32 of the Best and Worst Infosec Analogies

1. “Networks are like candy bars: Hard and crunchy on the outside, but soft and gooey on the inside.”

“Many organizations still adopt a fortress mentality, where everyone on the outside is bad and stuff on the inside is less dangerous,” said Brian Krebs (@briankrebs), author of the Krebs on Security blog. “Years of experience has taught us that the biggest problems often stem from the fact that once something gets through the outer defenses, it’s often a cakewalk to move around the internal network unimpeded.”

“Also, ‘soft and gooey’ probably aptly characterizes the security savvy of the average user inside the network,” noted Krebs.

2. “Information Superhighway.”

Besides being overused, this metaphor is really dated and barely explains the nuances of the Internet.

When Krebs hears this not even Internet 101 explanation of online technology, “I immediately think of policy wonks in Washington who love to blather on about ‘cyber-this’ and ‘cyber-that’ but who clearly lack a real depth of understanding about the issues or any real experience in the ‘cyber’ trenches.”

3. “Snow shoveling.”

Every time Edward Haletky (@texiwill) of The Virtualization Practice shovels snow he envisions new ideas around infosec. It’s a great metaphor for security because all the aspects of shoveling snow can be linked to a security concern, said Haletky, “It covers data paths (the shoveled paths), moats (digging out), surround technologies (digging out again), and where you put data and log files (piles of snow everywhere).”

Jack Daniel (@jack_daniel), blogger at Uncommon Sense Security, chimes in as well of the snow shoveling metaphor.

“Prepare all you want, but you’ll still have to shovel your way out when it comes down,” warned Daniels.

4. “Policy.”

The term is used by all groups for anything and everything, complained Haletky, “There’s a policy for data protection, one for performance management, one for security, one for compliance. The word just does not mean anything because there is ‘policy’ for everything, but when security says it, they imply something more important.”

For infosec, Haletky suggest more telling words such as “control” and “procedures” instead of “policy.”

5. “Hamster wheel of pain.”

Authored by Andrew Jaquith (@arj), CTO of SilverSky, this is one of the most popular infosec metaphors.

“It describes the obligatory clockwise circular process of finding vulnerabilities, ranking them, fixing them and then moving on to the next source of pain, usually in a twitchy, frenzied way,” said Jaquith. “At the time I wrote about it, I was an analyst at Yankee Group, and it seemed like every vendor trotted out some sort of lather-rinse-repeat wheel of pain to justify their product’s existence. Unfortunately for customers, these kinds of diagrams implied they would be on the wheel forever… lather, rinse, repeat, but never get clean.”

In “Risk Management is Where the Confusion Is,” Jaquith said, “It captures the easy part of the risk management message (identification and fixing things) but misses the important ones (quantification and triage based on value)…Quantifying and valuing risk is much harder, because diagnostic tool results are devoid of organizational context.”

Security doesn’t often provide a clear feedback loop, said Marcus Ranum (@mjranum), CSO of Tenable Security, who sees this hamster wheel metaphor to be a self-inflicted problem.

“Security practitioners’ response is often ‘I don’t seem to be getting anywhere..? Maybe I need to run faster,’” said Ranum who notes that hamsters do it for fun and exercise. Why do we?

6. “XYZ is like the DNA in our product.”

Biology and evolution are very complex sciences and shouldn’t be used to simplify an explanation of security, said Ranum who said that when a vendor claims that “XYZ is like the DNA in our product,” he’ll respond by asking, “In your analogy what are the base pairs?”

Similarly, if a vendor tells you their product is on steroids, then it probably has acne and shrunken testicles.

7. “You can bake a cake without sugar and nobody will notice, until they actually try it. By then it’s too late.”

In another variation of “The cake is a lie,” Wendy Nather (@451wendy), Research Director, Enterprise Security Practice at 451 Research, notes that the best cakes/companies have sugar/security baked in.

“The typical reaction to missing security is to try to slap it on afterwards in the form of ‘icing’ (e.g., ‘Can’t we just put a firewall in front of it?’),” noted Nather who believes that there are many security products that follow the “icing” model, such as web application firewalls.

“It just isn’t the same as baking the security in to begin with,” said Nather.

It doesn’t take a malicious hacker to break “top of the cake” security, said Nather who noted, “My kids are very good at separating the icing from the cake.”

8. “Fortress security.”

While Nather likes using the “icing on the cake” metaphor to explain poor “slap it on” security, the fortress metaphor to denote “good” security is dated and overused, especially by vendors in print ads. Maybe we should just to blame the ad agencies that created them.

9. “Infosec isn’t about the cost of ownership, it’s about the cost of pwnership.”

Given that digital crime has no set known procedures, security professionals have to respond in kind.

