
Shall I start? Okay, looks like everything's ready for me to start, so hopefully everybody's in the right room for a metaphor discussion. If not, well, there's one other option. So, because this is BSides: that's my company, if you want to know more, ask me later. So let me introduce myself. This is me. As you can see, I've been at this for a while, and this is what I do.

So this is not your normal security presentation. This is a presentation on metaphor, based on a paper that I wrote a while back. The presentation fundamentally is about language: how language informs our thoughts and how our thoughts form our language. It's a mental loop that we go through; that's how neurological structures function, and we can go deeper into that after this talk if you're interested, but I'm limited to only half an hour today. So fundamentally the thing to take away is: language is reality, because the human mind processes reality as language.

So to introduce metaphor: we tend, in IT and in information security in particular, to communicate with too little attention towards our audience. We often agree what individual words mean, although if you look at the comment section on the internet you can see that's not always the case. Complex ideas, however, take time to explain, because concepts build upon concepts, and the faster you talk, the faster you communicate, the more ambiguity there tends to exist. So we focus on metaphor, which is a concept in which one concept represents something else. So it gets deeply meta the deeper into this you go, but it's a framework we use to understand the world, to communicate with others, and to understand how things work.

So there are some standard metaphors we use in security. One is security requires safety and protection, such as the castle; a willingness to stop, slow down and assess; or fast, reliable communication. All of these are metaphors that work within the security space.

So what does this mean? One common example of metaphor is argument as conflict. This is a way of talking about metaphor: thing one as thing two. And this comes out of a work by Lakoff and Johnson called Metaphors We Live By. They basically created the field of metaphorical analysis about, I think, 30 years ago. So in argument as conflict you see language used: people say things like "his claims are indefensible," using the defense model; "he attacked every weak point in my argument"; "his criticisms were right on target," that right-on-target language is used; and "I demolished his argument." So you have amorphous concepts, such as working through disagreement, compromise, understanding others, that are made easier to understand as physical constructs, which are what we use in the day-to-day world.

So how is this used? Metaphor is used generally at a high societal level, but as you dig into specific industries you see specific metaphors; as you dig deeper into specific teams you might see teams develop their own metaphors; families have their own metaphors. And the tighter the social group, the better the metaphors resonate, because the more common their background is shared. Now, metaphors also frame thought. So this is where small groups often get caught: if ideas form language and language forms ideas, this loop is created and you can get caught in this loop.

A good example that I'm going to go through really quick is in Switzerland: they make watches. They've made watches for hundreds of years, and their mental concept of what a watch is is a bunch of gears working together, and the better they can make the gears, the smaller they can make the gears, the more reliable they can make the gears, the better the watch is. Fundamentally their concept of time is that of interlocking gears, and that metaphor ran the world for years until Japan came on the scene and decided that a watch could actually be represented as a little LCD display, and all of a sudden Switzerland's hold over the market collapsed, because the world's metaphor for what time was started to change. And we see this in all industries whenever there's a disruptive tendency that affects the world. Like when Apple released the iPod: that wasn't a new technology, but what Apple was able to do was shift the metaphor for what music was, and because of that they took a stranglehold on what was going on.

Well-chosen metaphors promote understanding, and poorly selected metaphors inhibit understanding. With a poorly selected metaphor you wind up thinking in terms of the metaphor, not in terms of reality, because the brain is matching that linguistic processing center and you're not necessarily seeing what's going on, so you don't see when the environment changes, and you wind up getting stuck doing the wrong things.

We saw a great example of this a few years ago. APT stands for advanced persistent threat, and that's a metaphor that the US military created to identify attack targets or attack sources without linking them to a specific country or a nation state. So it originated in the US military, and then it hit the public consciousness when that Mandiant report came out, and that's when the metaphor started to shift. And we saw it shifting from attackers as nations, to attackers as APT, APT as advanced malware, APT as malware, and then all of a sudden you have malware vendors saying "we protect against APT," and it turned into a marketing buzzword, because the use of that construct shifted. This was a failure of metaphor because of ad hoc metaphor mapping: people didn't really think through how they were using language, and they lost control of it.

