speaks to the importance of ensuring confidentiality of data.
A client once asked him, he says, "Can you give me any evidence where confidentiality has led to prosperity?" In response, Hallas gave the example of Switzerland's strict banking privacy laws.
"The importance of confidentiality to individuals, businesses and even nation states has been recognised and capitalised upon by Switzerland and its banking sector," Hallas writes. "This happened long before the internet came into existence and cyber security become recognised as an issue."
Whatever analogies you use, if it prompts your audience think more critically about information security, then it can only help, Hallas says.
Pollack agrees. "Try multiple analogies to get different points of view on the same problem," he says. Also ask, "What about the analogy isn't true? What are its relative strengths and weaknesses? No analogy is going to be a perfect fit."
A widespread lack of communications skills among security professionals hamstrings this strategy, however.
Security trainers, more empathy, please!
Security professionals tend to come from strong technical backgrounds, with less experience in people management and other "soft skills." However, since security training has the potential to increase an organization's security posture significantly, Hallas wonders aloud if the way we educate and certify security professionals may be flawed.
"I think it's quite interesting what Facebook's CSO [Alex Stamos] said at Black Hat last year," Hallas says. "He highlighted the need to be more empathetic as an industry with our target audience. We need to have more empathy to ensure that we engage more effectively with our audience. That was quite telling."