“Infosec makes its own rules and does what it needs to get the job done,” said Troy Hunt (@troyhunt), software architect, Microsoft MVP, and author of the blog troyhunt.com. “It requires a very analytical and somewhat subversion mind that can be equal parts creative and destructive.”

10. “Defense in depth.”

Jaquith hates this catchall phrase because it means “buy lots of crap and pray something works” instead of offering up a more creative business solution.

“For example,” said Jaquith, “If your executives are being serially infected with malware, the best answer might not be to double up on anti-malware, buy an expensive SIEM and install web security agents. Maybe the simplest and best solution is to get them all iPads.”

11. “Brakes on a racing car.”

“Often when people think about security they think it is there to stop them from doing something,” said Brian Honan (@brianhonan), Principal of BH Consulting and author of the SecurityWatch blog.

If you had a very black/white view of how a car operates, you would think that the brakes’ sole job is to prevent it from going. Brakes are actually a more nuanced tool, especially on a race car. The brakes are what allows the car to turn corners, maneuver around traffic, and ultimately win the race, explained Honan.

“An effective information security program should not be seen as something that slows the business down but enables it to get to its goals quickly, safely, and securely,” said Honan.

12. “Cyber 9/11” and “Cyber Pearl Harbor.”

These terms are usually pulled out to hype an issue, build an agenda, get quoted, and make headlines. They’re also dated as Shostack noted that the term “Cyber Pearl Harbor” has been used since 1991 in his post “The Boy Who Cried Cyber Pearl Harbor.” “To be using these phrases is an insult to those who suffered or were affected by those real events,” said Honan.

13. “Risk management is like herding lizards.”

“Herding cats is easy – just shine a laser pointer or open a can of tuna. Try herding things motivated by fear,” said Andy Ellis (@csoandy), CSO at Akamai.

14. “ROSI – Return on Security Investment”

“For most security things, we can’t quantify risk, so you can’t quantify return,” said Ellis. “It’s a rat race.”

15. “Draining the moat makes it easier to scale the castle wall.”

“Infecting connected endpoints with viruses or malware makes it easier to overcome firewall and other conventional perimeter defenses,” said Larry Ponemon (@ponemon) of the Ponemon Institute, an admitted Dungeons and Dragons gamer.

16. “Holistic security”

This metaphor is presented as an ideal form of security as compared to the less desirable disconnected “point solutions,” said Ponemon who believes that holistic versus point solution contrast is arbitrary and often meaningless. It’s pure consultant speak.

17. “Two hikers in the woods and a hungry bear.”

This metaphor refers to how good does your security have to be? Does it have to be perfectly secure (cost prohibitive) or does it just have to be slightly better than the industry average (economical)?

“You don’t need to spend a huge amount of money and hire specialists to build the cyber equivalent of Fort Knox, but you do need to be more secure than other potential victims in your neighborhood,” said Andrew Storms (@st0rmz), Director of Security Operations for nCircle.

Jeremiah Grossman (@jeremiahg), Founder and CTO of WhiteHat Security, lives in Maui and prefers the sharks and surfers version of this metaphor. As much as he likes it, he does realize that there’s no advantage to out swimming your fellow surfers if the shark specifically wants to eat you.

“It’s the difference between being a target of opportunity vs. a target of choice,” said Grossman.

18. “Best practices.”

“Application Security professionals commonly advocate for ‘best practices’ with little regard for the operational environment,” argued Grossman in his post “Is It Really True That Application Security has ‘Best Practices?’” In his article, Grossman lays out a few common application security scenarios and contends there are few, if any, best practices.

“The implication of a ‘best practice’ is they are essential for everyone, in every organization, and at all times,” said Grossman.

19. “Feudal security.”

“With the prevalence of cloud services and locked-down user devices, we’re entering a world where IT security is very reminiscent of feudalism. We pledge allegiance to companies like Apple or Google, and in return they promise to protect us. We have little or no control over the security of our iPad, or Gmail accounts, or Facebook data, or Flickr photos; we simply have to trust our feudal lords. Of course, these lords don’t always have our best interests at heart, and can easily take advantage of us,” said Bruce Schneier (@schneierblog), author of “Liars & Outliers.”

20. “Privacy.”

“Privacy isn’t about keeping secrets. Privacy is about having control over how your information is disseminated and used,” said Schneier. “When you get a creepy personalized marketing message and wonder, ‘How did they know that?’ you’re not wondering how they learned a personal secret. What they knew was probably known by all your friends, or your family, or maybe your doctor. What you’re wondering is how you lost control over that information.”

21. “Risk management is like crossing a road.”

The principles of crossing the road are similar to how you mitigate risk, explained Javvad Malik (@j4vv4d), videoblogger at j4vv4d and Senior Security Analyst at 451 Research. A dirt road is easier to cross than a highway. We are more bold crossing the road if we’re alone than if we’re carrying a child. Sometimes we can completely mitigate the road’s risk if we cross via a footbridge.

