
Thank you very much. Hello everyone. Thank you so much um for coming to listen to me speak. Um thank you very much to BSides, the organizers, the sponsors, everybody here. It's a real pleasure to be here today um talking to you about the language of security. Somebody said to me last night, they saw my title and they're like, "What on earth is she talking about? Cyber by any other name would smell as insecure." Um so before I get into my talk which is all about the language of security, how we talk about security and particularly the notion of cyber security, um I'm going to introduce myself for those of you who don't know who I am. So I am Dr.
Jessica Barker. I am not this kind of doctor but this kind of doctor which means I can't help when this happens because my work is much more serious. I work in information security. I am not one of these or one of these. And I don't often go to work dressed like this. Casual Friday only. Um I am a consultant. I work for myself as a consultant. So if you ask Google image search what a consultant does, you will find out that I create success and I solve puzzles. So everybody gives me high fives and fist bumps. Yay. Um, as as well as my day job as a consultant, I also get to do fun stuff
like this. So, I speak at events like BSides and SteelCon, EMF Camp, and I do a fair bit of media work, usually talking about the latest cyber attack or cyber breach. So, you will see me in the media looking shocked, looking angry, looking disappointed. and as of last week looking very sad. Uh so working in information security I don't need to tell you all. Um it can make you angry. It can make you disappointed. It can make you uh angry and disappointed and sad. Um so I try to relieve those pressures by doing stuff like this and stuff like this, stuff like this. And I also like making things like this which is an alarm
clock, not a bomb. this which is a kitchen timer and uh a little bit of jewelry making as well. I've also done something right now that I don't think anyone else in this room has done which is I have stolen from the man who rob bank robs banks himself. If you don't know what I'm talking about, go to EMF Camp and see Freaky Clown talk about robbing banks and you'll realize that I just shamelessly ripped off his intro. So uh cyber by any other name would smell as insecure. I'm talking today about the language of security. My background is in sociology, a little bit of psychology, civic design. So very much from the human side of um things and I I
apply knowledge of society, knowledge about how people think and how people act to my work in cyber security. As a day job, I'm usually working with companies um to help them understand cyber security with awareness raising stuff, communications programs, cultural change, and looking at policies and procedures and how you drive those through an organization. I also do bits of research as you'll find out later on in the presentation. So, I'm going to start really quickly by looking at some definitions. um we use um lots of terms in this community in this industry and also outside of the industry um when we're talking about what we do. So information security I think that is what most people would
probably say they do over cyber security. Most people prefer the term information security and if we look at NIST I have a definition there um protection of information and information systems from unauthorized access use disclosure and it's particularly around CIA confidentiality integrity and availability of information. It's not in the dictionary information security. So it's not in popular lexicon. If it's not information security, is it data security? This is the protection of data um from unauthorized modification, destruction etc. So for that you have to ask well what is data? What is data and not information? And data is electronic. This is according to NIST. So data security is a subset of information security if we look at like that also
not in the dictionary so not in popular use. Information assurance is often used and information assurance is about protecting and defending information and systems by ensuring CIA. So we've got CIA and then we've got non-repudiation and authentication. So a little bit wider also not in the dictionary. Sometimes people use information assurance I have found interchangeably with information security or they'll use it kind of to talk about audit stuff and ISO 27001 um and use it in a slightly more technical way. So there we have information assurance. Finally we come to the dreaded one cyber security. the one that most people uh roll their eyes at probably in this room. Cyber security according to NIST
protecting or defending cyberspace from cyber attacks. So we need two more definitions to understand that one. What is cyberspace? That is the global domain of information independent interdependent networks information systems. It is the internet. It is telecoms. It is computer systems. cyber attack is an attack in that space. Um, and so it's particularly looking at disrupting, disabling, destroying cyber space. Cyber security is the one term in the dictionary. So cyber security is in the dictionary. The dictionary has a much more straightforward definition for cyber security. Measures taken to protect a computer or computer system as on the internet against unauthorized access or attack. So there we have it. cyber security has got into the dictionary. So what does that mean? How
come that term has got in the dictionary when none of the others have? And the very simple answer is usage, popular usage. People use it. So uh Merriam-Webster um people who make the dictionary, they track words that are being used and their meaning. And when they when there gets to be a certain level of usage in society, that term will go in the dictionary. So they have deemed cyber security as being deserving of going into the dictionary. When we talk about cyber and cyber security and cyber space and cyber attacks, we think of them as being uh very new terms. We think of like, you know, the last few decades anyway. Certainly more new than information. But
if we look back um through history, we find um that cyber has evolved actually from ancient Greek times and it's been used throughout time to mean kind of steering directing governing um and it was taken really forward in the 1940s um as cybernetics and this was meaning control and communication theory and that was me whether machine or animal. So not just restricted to what we would traditionally think of as as kind of cyber space but relating to humans as well as machines. Cyberspace came along in the 1980s um as science fiction fans will know it was first used um coined by William Gibson um in his short story Burning Chrome and it then became much more popular in
