Security Communication

Lately I’ve been listening to the BBC’s How They Made Us Doubt Everything which exposes how the manufacturing of doubt is used to protect first the tobacco industry and their link to lung cancer, then the oil industry and their link to climate change.

It’s all well worth listening to the whole show if you can get access to it, but one of the episodes that stood out to me was about climate change communication and the section with Susan Hassol describing the confusing and conflicting words that scientists use. A similar assessment of the poor usage of language used in climate science in Susan’s TEDx talk.

How this ties in to IT security is that I think the community has a similar communication problem. I don’t see evidence that there are adversarial actors involved, intent on casting doubt on the effectiveness of encryption. We can assume it exists, and we should be thinking about these problems before security has the same communication challenges as climate science.

MFA, Authentication, Authorisation, backups, privacy. I know what these means to me. I have a hunch about what they might mean to the readers of this post. But what do these terms mean to those outside the industry, my parents, or my neighbours?

I know when I met my neighbours for the first time I inadvertently got in to a conversation about coding and hacking and had to clarify their meaning. As explained by Hassol, having these communication barriers doesn’t help make people understand better, and make information easier to act on.

Hassol has a published translation of commonly confused terms. Similarly, Gender Decoder, used to check for gender biases in job adverts is also based on published evidence. Where is that analysis for security terms?

NCSC does put a lot of effort in to this, and has even re-emphasised their tend pragmatic advice when questioned by those in the industry on their three random words policy. But the argument is about as effective as whether oil or coal is the largest contributor to green-house gasses. It creates uncertainty, and ultimately misses the more valuable position of secure passwords.

I want more IT and cyber security discussed in common forums, such as TV, and Movies. Those in the industry often get excited about seeing nmap or multi-factor authentication used on screen. But it’s rare that security advice is portrayed well, or in seriousness.

I often think, who is, or will be the person to communicate IT security well. Who will have an accessible, entertaining and informative TV show on how to secure your e-mail? Who will educate the public in looking for better privacy serving products? Who will go on news when a major company gets hit by ransomware or has a data leak?

Who is, or will be, the David Attenborough or Hannah Fry of Cyber Security?