Now, it can also be used as a communication accelerator. There's been a lot of research in this in the fields of linguistics, philosophy and psychology, and basically a metaphor is not necessarily a replacement for factual statements; it's intrinsic to the brain, and the brain requires metaphor to handle complexity. Okay, the more complex of a topic you're talking about (unless you're talking with somebody who has the same level of knowledge as you and you're exploring it), the more complex, the more meta you've got to go, the more metaphors you have to use to communicate. Basically it functions as a form of lossy compression the brain uses, and instead of necessarily doing a full loss-free expansion, it is used to recreate concepts. And that's why, if you try to think back to something that happened back in second grade, there's a reconstruction process your brain goes through; you're not actually remembering what actually happened. So it's a space-saving device, and this causes problems when you're talking to people outside of your field, because they have different expansion algorithms for the same words you're using, and misunderstandings can really abound. The factual statements that you use when you check in and verify that other people are thinking about what you're talking about, those are basically checksums to the lossy compression algorithm and how things are working. Fundamentally, though, it's an iterative process, and it's focused on speed, but it's fundamentally imperfect, so you need to focus on the gaps in communication and get a better understanding of where those are to better communicate with others, because you have metaphoric breakdown: metaphors can fail or break down when they're overly restrictive or when they fail to extend in the direction you want them to go.

Now, Scott Granneman down in St. Louis did a study a while ago and collected a bunch of security analogies, and it's worth looking at his work; it's just interesting what he was able to do. But I'll go through a couple of examples.
So this one is distributed denial of service as phone calls, okay, and this is used to explain what DDoS is to non-technical people. And the metaphor that people use is: imagine you have a business and you've got a secretary sitting there, and she's answering the phone whenever it rings, and you suddenly have a thousand people calling in, and whenever the phone's picked up there's nobody there, but you can't tell the difference between a good one and a bad one, so you have to keep answering the phones. So that's the metaphor, but it breaks down, because in modern days you've got caller ID, so how do you deal with that situation? In modern days you can expand a call center to India or wherever and get additional call volume. So the metaphor explains the attack only up to a point, and then, as people start to explore it, they realize it kind of veers off in another direction and can actually serve to inhibit communication, not improve it.

You also see a breakdown in adware as paparazzi. So with adware, you have an application that's installed on a system and kind of follows you around the internet, logging the sites you visit, the purchases you make, the ads you see, and it sends all the information to a third party. So it works at that level, but it breaks down because the paparazzi don't usually inject malware into people's systems; they don't do that level of attack; they're not usually engaged in theft. So as you explore the metaphor it starts to fail, and you have to recognize where that failure is so you can bring in another metaphor or shift to more technical communication.

One that I really liked, that I'd never run into until I started reading Scott's work, is storage as shelves. And the idea here is you've got a row of shelves; each shelf has boxes on it; each box is filled with stacks of paper. Each stack of paper is like a file; each box is like a cluster on a disk; and large documents are stored in multiple boxes, but in a relatively random order, just kind of based on what space is available in each box, so you need an index. And that maps to how file systems work. But as you dig deeper under the hood, you see that there are different formats in file systems: ext2, 3 and 4, NTFS, XFS, GFS, Reiser if you're crazy, and all sorts of things you can do there. So these are all different types of indices that handle the different filing systems differently. You also have a problem, or opportunity, in file systems called slack space, where you can store things in boxes that aren't indexed, or are indexed in a different way, and that breaks the shelving metaphor.

So you see breakdown because of complication. You see breakdown of metaphor because of age: some people don't store paper anymore. If you talk about this kind of thing to people that are in high school, they've probably never stored a physical file; their entire lives everything's been digital. You also see breakdown at technical levels, because things differ between different file formats, because metaphor can be general or specific.

Now, IT is rife with general metaphors. We've all heard "the internet is an information superhighway": you see this information going down, and if you want something faster you need more lanes. But as we learned a few years ago, it's not exactly like a highway; it's not like trucks taking stuff back and forth; it's really a series of tubes, right? So that sort of discussion can be positive or negative depending on what you want to talk about.

Now, in 2008 there was a project to create artificial information security metaphors, and in the first round of this process they found the normal ones that we see: the fortress/castle metaphor, which we've all heard; cops and robbers, we hear a little bit, not quite so much; security as warfare was not as common in 2008, but it's all over the place now. And then they went through a concept mining exercise, and they found metaphors around biology, the medical field, economics, things like that. So one example was they tried to create this architectural metaphor where you build security into something. We've seen that in various papers and presentations and things, but that's generally a metaphorical failure, because very few of us are architects; very few of us are actually building something new. We're more having to add something to a network that already exists, or a system that already exists; we have to deal with already-built environments, and the building-in model just doesn't work.