Neuromancer. And I'll get on later to why Gibson chose cyberspace um why he chose that particular particular um term and he went through a series of thoughts and he he dismissed and considered um other terms but settled on cyber space. So cyber has been around for a while and it's been meaning directing, governing, controlling commanding um and used to to kind of mean this relationship between machine and animal. But when it's used in this industry, um it often elicits this kind of response. So people don't generally um within this industry want to take cyber or cyber security that seriously to the point where it can make people irritated and angry and it can make them
think you know cyber meant a whole different thing 20 years ago and now people are using it in a business sense uh or in an IT sense and um the industry I would say in general is not particularly happy with that. So I, as I said earlier, I do research and I do that for companies, but I also do that out of my own interest. Um, so earlier this week, I was thinking about this talk. I was thinking about cyber security, information security. I was thinking about definitions. So, I asked the good people of Twitter, knowing that most of my followers and most of the people I follow um work in this industry, I asked, "Which of the
following terms do you use to mean protecting against hacking and other data loss?" Now, I struggled a bit with how to phrase the question. I wanted it to be kind of generic and kind of high level and something that someone outside of the industry would relate to as well. So, there are lots of holes you could pick in how I chose to ask that question. Um but I think you can see the general point I was making. It got quite a good response. Um so 400 votes and the vast majority of people relate to information security. Um last is data security. So people were not keen on that. Um cyber security was kind of middling but still that was less than
half of um cyber of information security. So people relate to information security much more. they use it much more and um I thought it was interesting to consider that in light of the definitions I went through at the start. So if we look at the question I've asked and I didn't mean to be quite as precise as I was but I said hacking and other data loss. So I am probably alluding um to kind of cyber space if we think about these typical definitions. I am talking um about electronic information. I'm talking about the internet, telecommunication network, computer systems. And as I said earlier, information security probably sits above that. So if we're being technical,
I would argue that cyber security, if we go off the NIST definitions, is actually much more applicable to the question that I asked. But anyway, we'll move on from that. I asked Twitter because I particularly wanted a response from the community. I particularly wanted people who work in the industry. Um, and I also wanted to hear what they had to say about it. So, I got loads of conversation and discussion. I could have picked loads of tweets to focus on. Um, but I just wanted to put some up here um to try and reflect what people were saying. I really agree with Chris's point at the top and Chris Ratcliffe isn't here today. Um, but he came back
very quickly to say they all mean the same thing and different things and that's confusing. Um Carl who may be here today. Hey. Hello. Carl said um and this one I also can relate to. Um I use cyber when providing headline marketing information and information IT security um at all other times. So when he's talking internally I guess and with colleagues um using IT security and talking externally trying to engage with the media using cyber security. Um a very common kind of response was the one as soon as someone uses the term cyber I instantly stop taking anything that person says seriously. And lots of people have said that kind of thing to me today when they've been asking what
you're talking about and I'm like uh the term cyber security. um and they will kind of roll their eyes and you know I get like this kind of stuff and um cyber is like the dreaded word. I thought Michelle's point was really valid um because I was saying cyber security probably resonates more outside of the industry. It resonates more with the public. It resonates more certainly with the media. Um and her concern was if that's the case then other sort of less flashy, less technical data loss and information loss. Hello Michelle. um may be overlooked and not taken as seriously. And I think that's a really good point. But I think I would argue that in the industry we delineate
between computer information and say paper information. But I think sort of to people in the media or at home, if a bunch of records are lost, whether they're on paper or whether they're online, um it's the impact that they're interested in. Um, and I tried to talk to some people who said, you know, that they didn't like cyber security. Um, this response here, I'm so happy cyber security is not in the lead. Um, I tried to say, you know, why is that? What is it that you particularly dislike about it? And the main response I got back was that it seems like a hype marketing term. It seems like something that's just a buzzword. Um, maybe used to kind of um,
sort of fear-monger in the media. you know, it's a big like screaming headline cyber cyber cyber. Um, so this is what the community thinks, um, according to my poll on Twitter, and some really interesting, um, and important points were raised. Um, I then asked sort of general public, so I did a poll. I was looking for a thousand responses, but I got 737, so I got a pretty good response. I asked exactly the same question. I actually asked this one first, which is why the terming was probably a little bit clunky, but I wanted to ask the question that could relate to anybody outside of the industry. And what I found probably won't surprise anyone, the term cyber
security resonates the most um with the general public. What did surprise me with the findings after that? So, information security, which is our top response, was last on the list for the general public. It was actually just slightly below e security. E security like I I really questioned even putting that one in because I just thought what is that? But in looking around at terms and in you know in reading up for doing this talk I saw a couple of references to e security. So I thought I'll put that one in as a bit of a joke. And then that's more popular than information security. So that's weird. I didn't put that in the Twitter
one because you can only give four responses. Um, and I didn't think anyone was gonna come back with that. Um, but I think if I'd asked the people of Twitter that, they probably wouldn't have picked e security. And I know you get e-commerce, you know, and email. Um, but that to me seems like a more outdated term uh than cyber security. Second, uh, most popular, as you can see, not far behind cyber security is data security. I don't know if that's because I put data in the question. If I'd put information in the question, maybe I would have got a different response. And this is the problem with doing research is that it always opens up a whole host of other questions. But