The analogy has worked very well for Malik as business people get it right away. Inevitably in a meeting a project manager will reference the analogy and ask, “How big is this road we’re trying to cross?”

22. “You don’t want to be the next XYZ do you?”

In this analogy, XYZ stands for the most recent and most talked about corporate breach. Every year people will point to that company’s failure as a reason you should be scared yourself, regardless of whether your business is even in the same industry.

“If you want to make a point, it should be fact-based – not just an attempt to scare or intimidate someone into agreeing to your agenda,” said Malik.

23. “Black swan.”

This term was made popular, but not originally coined, by Nassim Nicholas Taleb in his book “The Black Swan.”

“It is an event that is considered to of such a large impact and magnitude that it plays a significantly influential part in our history,” said Thom Langford (@ThomLangford), blogger and Director of the Global Security Office at Sapient. “Taleb gives it three criteria, namely that the event must be wholly unexpected, has a significant impact, and in hindsight can be rationalized as if it should have been recognized before it happened. A commonly cited example is the 1987 Black Monday market crash.”

“I like the way that it is an event that effectively resets everybody’s expectations and ideas of what ‘normal’ is, and how all our risk management exercises that we carry out on a day to day basis prepare us in no way at all for an event of this nature,” said Langford.

24. “Security controls are like a seat belt.”

This analogy is both immature and irresponsible, said Langford, “We use seat belts so we can drive faster more safely, therefore we apply security controls so we can take more risks.”

The analogy simply doesn’t match up, as we mostly use seat belts so we don’t die when we or another driver does something stupid.

25. “Security Diablo.”

The “Diablo” in this analogy refers to the video game, but it works for any adventure game in which there are quests to achieve (goals and objectives), monsters to overcome (threats and attacks), weapons to use (countermeasures), and rewards (more funding, resources, better equipment, and promotions), explained Dwayne Melançon (@ThatDwayne), CTO of Tripwire.

Moreover, you have to be smart about your strategy whether you’re playing an adventure game or building security.

“The type of enemy you’re fighting will drive your selection of weapons and countermeasure, and research on the capabilities of your attackers helps you make even better decisions,” said Melançon.

26. “The immune system of the body”

This analogy simply does not jive.

“It is inadequate because the immune system does not require conscious action and effective security certainly does. Good security doesn’t just ‘happen,’” said Melançon.

27. “IT security is a bit like cleaning the toilets.”

A personal favorite metaphor for Stephen Bonner (@stephenbonner), Partner at KPMG, who explained it as, “When you get it right nobody notices or bothers to phone you to congratulate on a job well done, but when it goes wrong everyone is up to their neck in brown stuff.”

28. Security is only as good as your weakest link.

This analogy states the obvious, and doesn’t provide any actionable guidance.

“There will always be something in a company’s environment that will be considered a weak link,” argued Derek Cheng, Sr. Director, Security and Risk Management for EA. “It’s a matter of identifying it and implementing the appropriate mitigating controls to reduce the risk and exposure.”

29. “The first step is admitting you have a problem.”

“Like some people who drink too much, the security community has a problem, and we can fix it if we’re willing to admit we have breaches and talk about them,” said Adam Shostack (@adamshostack), blogger and co-author of The New School of Information Security, who admits to using the analogy, yet still recognizes that dealing with an addiction can often be much harder. Shostack practices what he preaches. Last year, he admitted to us on video how his blog became a botnet server.

30. “Think like an attacker.”

“Telling people to think like an attacker isn’t prescriptive or clear,” said Shostack. “Most people have no clue how to do it. They don’t know what matters to an attacker. They don’t know how an attacker spends their day…The way we say it, we sometimes imply that you should be embarrassed if you can’t think like an attacker.”

31. “Soccer goal security.”

An advertisement once ran in Network Computing magazine featuring an image of a soccer goalie actively defending one side of a goal, oblivious to the fact that his opponent was scoring on the other side of the goal. (See the photo) “The goalie is addressing the thread he expects,” said Richard Bejtlich (@taosecurity), blogger at TaoSecurity, “The threat is smart and unpredictable, attacking a different part of the net.”

“I see too many security teams misdirecting resources to nonexistent or less damaging threats,” continued Bejtlich. “Instead, they should build visibility into their security program and counter threats that are already exploiting their enterprise.”

32. Chocolate fireguard

This metaphor refers to security that only “looks” good.

“As soon as you apply some heat to it, it melts away, loses its structure and doesn’t provide the safety that a fireguard is expected to,” said Bruce Hallas (@brucehallas), who actually runs The Analogies Project to help others better understand business and security issues.