Cybersecurity metaphors: from simplifying complexity to promoting bad decisions
About what wars and burglary have in common, and ways to achieve long-term health
Metaphors as a way to simplify the complexity
Cybersecurity is a complex discipline, and its complexity is continuously increasing following the increase of attack vectors, technologies, and the resulting number of cyber incidents. The human mind, on the other hand, does not like complexity. It is continuously looking for patterns, familiarity, and heuristics to make sense of the increasingly complex world surrounding us.
This is where metaphors come in. Metaphors abstract complexity by drawing a comparison between complex unfamiliar systems and simple familiar images, thereby making it easier to grasp abstract concepts.
Metaphors in cybersecurity
Cybersecurity vocabulary is a fascinating area to explore. From DMZ to whaling and worms, we are surrounded by terms that have been adapted from other areas of life. While there is a virtually unlimited number of cybersecurity metaphors, I would like to highlight the two most common ones.
The Burglary Metaphor
How it goes: Cyber criminals are the 21st-century burglars looking to “break into” the house/safe/castle, and take all valuables they can find, including money and information.
Villain: attacker looking to break into the home/safe/castle, etc.
Who is responsible for defense: the owner of the home/safe/castle, etc. (businesses, organizations, and people)
Reality: Not all cyber attacks are financially motivated. Unlike a castle fortress, which can often be examined and tested, security flaws and vulnerabilities are not always visible to security professionals. Technology products consist of millions of lines of code, and each line is a potential way in. Imagine if any one faulty brick in a 100-foot thick, 100-foot tall fortress wall could mean complete destruction of the whole castle. Lastly, it is easier to identify a person or a group of people who broke into the castle than it is to catch an attacker accessing a system remotely and masquerading as one of a hundred thousand legitimate users.
The War Metaphor
How it goes: We live in a time of cyber war. Every day there are millions of cyber-attacks that need to be prevented, cyber terrorists that need to be stopped, and cyber defenses that need to be put in place. The threat is imminent, and everything is at stake — human lives, critical infrastructure, as well as the country’s sovereignty and security.
As some nation-states are continuously investing more and more to grow their cyber capabilities, a war metaphor has become the most widespread.
Villain: an army driven by the desire to take over
Who is responsible for defense: the government and national military
Reality: The war metaphor implies a loss of human life and catastrophic destruction which, while both possible, have not yet been observed as the main forms of losses. The war metaphor puts decision-makers in a state where the urgency of response appears more important than holistic assessment and planning of the defense capabilities.
Challenges with cybersecurity metaphors
Metaphors lead to an inaccurate understanding of the topic
While metaphors are useful for explaining complex concepts at a high level, they are always an oversimplification of reality — a fact that if ignored, can lead to an inaccurate understanding of the topic.
Let’s imagine a person does not understand the complexity of security, and someone uses the castle metaphor to explain it. Now, the same person, who still has no idea how to actually secure an organization, may develop a very strong opinion and start insisting on very specific suggestions based on their deep knowledge of fortresses. They may suggest that the team “starts by building the moat” (whatever that means) and “only then builds a watch tower” — suggestions that are disconnected from any real understanding of security.
I find this fascinating because in most other circumstances we do not go that deep with metaphors. If somebody called you a “black sheep”, you are unlikely to get into a debate about how rare the Black Welsh Mountain sheep is, as you understand what the metaphor is supposed to mean.
Metaphors distort reality
Security metaphors tend to shape our thinking and prime how we act in different circumstances — something metaphors were never meant to do.
Security metaphors emphasize a small number of features in an otherwise extremely complex reality and invite people to make important decisions based on this limited, distorted view of reality.
Metaphors offer little actionable advice
While undeniably useful for explaining complex topics to the broad public, cybersecurity metaphors offer little in terms of advice to the people responsible for making decisions — security professionals, policymakers, and business leaders. Even more damaging, they can sway people to make decisions based on what makes sense in the allegorical situation, such as preventing a public health crisis, but not in the actual information security crisis (like the leakage of citizens’ private information).
Metaphors enable vendors to sell more security tools
Security vendors have been taking advantage of security metaphors to argue that the more tools (“weapons”, “traps”, “pills”, or any other) the customer buys, the more likely they are to prevent or respond to a cyber incident.
How cybersecurity metaphors lead to specific decisions: a scientific approach
A number of researchers have been trying to understand how cybersecurity metaphors impact decision-making, including the following:
Cybersecurity as Metaphor: Policy and Defense Implications of Computer Security Metaphors
War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance
When good metaphors go bad: The Metaphoric “Branding” of Cyberspace
I find one observation particularly fascinating: cybersecurity metaphors don’t just simplify the inherent complexity of cybersecurity, but in doing so they suggest specific solutions.
As one of the researchers who looked into this problem explains,
“[Cybersecurity metaphors] prescribe certain types of policy solutions. As generative metaphors, each of these metaphors frames computer security challenges as analogous to another social problem and, in doing so, implies that the most appropriate and logical defensive measures would be those that mirror the steps society has taken to protect against either robbers, wars, or diseases. Each of these metaphors has strong implications for the causes, motivations, and most appropriate protections for cybersecurity threats. These implications range from who is responsible for defending computer systems, who is threatening those systems, and the nature of what is at stake if those threats are successful.”