In the health care space, we saw some attempts to use security metaphors in measuring health: you have a health check of the network, you need to do preventative maintenance, which is dealing with vaccines or whatever. But you have a failure, because we're not really good at using medical metaphors in the medical field to begin with; we are fundamentally not good at taking care of ourselves. So if you take a failing metaphor from one industry and apply it to another, you just have a failing metaphor over there too. The better you understand the metaphor, though, the more you can anticipate the breakdown, and that results in favorite
metaphors. So I ran a contest a few years ago on a private security mailing list for people to share with me the metaphors that they found that worked best. So, as expected, the castle metaphor is one of the first ones that popped up. Okay, so Michael gave me this one, and in this you see a metaphor: security is like a castle. You've got walls, a moat, archers, guards, a drawbridge, and a secret door so people can bypass the hassle if you need to. And we got to see the secret door quite a lot in The Lord of the Rings movie, with Legolas coming down and doing crazy elf stuff. So this is the core of the metaphor. You have a problem with untrust: the townspeople know where the door is, they could be compromised, they could tell the attackers what's going on. If the attackers focus on the people, not the infrastructure, then the back door will be used, and it will be used for attack. So the metaphor is useful, but it completely falls apart as soon as the person you're talking to says "oh, but I trust my people," right? And you have to understand where that fail point is, so if it comes up you can shift, pivot, and start talking in a different way, and in this case have a discussion based on trust.

This is another example: going to a doctor. Somebody goes to a doctor for the first time in many years; there might be a lot of findings from the blood tests, the blood pressure tests, whatever is going on. Which ones are actionable? So here's the core of the metaphor: the younger you are, the more time you have to deal with some of these things. If somebody goes to the doctor at 25 and hasn't gone for 10 years, it's very different than if somebody goes to the doctor at 85 and hasn't gone for 10 years. Some things are more fixable than others, and this matches the "security fits at the beginning of the project" kind of metaphor, right? But it's going to fail if people dislike doctors, if they're big homeopathy believers, something like that. So you have to know how the audience thinks, so you can choose these mental algorithms that are going to exist in their brains too.

This was one of my favorites: security as a submarine. So a manned submarine: it's useless without the people; it has to protect the people and get them moving. You have to be a little bit careful about the doors; doors on a submarine are kind of important, because they serve two functions: keep the people in and keep the water out. So you have to have a breach plan: what happens if water gets in, how do you clean up, how do you make sure the security is still good in that situation? There's a lot of insight in this one basic metaphor. It's very useful, it's highly extensible, highly flexible, fast and easy to understand, and it's completely derailed when somebody says "what's a submarine?" Right? This works in the US because we went through World War II; we know what submarines are; it's in our movies, it's in our books. But if you take this to somebody who lives in the desert in Namibia, they're not going to have any idea what you're talking about.

And then you've got the sports metaphors. So this one: firewall as a defensive line, other technologies as linebackers, good code as cornerbacks, WAFs as safeties, SOC as coaches, Elite as defensive coordinator. Like the submarine, it's highly, highly flexible, but it's a total failure if you don't know football. I don't know football. I got this metaphor, and when I was reading it, until I got this from Jonathan I had no idea what cornerbacks and safeties did. It worked in reverse for me: this is what I understood of the metaphor; it helped me understand football. I mean, to be successful, metaphors have to be selected to facilitate communication, and the introduction of metaphor should decrease complexity, which gets into audience.

So most businesses have lots of stakeholders, and this draws from a paper that Forrester wrote called Planning for Failure. Now, the paper itself doesn't have that much that's new in it, but it does lay out the stakeholders in a useful way. So if you look at the stakeholders in a business, you can use concepts that are adapted to match the metaphors they're likely to use, and this is going to be better accepted than technical facts, because you don't have to keep backtracking to explain the technical issues that are behind what you're talking about. So, like, if you're talking to all employees, you're not going to have a lot of shared background to work with,
so you have to use general, more cultural metaphors. A lot of people, particularly in the US: you can assume most people have gone to school at least to a certain extent, so security as learning is going to work. A lot of people have families, so security as protection works. People that are rich enough to have vehicles or homes: you can use security as maintenance. You can also use security as resource management, dealing with finances.

Now, in IT it's a narrower group, more shared background, so you can use metaphors that resonate a little bit better. If you're talking to Windows people and you're a Linux person, you can basically link technical concepts between the two even if the technology itself is different. You can remap security concepts to general tech issues: you can say a denial of service attack is like a runaway process; a remote code execution is like a user left themselves logged in and somebody walked by and did something on their computer. They'll understand that.

