
An axiom long applied to security people is that they are typically engineering oriented and suffer a bit in the communication department. There’s an implied link that security might get broader adoption and be healthier if security communication had more resonance with non-security people. Enter the popular use of the metaphor as meme.

Recently on Pauldotcom, Josh More offered an enticing prize, a ticket to the sold-out DerbyCon, for the best submitted security metaphors. As of this writing (Friday morning), winners haven’t been chosen and the collection hasn’t been shared, although I know at least I’m eagerly awaiting them. The value of really strong metaphors that can be shared got me paying attention to the ones I’ve seen in articles this week, and wanting to help open the question to a larger audience.

Per Wikipedia: Crowdsourcing is a distributed problem-solving and production model. In the classic use of the term, problems are broadcast to an unknown group of solvers in the form of an open call for solutions. Users—also known as the crowd—submit solutions. It would be awesome to increase the body of metaphors available for security conversations, so please feel free to submit them to Josh More, or here. We all benefit from this kind of shared knowledge.

To start your metaphorical juices flowing, here are some common metaphors I hear regularly:

  • The important data for your company is the Crown Jewels.
  • The process of performing a data breach is like gaining physical access to a secured facility: casing the perimeter, identifying the number of guards and what options they have (which will include firewalls, any external-facing computer, etc.), and then making a plan to test behavior patterns (throwing a rock to see the guard response equates to throwing malformed packets at the firewall). And so on.

Some that I have in my repertoire:

  • Anti-virus is like getting vaccines: it’s specific and time-based, and you can still get ill from things that aren’t covered by this particular vaccine.
  • Heuristics are like taking an antibiotic: for some things they’re highly effective, but they’re not targeted at a specific thing and can still fail to make you better.
  • For explaining what it takes to play in the SCAP 1.2 world: this is just like building a brand new smart phone. You need a physical device or platform (the SCAP processing engine), the apps that allow you to do different types of things like patch or vulnerability work (content), and an application store (content repository) to get the apps from, which will shape the user perception of the overall process.

Example in public media (CSO Online) this week:

  • “But I think there is a difference between acknowledging that cyber is a weapon in the arsenal in wartime and acknowledging covert actions like Stuxnet,” he said. “In some ways, it’s the difference between acknowledging that we use high-caliber munitions in battle, and acknowledging we have a covert assassination program.”
  • “Putting a virus into the enemy systems can be like putting sugar in the gas tank of the trucks in a convoy, or decrypting coded communications,” Zwillinger said. “This is just a more modern version of the same thing.”

With that, go forth and let your metaphors multiply, here, on Twitter (@sturnerrice), or over at Pauldotcom!