Is Cyber Security simple?
When you read anything about security, security awareness or training, a lot of the messaging will tell you it’s easy or simple: “Just do these things to be secure!” But is that true, and why do we use those words?
I have worked in the world of Cyber Security for almost 10 years. My area of interest and expertise is in trying to understand how people interact and engage with security, and in being considerate of the multi-faceted approach many people put in place to fit cyber security into their lives. Part, if not all, of that job is to ask: is what you expect possible? Does it make sense? And does it fit into people’s everyday lives?
I am known for being quite challenging, in a helpful manner, by testing assumptions and asking questions. I have known many people across security who want to change things. Yet I am perplexed by the volume of content created within Cyber Security that is obsessed with particular words and language.
The words that stand out to me are EASY and SIMPLE. We constantly tell people that the cyber world can be boiled down to a few simple or easy steps: if only you did these simple things, you would be secure. But we all know that isn’t true. Security messaging has become so integrated into our society that we see jokes and TikTok videos poking fun at the fact that the messages we give don’t make sense, or are confusing. And yet we still imply ‘come on, it’s easy’.
So where does this issue come from? What I have experienced through my career is a constant mismatch between those wanting to translate security into something for people and the constant drive for behaviour change and metrics (I will leave my thinking on this for another time). The end goal of comms or security training rests on the belief that you can just change behaviour, without really giving any thought to what that statement means: what it implies, how long it takes, and whether you are really considering the people involved. It’s often a bland statement such as ‘we will change people’s behaviour and the culture in the process’. But this is a big claim, one that takes real strategic, long-term planning and thinking. The odd message telling people “it’s simple, just update your devices” really is not having the impact people think it is.
I say this because, as a profession, we believe we can boil everything down to the idea of simple or easy, as if that were a motivator. But it’s not, and we know it’s not. We know that people don’t enjoy talking about security that much and often struggle to implement many of the solutions we claim will solve all problems. We also know security is not perfect, and that we ourselves mix and match approaches to fit our own security wants and needs. So are we really painting a true picture of cyber security?
I always ask myself: why can’t we be more considerate of others? Is it that security professionals are unwilling to admit it’s actually quite hard, or do people truly believe that because it’s easy for them, it must be easy for others?
I could discuss this topic for hours and hours, but I want to leave you with a couple of thoughts. Security isn’t meant to be for security professionals; it’s not there to make us feel better, it’s there for other people. It’s there to support people’s or an organisation’s goals, either in the background with technology solutions that hopefully help keep people safe, or through some form of training or comms that helps them feel safe, with words and actions they can really carry out.
Telling people something is easy doesn’t make it easy. It doesn’t build capability or knowledge.
An example: the idea of updating. Is that really as easy as is often implied? Is it truly an easy task for most people to do, or does it always require some thought, consideration, time and an understanding of what could happen once the update is done? Decisions have to be made: can my phone update, or is it too old? I don’t have any space left, so what should I get rid of? If I update now, will it change some features I like? I can’t update now, I am doing something else and it’s a distraction. These are just a handful of the questions people have and decisions they go through before updating. Don’t even get me started on the issues of telling people to update when they are working inside a managed infrastructure and have no control over whether they can actually perform the action. That is just one piece of advice; can you imagine the questions when setting up 2FA, which isn’t even called the same thing across services (two-factor authentication, two-step verification, multi-factor authentication, and so on)?
So we have to be a lot more realistic in our expectations and a lot more considerate with our language. If we aren’t, we will always fall back to believing things are easy and that it’s everyone else’s problem that they can’t be secure, always assuming we have done enough and pushing things over the wall without thinking of the ramifications. But we can do better, and we should strive to do better. Our job is supporting people and translating our work into something people can actually do, helping them feel confident enough to take part and then perform the action, with the aim of building confidence and capability in people.
Our job is not to stand on our high hill looking at others and hoping some day they will come to visit. They won’t, they don’t; they are busy people with other things going on in their lives. So how do we bring ourselves to people in a useful way? How do we stop ourselves making random lists and declarations of actions that are actually difficult, awkward and not straightforward to implement? Instead of declaring they are easy, we should move to a place where people can relate to what they are being told (I don’t mean care, that’s an entirely new post), where the information is concise and helpful, and where it will improve their security and their protection. Finally, this isn’t about making them into security experts either; it is about how we fit into their worlds better and listen to what they have to say.