If you're working with law enforcement (there's a breach, you've got law enforcement people coming in), law enforcement is an isolated culture. Anybody here in law enforcement right now? Okay. So if you work with law enforcement people, you'll notice that there tend to be, I've seen, two types: people that really are driven to protect others, and people that are really driven to control others. And it really helps to know which type you're dealing with when you're talking, so you can select the metaphor appropriately. We often see this with the FBI. Who's worked with the FBI ever? Anybody in InfraGard? Okay, a few people. So in general, since the camera is not pointing at you, who has a negative opinion of the FBI? Anybody? Okay. In most audiences there's more people raising their hand for that one. The FBI has a serious metaphor problem, because whenever they're in the news or on TV they're either portrayed as evil or clueless. You get the X-Files view of the FBI, and you get the media saying "oh hey, they're spying, they're doing this, they're doing that, they shouldn't be doing that," and all the good stuff doesn't show. So unless you really understand what's going on, there's this communication gap between the FBI and the media, between the media and everybody else. So there's two areas where communication can fail, and it almost always does. So if you're dealing with law enforcement, unless you know otherwise, you have to assume they're non-technical. You have to frame the discussion around why it matters; focus on security as protection, damage and capture. They'll understand that; you'll get past those initial communication hurdles and be able to dive into what matters pretty quick.

And finally there are external service providers. These are vendors, companies you're working with, and these people are highly concerned with blame, because if you can lay a problem at their door, you could leave; they could lose a lot of money. So they almost always fall into blame deflection mode, and you have to understand that and work through it. So the business model: you have to understand the business model is almost always higher quality or lower cost, and in both models, if the blame falls on the business, the blame risks the business that they're facing, so they have very strong incentives not to be blamed. Now, metaphor conflict can and will happen, and they will try their hardest to prevent the blame from falling on them. So security as blame is only going to work if, and only if, you can lay the blame somewhere else. So what tends to work better is focusing on security as discovery: telling them "hey, I need your help to figure this out; we're a team on this; we need to make sure it doesn't happen again," so you can get deep enough into their system, their technology, their people, and understand what actually happened. Then, if it's actually their blame, because you've been working with them together for a while, they're more likely to work with you on resolving the problem.

So how do you do this? There are lifestyle metaphors that social engineers have really been focused on for a while. They don't really call it metaphor research, but that's what they're doing. So you stereotype people. You can look at people by age: generations tend to communicate better internally. You can look at by race: you get language choices there, issues of prejudice that come up. Class has economic options, societal expectations. Hobbies: baseball, cooking, photography. If you know what somebody's doing, you can understand a little bit about how they think, and you can select metaphors appropriately. In summary, people understand best what they already know. So if you're going to have to regularly communicate with somebody who does fishing, you should probably learn a little bit about how fish work, how people find the fish, what kind of gear they need, things like that. If somebody does a lot of cooking on the side, you should know about food prep: security as prepping the ingredients ahead of time so you're ready if you need them later. Those metaphors will work. If they're a baseball fan, learn a little bit about the game. If they're a football fan, don't worry about it, because it's completely incomprehensible. But basically people will not attempt to understand you until you attempt to understand them, which is where personas come in.

Now, in agile development, personas are used intrinsically as part of the development process in a lot of cases, and this is basically identifying a person to help define applications and systems: how to design systems, how they're going to be working with them. And people assign names; generalities help, but specifics help more. Now, a word of note: you have to be careful when using stereotypes this way, because it's very lossy compression. They're basically metaphors that allow for fast framing, and they can be used to trap real people in boxes that don't match them. The reason to go through this exercise is to speed up communication and make it more accurate, so if you are trying to fit somebody in a stereotype that doesn't
fit, the stereotype has to change, because the person will not. Now, the three we're going to go through are US-based metaphors. If you're working outside of the US, you may need to adapt this accordingly. So three examples here and I'm done; looks like I might actually hit time.