what I'm hoping you will take from these last few slides is that the general public relate to cyber security. It's made through kind of the barrier. Um, they relate to it. They think of it when they think of data loss. They think of it when they think of hacking um far more than they think of information security. information security is the least um popular term, the one that they relate to and resonate with the least. So, at the minute, we've got a big gap between what we're saying and what we relate to and what they hear. Why does this matter? Well, language has been around for a very long time, 150,000 years. Um, potentially it's
mainly used as speech and it evolves as we talk. And we know it evolves. We know that language changes a lot and we know that sometimes people don't like this and sometimes this can threaten people. This is why you get people occasionally up in arms about text speak and you know everyone using LOL um and OMG and stuff like that. People worry that language is being destroyed and that you know we had a set language and now we're losing it. But really language naturally evolves um and all sorts of words change. So yeah, cyber meant something different 20 years ago, but the word used to mean someone who was messy and untidy and didn't do housework. So that word's
changed a little bit. Wicked. Wicked used to mean someone who was actually evil. Um, same with sick, you know. So words change a lot and evolve. And when we say something, it is always ambiguous. You can say something and it can easily be misinterpreted. So when you're trying to communicate something, what you're actually always doing is you're relying on mutual knowledge and understanding. If you're not doing that, then you're just talking and people aren't going to be listening. So, if you are what is called a cooperative speaker, then you need to think about how you're crafting what you're saying in a way that bears in mind the listener, what they've experienced so far, what their assumptions are, what
their knowledge is, what their interests are, how you can phrase what you're saying so that it will actually get through to them. And I think I read some stuff that kind of said when you're speaking you are automatically thinking how can I get my message heard? How can I say something to make sure that people actually engage with it? And I think you usually are thinking that. You're either thinking that or you're thinking how can I impress the person that's listening to me? And you have a choice of either making yourself heard and probably still potentially impressing them, but how can I make myself heard or how can I sound impressive and knowledgeable? How can I
either bring them in or shut them out? And that's what language does. It either engages with people or it puts them off. And what we need to remember when we are communicating is we are talking on kind of three levels. When we are in an industry and we're trying to communicate a message or we're trying to change behaviors or we're trying to drive some change, we're doing that with individuals. So, we're doing that kind of one-on-one with people. We're also trying to do it with organizations. We're trying to shape the way organizations act. We're trying to make organizations more secure. We're trying to make them understand our agenda, maybe give us more budget, um give us more resources, take what we're
saying actually seriously. And we are also trying to change on a higher level than that. So we are thinking about the law and making the law understand what we do, why it's important and how they need to understand and respect what we do to shape laws that are appropriate. So we are communicating on three levels. The micro level with individuals, the meso level with organizations, and the macro level um with governments and societies. And what we're in danger of doing, if we don't shape our language in a way that people understand, and if we don't shape our language in a way that the audience can engage with, then we're not going to effect change in the way
that we want to, we'll just build silos and it will tumble like the Tower of Babel. And if we don't have a frame of reference that is fitting and understood because you may think it doesn't matter whether it's information security whether it's cyber security um I can talk my language and I don't need to be heard but there are many examples where we've seen people thinking that they're being understood people operating in a certain way and that having um extreme consequences when um they aren't actually fully understood. So for example um NASA built a um my example has completely gone out of my head um so I'm gonna move on but basically a frame of reference
distraction where are you Callum I'm going to use distraction from your talk earlier um a frame of reference is really important when we're talking to people because what we're trying to do is shape their choices so we are trying to communicate with individuals organizations and societies in a way to lead them down the right path. And we do that by framing our communications and our language in a certain way. Whenever we talk to people, we are talking with an agenda. And we can either take those people with us or we can close them off. And of course, um when we're trying to effect change, we inevitably have to relate with the media. So the media, as we all know, in
the last couple of years have really engaged with cyber security. they are really interested in cyber. Um they think it's interesting. They think it's a headline grabber. And this is why cyber security stories have risen research suggests by over 400% in the last couple of years. Um and we saw I or I personally saw after TalkTalk last year the effect of the media. So the media really latched on to TalkTalk not because it was such an amazing attack or because the attack itself was um a game changer but because they had a story in the CEO um and how the communications were carried out. Um and after that for me personally I found a massive increase in incident response
people interested in how to craft their incident response plans in doing incident response tabletop exercises you know in not being the next TalkTalk. So the media has a huge influence um it has an influence with organizations and it has an influence with individuals and the media really love cyber. You are not going to see, as somebody said earlier to me, you know, you're not going to see on the front page um reverse shell. You're not going to see that. You're going to see cyber attack. You're not going to see information security breach. You're going to see cyber breach because it just resonates with people as my research suggested earlier much more than information security.
