Wednesday, May 21, 2008

Security Metaphors: The Good, The Bad, and the Ugly

Security analysts try to explain security concepts via metaphors on a daily basis - putting our technical language into a more approachable form is part of the job. Sometimes we manage to do a great job, and our audience picks up the idea easily. At other times, we either confuse them, or worse, we create more issues than our metaphor was intended to solve.

"But, why doesn't the security guard hear the burglar?" "Well, hackers don't make noise when they're breaking in and..."

Many security metaphors are overused, or are poor representations of the actual concept. How often do you see a lock used as a security metaphor? Security - particularly IT security - is rarely conceptually equivalent to a lock, yet almost every security program uses a lock as a visual metaphor. Some even use an unlocked lock. Should we be concerned that we are subliminally suggesting to our audience that security isn't there?

Another overused comparison is one that Anton Chuvakin complained about last year: our overuse of the castle metaphor. His points are very valid - we're not building castles, and we need to explain what we're doing more carefully. Defense in depth is relatively easy to explain - but how do you explain more complex concepts effectively? Often, we attempt to come up with a spur-of-the-moment comparison, and sometimes we fail. In at least a few circumstances, this habit has become a running joke in organizations I've worked with.

The habit of creating spur-of-the-moment metaphors can be ugly. Metaphors can fail quite horribly, as shown by this recent example quoting a police officer talking about fake checks and check fraud in an article in the South Bend Tribune:

"Fake checks are like that chainsaw.

"There's always got to be that one guy that says, 'I don't hear the chainsaw, I don't feel the chainsaw,'" he said. "Trust me, it's there. Don't open that door."

When you do, you're putting others at risk.

"You're allowing (a) whole bank to be susceptible," Zultanski said. "And our whole banking industry."

So what is your favorite security metaphor? Have you seen any huge successes, or any huge failures?

Creative Commons licensed Flickr credit to: AMagill