Source: Cybersecurity as Metaphor: Policy and Defense Implications of Computer Security Metaphors
Another researcher who came to a similar conclusion puts it as follows:
“Metaphors do not just suggest a general approach, as many policy analysts suggest. On the contrary, they can prescribe specific policies: policy-makers in a cyber war must protect their population, avoid attacks on taboo targets, and punish and deter wrongdoers. In contrast, policy-makers in a cyber ecosystem must commit to mitigating systemic risks that threaten this shared environment.”
Source: War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance
My favorite cybersecurity metaphor
The two metaphors discussed above reinforce a violent, fear-based way of thinking, which I think does not give us what we need to build the security of the future. When you think of cybersecurity as a way to defend against a never-ending stream of targeted attacks, it is tempting to continuously increase security budgets, hire more people, and invest in tools to strike the enemy more effectively — something that may or may not result in better security long-term.
As a big believer in first-principles thinking, I often think about the similarities between security and health.
Before I hit my mid-twenties, I wasn’t thinking about health much. I knew that “health is important” but I never needed to worry about it. When I was in secondary school, we’d get an annual health check done, so I knew that if something major happened, I would know. At university, I had other stuff to worry about, so health didn’t feel like a priority.
Looking back, I realize that there are different stages of maturity when it comes to health.
At first, most of us just don’t bother worrying about it. “Nothing hurts so I am sure I am fine” sounds logical, but it may not be. Most diseases are treatable at their early stages, but the problem is that noticeable symptoms often don’t appear until it’s too late. Herein lies the problem: if you just go by the feeling of health and don’t do regular check-ups, by the time something becomes an issue, it will likely be too late.
When we start thinking about health, the first instinct is to look for a “magic pill” that can solve all problems. You can often hear people ask “what vitamins or supplements do I need to be healthy?”. The sad thing is — there is a whole industry catering to this need. Pharmacies, websites selling nutritional supplements, multi-level marketing schemes — you name it, everyone is looking to sell you “the one thing you need to be healthy”.
Some people stay at that level, but others realize that they would benefit from professional advice. At this point, some may see a professional with years of experience and a great reputation, while others — an opportunistic “consultant” who just completed a two-week online course as a “nutritionist and health coach”. Seeing the right professional isn’t a magic bullet; if they recommend taking specific steps — it’s important to actually do it.
Few people develop an understanding of fundamentals and build a lifestyle designed to maximize their chances to live a long, balanced life. Most of those who think about health do so once or twice a year (before the beach season and right after the New Year).
Health is all about fundamentals. You cannot stay healthy long-term unless you pay attention to the multitude of components that all affect your well-being, including:
Sleep (quality, quantity, etc.)
Food (quality, quantity, nutritional value, variety, etc.)
Exercise (strength, cardio, flexibility, etc.)
Habits (smoking, drinking, etc.)
Social connection (sense of connection, sense of belonging, etc.)
These are building blocks, and you cannot focus on a single one at the expense of the rest.
Some people turn to technology hoping that “an app” is going to keep them healthy. It’s all the same need for a “magic pill” but in a digital form. The truth of the matter is that:
Magic pills don’t exist. Some pills can help treat a disease, and these have to be administered by people who know what they are doing, in quantities that are not going to harm other organs, and with consideration of other medication a person might be taking and their pre-existing conditions.
Magic tools don’t exist either. I don’t track my sleep, but I go to bed consistently and sleep for about 8 hours. I am probably better off than someone who sleeps with an Apple Watch but doesn’t have good sleep hygiene.
The right tools can help, but you need to know when to use them, how to use them well, and what their gaps are. I track my food intake with MyFitnessPal, and until recently I would follow the calorie intake goal the app would set for me. After talking to my dietitian, I learned that the app continuously overestimates the number of calories burned when exercising, so I am better off following the goal she sets for me based on my habits, exercise, and lifestyle (which ended up being a few hundred calories lower).
At any point, I will choose to trust a professional with the right tool that helps them make better decisions and eliminate mistakes, over an AI-powered app that promises to “keep me healthy”. At least for now.
Tools don’t replace the understanding of fundamentals. The same MyFitnessPal app I am using tells me most days of the week that I don’t get enough vitamin A. It wasn’t programmed to know that vitamins A, D, E, and K are stored in the liver and the body’s fatty tissues when you consume more than you need. You don’t have to get them every day, and, in some cases, you can live for weeks before stores are depleted.
There are no shortcuts — holistic health requires you to take care of all the fundamental elements. Most importantly, it is highly personal and requires an ongoing effort.
100% health does not exist, nor should you be trying to attain it. Do what needs to be done to be in good shape, schedule regular assessments (better yet — continuous monitoring) to spot any deviations from the norm early, and be prepared to deal with issues when they happen (have good health insurance). It’s not a question of if you will need it, it’s a question of when.
I think the parallels with security are obvious so I will spare you from reading about it in detail.
Problems emerging from the introduction of new technologies demand both creative and analytic thinking. While no one metaphor can fully reflect the complexity of cybersecurity governance and technical measures that need to be put in place to secure an organization, organizations might benefit by talking more about system “health” and less about the latest “attack” in their effort to strengthen security.
Abstracting the complexity of security with the use of metaphors is helpful when trying to explain complex systems and relationships at a very high level. However, when doing so, it’s important to understand the limitations and potential issues with using this approach for decision-making.
And, if you are going to use a metaphor to explain cybersecurity, I hope you will consider using my favorite one.