Are bad analogies killing your security training program?

CSO, from IDG – J.M. Porup
The communications barrier security professionals face is not unique, even in recent history, he says, and we can learn a lot from how Steve Jobs used analogies. “Before Jobs introduced the Mac in 1984, computers were alien and inaccessible to the vast majority of people,” he points out. “Steve Jobs used the analogy of the desktop, and friendly digital icons of tools that people already knew how to use: documents, folders, scissors, trash cans, and so forth … and that interface suddenly enabled millions of people to use computers.”

Jobs didn’t invent the analogy, of course. Xerox PARC did, but Jobs recognized the potential of the analogy and used it to design the first commercially successful personal computer with a desktop interface: the Apple Macintosh.

The librarians weren’t getting it, Hallas says. Why should we care about backups? What’s the big deal? Why all the fuss? That’s when, he says, the security trainer pulled out the big guns: an analogy that would get their attention, was targeted to the audience, and motivated the audience to care. The Library of Alexandria, the trainer said, was one of the great wonders of the ancient world, and all was lost because the library didn’t have backups. Jaws dropped open. The librarians got it. That’s the power of analogy, Hallas says.

No analogy is perfect, and taking any analogy or metaphor too literally will turn out badly. Pollack cites the example of the “three strikes and you’re out” mandatory sentencing guidelines common in the U.S. criminal justice system, which puts many non-violent offenders behind bars for life.

Analogies are meant to enlighten, he says, but should not be taken as gospel. That’s why training audiences to think critically about analogies is as important as finding the right security analogies for that audience. One way to do that is to use multiple security analogies at the same time.

Hallas’s Analogies Project is doing just that by collecting analogies, metaphors and stories that help enlighten non-technical audiences about information security. “One of the things about the Analogy Project is to get as many people as possible finding security stories in everyday life around them,” he says. “Is [a given analogy] an accurate reflection of information security? Does it matter? Now you’ve got their attention. That’s a real problem we face, just getting attention.” Security professionals tend to come from strong technical backgrounds, with less experience in people management and other “soft skills.” However, since security training has the potential to improve an organization’s security posture significantly, Hallas wonders aloud whether the way we educate and certify security professionals may be flawed.
Link: https://www.csoonline.com/article/3250089/security-awareness/are-bad-analogies-are-killing-your-security-training-program.html
