Do we need a new language to describe cybersecurity?
The English language has changed in recent years to be more inclusive of a variety of groups. Some say those changes reflect our increasingly diverse society; others say the words we use help to create that diversity.
Language matters, we now know. The words we use not only reflect our perceptions of the world, but may shape it, as well: How we say something can be as important as what we say.
Aboriginal Australians, for instance, use directional terms such as “north” and “southeast” instead of “left” and “right.” They are said to have a sense of direction as good as any compass. Equatorial people whose language offers no distinction between “blue” and “green” have been found to see no difference between the two colors. And so on.
“Language uses us as much as we use language,” feminist scholar Robin Lakoff wrote in her 1973 essay, “Language and Woman’s Place.” Is this true in cybersecurity, as well? Perhaps we ought to examine the terminology our profession uses, and ask whether it helps us to achieve our goals.
“Zero-day attack.” “Kill chain.” “Black hat.” “Advanced persistent threat.” These and other cybersecurity terms, with their connotations of armed conflict, can make the digital world feel like a scary place, even for those in the profession.
Exclusion vs. inclusion
Journalist Elizabeth Segran blames cybersecurity’s “adversarial language of attack and combat” at least in part for the paucity of female cybersecurity professionals — fewer than 10 percent of college graduates in the field are female, she writes.
And if cybersecurity’s military-style language alienates women in the profession, isn’t it likely that “civilians” — everyday users of digital devices — feel the same effect? If so, that’s a problem. Because for cybersecurity to work, we need users to feel engaged, not estranged.
The language of battle is, by design, powerful, aggressive and intended to instill fear in the enemy — which it doesn’t seem to do. Cyber criminals seem undeterred by talk of “brute force attacks,” “firewalls” and “insider threats.”
Computer owners are often the ones feeling intimidated — in part, perhaps, because of the language we use. Losing one’s “identity” can sound a lot like annihilation, one of our most basic, instinctual fears.
None of the biological responses to fear — “fight,” “flight,” or “freeze” — necessarily helps us to take rational, informed security measures such as opening email attachments with care, or declining to do our banking on a public Wi-Fi network.
At least one study reports that fear and the stress it brings can cause a person to reject a threat altogether, or to deny that it exists. Is this what we want?
All for one, and one for all
For truly effective cybersecurity, we need people to engage, not disengage — to take an active role in protecting the security and privacy of not only their own devices and data but also of every site they log onto, every contact in their social media accounts, and every person on their contact lists. To this end, those in the cybersecurity profession might consider developing a new, inclusive, “all for one, and one for all” language, one emphasizing personal responsibility and a sense of community.
Cybercriminals seem to have figured this out. A hackers’ glossary reveals a playfulness with language that inspires the creation of new words and terms exclusive to the group, the verbal equivalent of the “secret handshake” at the clubhouse. “Rain dance,” “rubber ducky,” even “angry fruit salad” and “spinning pizza of death”: Compare these hacker phrases with cybersecurity terms such as “adversary,” “attack” and “advanced persistent threat.”
How did cybersecurity acquire its militaristic lingo? The earliest computer networks were developed to warn the government in case of impending nuclear attack, scholar Tung-Hui Hu points out in his book, “A Prehistory of the Cloud.” In those days, using the language of war must have seemed natural.
Today, though, the Internet serves many functions, many of them business-oriented or personal. Our security concerns are more widespread, as well. Effective information security relies on the vigilance and cooperation of all Internet users, and may, in turn, call for a new, inclusive language, one emphasizing cooperation over conflict, flexibility over firewalls, and creativity over rigidity. In short, we need to speak in human terms, not military ones, using what may be the most effective persuasion technique available: storytelling.
Wired for story
Our brains thrive on stories, for reasons as much to do with survival as entertainment, writes Lisa Cron, author of the book “Wired for Story.” Stories help us not only to avoid past mistakes — ours and others’ — which certainly helped us to evolve, but they also can motivate us to behave in certain ways.
“Story or narrative takes those big ideas, abstract concepts, dry facts and translates them into something very specific that we can experience … and that’s what … moves us to action,” Cron said in an interview with a New York state public radio station.
Many people do not take proper cybersecurity precautions such as using strong passwords even though they know that they are supposed to, researchers have found. In other words, cybersecurity’s “FUD” approach — trying to motivate change by sowing fear, uncertainty, and doubt — doesn’t work with consumers.
A new approach
So what can we do to change the language of cybersecurity? One idea: Replace the plodding FUD with the shining STAR model — situation, task, action and results. Instead of sparking fear with talk of “kill chains” and “weaponized content,” this type of storytelling model can provide a framework for new ways of engaging with, and inspiring, secure online behaviors.
We can persuade people to eschew risky behaviors by telling stories that people can relate to. Instead of scaring them to inaction using doomsday terminology and attack scenarios, why not motivate them to action with good, old-fashioned, empowering stories told in language they can relate to?
JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer. Read more from JR Reagan.