So this is George. George is a white, college-educated, 50-year-old bank manager. He uses computers mostly for email and web browsing. He's divorced, amicably. He's got three kids: one is starting a family, so he's got one grandchild; one in college; one still living at home. He likes to grill outside on nice days. He attends church, but not regularly. He's dating a woman 15 years younger than him, which may be the reason for the divorce. Played basketball in college; he has fond memories of it. Votes regularly, tends to vote Republican, and he's renting a house, as his ex-wife kept the first house. Now, this information is generally public data. If you use Maltego, a little bit of Google searching, you can find this kind of stuff out for almost anybody. So what does this tell you? Metaphors that would work well with George: security as learning will resonate because he went to college. Security as doing what's right works well with family people and conservatives. Security as cooking works well: he likes steak, he likes to grill, so you know that some things take time, you have to have everything ready, you have to select properly, things like that. Security as sports works well because of the basketball he did in college. And security as protection works well because he has a family.

So let's look at another one. This is Dana: black, college-educated, skilled with computers but only as an end user, 23-year-old insurance agent. She's entrepreneurial; she runs a party planning business on the side. She's dating, not very serious about it. Has some credit card debt due to youth; she regrets the debt but not what she did in her youth. She's very religious, attends a Christian-based church each Sunday, volunteers there, also volunteers at Big Brothers Big Sisters. Votes occasionally, Democratic. Dislikes sports but does like to read, mostly mysteries. So what does this tell us? Because of the culture and the college background, security as self-improvement will work well. Security as risk works well with entrepreneurs. Security as duty works well with people who are highly religious. Security as learning: anybody who went to college, who likes to read, that's going to work. Security as discovery will work because she likes to read mysteries. And security as helping others: as a Democrat, as somebody who volunteers, that's probably going to work better for her than for other people.

So the final example: this is Tommy. Tommy: second-generation Vietnamese, high-school educated, highly skilled with computers but self-taught, 35-year-old database administrator. He has a long-term boyfriend but no plans to legally marry. Not involved politically at all. Lives with two dogs. He is Buddhist, not very serious about it. Financially stable, saving for retirement. Learns about one computer language per year; plays online role-playing games in his spare time. He has actively avoided business for his entire career, and he's thought by managers to be highly abrasive in meetings, but his technical staff loves him because he's good at solving problems. So how do you talk to somebody like this? Security as learning works because he's self-motivated, but avoid security as education; he's not going to have a college background to draw upon; he's completely self-taught. Focus on technology analogies, so Linux security as Microsoft security will work; document security as data security will work. Security as care works if somebody has pets; it's not quite the same as security as protection. And then security as improvement works because of the technology piece that he likes to do.

So there's some further reading you can go through; there are several resources out there, or you can download my Lean Security comic, which covers some of this kind of stuff. So I don't see any cell phones going up, so there's my contact information. Any questions? Yes.

They're called tag clouds, and there are various systems online that you basically upload the image, the blank, and then a word list, and it maps it in. Most of them have gone pay since I made this presentation, and I don't know of any free open source ones, so there's a project for you. Anything else? Yes.

Advice. So you can read that; there's a book called Images of Organization by Gareth Morgan, which is a massive tome, but it's an important read, and it talks about how metaphors are used in businesses. And once you start thinking about it, you start recognizing them, and it's really more a matter of training your brain to recognize them than to come up with them, because once you recognize them, you're kind of building that list in your mind of different things, and then when you have the list you can try them out on different people. Social Engineering: The Art of Human Hacking by Chris Hadnagy goes into some of this stuff as well, not directly, because it's a social engineering book, but those are two good resources to get you started.

Depends on who you're talking to.

Well, I know what you're trying to say. I'm going to guess that in some cases, like if you're talking technically, like most people at this conference, you can just talk tech; you don't need to delve too much into metaphors, because we all have a shared technical background. Where metaphors really come in handy is when you're talking to people outside of your field, and in that case you're more trying to understand what's going on, and you're not as likely to get caught up in the "this metaphor is tiring." Metaphors get old and tired when they're mapping to things that you already have mapped and you don't need to convey new data, right? Metaphors are useful for new data and bringing people into a conversation in a new way. They're old and boring if you already know the information. So I mean, that's more paying attention to "don't tell people stuff they already know" than anything else. So, any other questions?

Yes. Well, so extending the metaphor is a problem, but targeting metaphor is a problem as well, because if you target it too narrowly and the person doesn't have the background, they're not going to have the expansion algorithm in their brain and it's just not going to work at all. So try to make them broad enough to cover whatever space you know is in their brain, but the more you can learn about them, the more tightly you can target. So it's less about "always do this" and more about really know your audience; do your reconnaissance to figure things out before you talk to them. Anything else? All right, that's it.