Words – and the images they create in our minds – are powerful. They can persuade, cajole, impress, seduce, and influence. In business, they can convince people to take action on an important issue, push them in a certain strategic direction, or compel them to invest in a product. Words are a powerful tool.
Although cybersecurity has moved from the margins to the mainstream, its language seems trapped in those very margins. When the subject regularly features in the World Economic Forum’s top five global risks, it raises the question: Is the language we use still fit for purpose? Do the industry’s word choices invite outsiders, educate the uninitiated, and make it understood to a broader audience?
Professor Victoria Baines, IT Livery Company Professor of IT at Gresham College, argues that much of the language and many of the metaphors used to describe cybersecurity are neither appropriate nor effective. Baines’ 2022 book, Rhetoric of InSecurity, charts how the use of hyperbole and catastrophe amplifies threats, making them appear urgent and dangerous.
The book observes how cybersecurity “abounds with military imagery and the language of warfare: at the most general level, even the very notion of ‘cyber-attack’ – as opposed to ‘cyber-theft’, ‘cyber-vandalism’, or even ‘cyber-destruction’ – exhibits martial leanings and conceives of IT operations as a military manoeuvre.”
One cybersecurity vendor described its threat analysts as “seasoned veterans” engaged in “hand-to-hand combat with malware”. Ugh. Another conjured images of a space monster to represent the threat of ransomware.
When the spread of Covid-19 was at its height, one well-known product vendor used the phrase ‘cyber pandemic’ in its marketing. “People were losing loved ones, and they were being told to panic about a ‘cyber pandemic’. Let’s not be triggering if we can help it,” advises Professor Baines.
Baines also advocates repurposing the virus imagery that has long been a staple of security, so much so that most people still refer to their security software as ‘anti-virus’. “I don’t think there’s anything wrong with metaphors; they’re useful, and we need something to make cybersecurity seem more tangible, immediate and accessible. At the same time, not everything has to be terrifying. It’s that ‘stop and check’ moment. Is it catastrophic? Is it devastating? To me, devastating is a tsunami,” she explains.
Prof Baines argues that much of the language used to describe cybersecurity needs to be more empowering for business owners, managers, boards, and consumers. Marketing tactics that rely on fear negatively affect how people feel about the problem: they rob people of agency and of the sense that a threat can be faced, leaving them feeling powerless to act.
“If the dominant rhetoric is, ‘this can’t be your problem because it’s too big to solve’, the only ones that benefit are criminals and vendors,” she says.
Language can have a real-world impact on people’s security practices. For years, there have been moves to encourage people to swap passwords for safer forms of accessing online services. One of the alternatives is known as two-factor authentication, and Dr Jessica Barker, co-founder of Cygenta, has been tracking its use over recent years. In 2019, she found that 62% of UK internet users (in a survey of 1,000 people) didn’t feel confident they knew what two-factor authentication was, and furthermore, only 26% used it. “I believe that the term ‘two-factor authentication’ is a barrier in itself, like many of the terms we use,” she says. It’s fair to say it doesn’t roll off the tongue.
The US National Security Agency recently released guidance to encourage remote workers to take security precautions, but it fell into a familiar trap. “This is, unfortunately, the perfect example of why people still struggle with cybersecurity: we are making it far too complex for [people]. This NSA document, designed by geeks for geeks, is nine pages of jargon-filled complexity that I even got overwhelmed by,” says Lance Spitzner, director at SANS Security Awareness. If pros as well-versed as Spitzner are scratching their heads, what chance does the average Joe or Josephine have?
Cybersecurity professionals often don’t do themselves any favours by peppering their presentations to boards or senior management with jargon or speaking to others in a way that can come across as elitist. Instead of encouraging people to listen and take advice, it has the opposite effect. Are you picturing the monkey with its hands over its ears emoji?
“It might make us feel good to use very precise technical terms, but we have to ask: whom are we serving? If we are trying to reach a non-technical audience, we should be actively trying to break down barriers for their engagement,” says Dr Barker.
“Industry jargon and technical terms have their place. From a sociological point of view, it’s about signalling that we belong to a certain culture or group. And it can help with shorthand when we are speaking with our peers. But, technical jargon is terrible for communicating beyond our community or with people new to the specialism,” explains Dr Barker. “When people hear terms they don’t understand, it will often exclude them, undermine their confidence and put them off,” she adds.
It’s not just industry marketing or cybersecurity professionals that are to blame. The media and law enforcement deserve a slice of the blame pie, too, Professor Baines argues.
Reports of data breaches often include details of people’s information ending up on the ‘dark web.’ That might be a catchier term than ‘online services that aren’t indexed’, and sure, it’s much easier to fit into a headline, but only the former provokes fear and a sense of helplessness.
We might roll our eyes at phrases like “cyber pandemic,” but Prof Baines argues that cybersecurity can learn a lot from the response to the Covid-19 crisis. You didn’t have to be an expert in epidemiology or virology to understand sharp, punchy messages like “Hands. Face. Space” or to grasp the urgency of “Stay home. Protect the NHS. Save lives.”
Inspired by similar messaging, Professor Baines is working on a public information campaign, due for launch soon, to encourage good security behaviour using positive language. “The whole idea of it ‘not being our problem’ is what I’m trying to counteract,” she says.
The campaign will not focus on CISOs and CIOs, Prof Baines explains. “I’m focused on people like family members and friends. If we can instil better and more responsible behaviour in individuals, they take that to work. The more cyber-aware and security- and safety-aware someone becomes in their [personal] life, the less they have to spend on awareness programmes at work. You can be assured that people know how to take responsibility for themselves,” Prof Baines says.
The language of risk also helps us to think about the problem in a more accessible way, she adds. “Cyber risk is an interesting phrase because ‘risk’ isn’t the same as ‘threat’ or ‘incident’. For boards to approach cyber as a risk that needs to be on their risk register at all times, I think that’s a really good approach. Because boards understand risk, they have to sign off on it; they are legally responsible for risk.”
For those in cybersecurity roles, Dr Jessica Barker suggests taking intentional steps to soften their language, especially when speaking to a non-technical audience. “If you can sense-check communications with people outside of security, then that’s a great way of overcoming the ‘curse of knowledge’ where you don’t realise that the people you are speaking with don’t have the same expertise you have,” she says.
Dr Jessica Barker shares three pieces of advice for effective cybersecurity messaging that speaks to its intended audience: