Infosec practitioners cannot operate in a bubble. Often, we are called upon to explain our craft, to the shop floor through to the C-suite. Infosec awareness messages must, therefore, be adapted to fit the understanding of a wide cross-section of people. However, ours can seem a dry subject to non-practitioners, and most of us are not gifted with the art of entertaining. Sometimes holding an audience’s attention can be done through ‘story-telling’ and an ability to simplify complex Infosec issues by relating them to the experiences of our audience.

Tell it like a story

Where an audience is unfamiliar with Infosec, it is necessary to describe Infosec problems by referencing non-Infosec issues that are more familiar to them.

One of the best tools for simplifying is the ability to pull down examples from the non-Infosec world to explain an Infosec idea, in a way that makes problems and their solutions understood by as many as possible. For instance, senior managers may understand Infosec in the context of managing their business and financial risks. Untrained people may better understand two-factor authentication regarding having more than one lock on their front door. Elements of this method include analogy, i.e. comparing the Infosec point to a more widely-known thing, to explain and/or clarify the Infosec point; allusion, i.e. a short analogy, usually based on a single phrase or idea; and sayings i.e. familiar phrases that can help an audience grasp a complex point, (because they can quickly relate a short ‘wise’ phrase being used to the Infosec point being made).

Like a Rolling Stone [1]

The UK-based Analogies Project [2] (its strapline: ‘finding the hidden story in Infosec’) is a great resource of helpful everyday parallels that match Infosec points you may want to put across. Their site (theanalogiesproject.org) is well worth a visit. The very existence of such a specialized site is an indicator of the difficulties of effective Infosec teaching. Perhaps the biggest reason for this is that IT technology developments (and thus the security that follows in its wake) are a very fast-moving vessel
[3].

Do adapt analogies, allusions, and sayings to help you explain things. When used well, they are effective shortcuts to understanding, and often help to introduce humor in a serious subject. The purpose of this piece is to set out some cautionary guidelines, to make quite sure that the choices you make enlighten an audience, without further obscuring your meaning.

Is your comparison clear?

I have a confession: I have been guilty of using allusions and analogies that were not efficient, because a significant percentage of listeners and readers did not quickly understand them, or had to ask what I meant. This is a major fail: Infosec can be difficult enough to grasp without adding another layer of complexity. Unless the analogy, allusion or saying is going to be understood by most listeners/readers, it is best not used. This can be a judgment call, but consider the ages, experience and cultural background of your intended audience.

Overstating the case

Sometimes a clumsy analogy can leave an audience unconvinced and perhaps, miss the valid point you want to make. Take for example the analogy of motor vehicles. It is a promising stream from the everyday world that does seem to parallel certain parts of Infosec, i.e. most people have a car, even though they might not know exactly how it works and might need specialist knowledge to fix it. There is even a promising analogy for the need for Infosec awareness since autos go wrong and, of course, can cause damage and accidents when not handled properly. Also, manufacturers design cars to be safe, but they cannot control the actions of every driver.

Even so, riffing on the seam of analogies from the world of autos can get strained. Consider for instance how car-drivers (unless intoxicated) can see how they are driving, while use of a computer involves risks that are not immediately apparent (e.g. surfing unsafe websites, opening infected messages). Further, most of us cannot trace a direct and personal injury down to a computer, so the motor vehicle analogy can fall flat (unless we move into the domain of the loss of life-supporting services, which opens up the risk of overstatement).

When we turn to personal health, the analogies start out quite promising: computer viruses get their name from biological consequences, and we can also talk about computer health and hygiene. However, the requirement for IT hygiene is more urgent, since the consequences of poor Infosec hygiene may be more immediate.

Old onions

Comparisons change. Let’s consider the meaning ‘defense in depth’. Around twenty years ago, the phrase was closely associated with graphical representations of security ‘onion rings’, each labeled with a countermeasure (e.g. personnel, physical security, etc.) that would when placed together, slow down and hopefully stop attempts to breach security (see example below).


To turn to an analogy from ballistics, such a presentation suggests how materials of different strengths, when placed back to back, can slow down (and ultimately stop) a bullet. More recently, this idea (which I think older Infosec practitioners still find difficult to let go) has become obsolete with the ability of remote attackers to deploy increasingly effective tools to get access to IT systems, via direct or indirect routes. So the concept of having security walls that are bullet-proof has been overtaken by the acknowledgment that just about any IT system can be breached. More recent security frameworks (e.g. the NIST Cybersecurity Framework) put emphasis upon detection, correction, response and, ultimately, the recovery of services. This undermines the onion concept, with its walled layers preventing valuable data from being stolen. The newer security models emphasize speed of recovery over defense, based upon the ability to replicate data and data services. The onion analogy is due an update!

Older furniture

Some years ago, I could engage an audience of office workers with an eye-popping visual demonstrating how many filing cabinets would be needed to hold the same amount of data that could be put on, say, one floppy disk. Such cabinets (and those disks) were a natural part of any office then. Nowadays, they are much rarer. This formerly powerful analogy would be lost on an audience of millennials.

Understanding non-Infosec analogies

It can be tricky when seeking analogies from non-Infosec professionals who need Infosec education and awareness training. You may understand Infosec principles well, but only have a cursory understanding of the skills of the specialists from whom you are drawing the analogy. For instance: C-suite executives may have different ways of describing risk assessments that are not specific to Infosec, while skilled practitioners of non-Infosec activities may strain to appreciate your imperfect grasp of their craft (and may not be slow to point this out!) In such cases, an incomplete knowledge of the audience’s skills (and of their cultural experience) may be counterproductive.

Conclusion

Using a range of non-Infosec allusions can be a highly effective way of getting security understanding over to a non-security audience. It is worth creating your own ‘tool chest’ of practical anecdotes and experience, which can be drawn upon to meet their needs.

However, audiences differ in their experiences, and a good or bad presentation can depend upon capturing its interest. If the comparisons you chose are not understood, this can obscure the message (or, in the worst case, become a source of humor!). To lessen this risk to an otherwise good security presentation, analogies, allusions, and sayings should be chosen carefully, checked for their appropriateness (and for their shelf-life).

___

[1] Here, I am using a saying, that is possibly based on an allusion!

[2] theanalogiesproject.org

[3] Another allusion (i.e. it is short)