The Analogies Project – Giving us time to evolve our cyber senses…

I am pleased to have been able to contribute to the Analogies Project once again. For those who have not come across it, this is an exciting initiative set up by Bruce Hallas to help demystify information security and its component parts.

The Analogies Project has a clear mission: To tackle the unintelligibility of information security head on and secure the engagement of a much broader audience. Its aim is to bridge the chasm between the users, stakeholders and beneficiaries of information security and those responsible for delivering it.
Through a series of innovative initiatives the Analogies Project will enable information security professionals to effectively communicate with their chosen audiences. The content will be delivered through a variety of alternative communication techniques, media and partners. (Analogies Project)
This has added to previous contributions so the list now stands as follows:

For me the challenge that we face lies in the fact that in its native form, the cyber environment is intangible and invisible to human beings without the aid of tools. This means that the senses that we have evolved so successfully to defend ourselves over millennia are unable to help us without complex tools to translate what is going on for us. Our brains are not naturally tuned to deal with this environment.

In short, we have created a technological environment that we have not yet evolved, as a species, to survive in without help.

Simplistically, this is one of the reasons why so many surprisingly poor decisions are made by otherwise sensible and often wise people (most security breaches are the result of one or more decisions made at some level, often in good faith, by people at some stage in a system lifecycle). Most in the industry know that really good cyber operatives cannot be trained to be effective at anything more than a baseline level – they do need to be trained – but this is not enough. They only become really good through intense experience and ongoing practice. As an example, a really good penetration tester, consultant, log analyst or forensic investigator develops a 6th (or should that be 7th) sense which enables them to sense a problem or issue before they actually find it. It is this instinct which enables those at the top of their game to sense what goes on. Most of us don’t have this – as we spend most of our lives doing other things.

For the rest of us, it is merely important to acknowledge areas where we are vulnerable and attempt to manage them in as pragmatic a way as possible. This is where the power of the analogy can be critical. If we can equate security events to tangible and visible situations that we have the experience and ability to manage, we can go some way to engaging the incredibly powerful survival and risk management skills that we, as human beings, have evolved over millennia.

The Human Race have been fighting wars, farming and dancing (amongst other things) for millennia – and we have (in some cases) become pretty good at them.  I speak generically (knowing that there are many people reading this who may have issues with my assertion that their fathers are competent dancers!!).

If we can engage some of the native skills that we have evolved over generations and deploy them in this new and difficult environment, then we might just make our lives easier and safer. For me, this is the point of the Analogies Project and why I am thrilled to invest valuable time in supporting it.

These are pretty wide ranging in context, though most have been used in client or public facing situations, to explain aspects of Information and Cyber security to people who have other priorities. For me, the principal challenge for all of us working in this area is to enable everyone to play their part in the information security battle – and yes, we all have a part to play! Contrary to initial appearances, it doesn’t need to be difficult; much of the time it is simply about understanding what is going on around us.

It will be interesting to see whether future generations develop a more intuitive understanding of information and cyber risk – only time will tell. I suspect there is much scope here for those scions of the academic community to conduct extensive protracted research into this area(!)

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.