Why is it that it resonates more with people? Um one reason I think could be down to the fluency heuristic. So heuristics are um rules of thumb. Heuristics are ways of your brain making decisions and going through choices um without really thinking about them. So you automatically do something, make a decision, think a certain way because your brain just kind of operates on autopilot. So there's all sorts of different heuristics um that are quite interesting when it comes to cyber security. Um, and one of the ones that I find particularly interesting when it comes to communication is around fluency. And the fluency heuristic is very simple. It's basically the easier, more straightforward, more concise that you
can explain a message, the more likely you are to effect change. So if you can explain something in a simple but elegant way, then that will have far more impact than if you use technical jargon. Your technical way of explaining it might be more precise, but it won't have an impact. And for me, this really resonates, for example, with two-factor authentication. Two-factor authentication is quite simple and it is pretty effective. But I did some research last year that suggests that um only 80% so sorry, only 20% of people use it. So 70% of people said that they didn't understand two-factor authentication. 80% of people said they don't use it. So, it's simple, it's effective, people aren't using it.
And I think one of the reasons is when you tell people use two-factor authentication, their brain just switches off. It sounds boring. It sounds complicated. It's not a fluent term. And I think this is why cyber security resonates as well. Um, because it sounds people have grasped hold of it. It sounds understandable. It sounds something that they can relate to. So essentially language matters because we're trying to convince people to care about something that they don't understand. There is no point as an industry us working on something on us gathering data on us trying to be precise um and secure if we can't effectively share that with the people who actually make a difference. The people who are actually
on a front line clicking on phishing links, giving away data. um downloading malware. So for me, a bridge has been built and we need to use it. As an industry, we want people to listen to us, don't we? Always complain that we aren't given enough time um and attention and resource in an organization. Well, we can't do that and then complain when they use a term and they're interested, but we don't like that term. So essentially for me it comes down to what is our goal? Is our goal in cyber security about being the most technically accurate? Is it about using terms that for us make the most sense and that we feel are right or is it
about actually enabling the business effecting change making people organizations and society more secure? And I mentioned Chris Ratcliffe earlier with one of his um comments in my response um in his response to my poll and he said what I had basically concluded as well which is that we need a public focus glossary of security terms and resources. We need something like yeah we've got NIST we've got all sorts of um definitions that we can use but they don't really apply to the public. They don't really apply to the media. They aren't particularly relatable or accessible. So, don't we need something that makes this a bit more relatable to the public? Now, you may have heard everything that I have
said today about cyber security and you may still of course think, "No, I hate cyber security." Um, which you are perfectly entitled to do. But while you may hear cyber and think this, when the general public hear your whining about it, they will probably hear this. So I mentioned earlier William Gibson and cyberspace coining the term um in the 1980s of cyberspace and I watched an interview with him as to why he chose cyberspace um and he said he went through other terms data space didn't work and infospace didn't work but cyberspace it sounded like it meant something or it might mean something my whole delight was that I knew it meant absolutely nothing so I
would then be able to specify the rules for the arena. So, you may think that quote contradicts what I've said today um because he said, you know, 20 years ago it meant absolutely nothing. I would argue that now it does mean something, people do relate to it. But also, if to some extent that is still true, if it still doesn't quite mean something, if it's not quite as tangible as it could be, then aren't we the people who should be specifying the rules? If the public and the media have grasped hold of this concept, if we want them to grasp hold of it, if we want to engage with them, then shouldn't we see this as an
opportunity for us to start shaping what cyber actually means? And going back to my bridge metaphor, trying to build and use that bridge um to relate with them. If you have questions or comments, I would love to hear them. um whether you want to make those now or while I'm around today or feel free to email me or tweet me. And um I haven't written up what I've done today yet, but I will write it up and put it on my blog, which is cyber.uk. Uh surprise, surprise. And you can also follow me on all of the social media stuff. Do we have any questions? There is a mic if anyone or comments or arguments.