Are cybersecurity pros their own worst enemy? -TEISS® : Cracking Cyber Security
The older and more educated we get, the more we forget how we used to perceive and interpret the world around us. I use an embarrassing personal story to illustrate how a senior colleague’s perfectly sound warning can come across as meaningless gibberish to an innocent and inexperienced junior colleague.
It’s accepted as fact that we cybersecurity people have a bad habit of confusing and alienating our users. I’ve been hearing it said since Windows NT was new, and very little has changed since.
The abiding perception is that security boffins are – by necessity – so over-educated in our technical discipline that we’re incapable of communicating effectively with ‘normal’ people. That’s … well … exaggerated. It’s not, however, wrong. Sometimes we can be our own worst enemies.
I’ve spent years studying this problem, and I largely attribute it to people’s natural inability to remember how they used to define terms and concepts before their understanding was broadened through education, training, and experience. Every time a person ‘levels up’ from one maturity level to the next-higher, the new terms and definitions that they learn tend to ‘overwrite’ the terms and definitions that had served them previously. That makes sense; a rational person wants to use the best possible information to make decisions. There’s little value in keeping inaccurate or incomplete terms in memory when those terms no longer serve a practical purpose.
The problem with that approach is that the people we support – our users – don’t all ‘level up’ alongside us. They often still use language and work from concepts that we in the Security world have long-since abandoned. So, we increasingly talk past our users rather than to them. That practice leads to confusion, misunderstanding, and (occasionally) resentment. Not the right way to warn people about hazards and countermeasures.
By way of example, I offer you a story centred on me being a gormless idiot.
If I ever publish an autobiography, it’ll most likely be shelved under ‘comedy’ and Adam Sandler will option the film rights for it.
For my 6th birthday, I was taken to visit my grandmother across town for an overnight visit. Looking back on it, my parents probably gave themselves a birthday present by getting a noisy little twit out of the house for an evening, but that’s immaterial. To my mostly-still-five-year-old brain, a chance to go see Grandma was a treat. We didn’t have videogames back then; simpler times, etc.
This was a relatively new experience, as I recall, since my family had only recently relocated to my grandmother’s home town. Does that matter? Yes. I’d been to my grandmother’s house before, but I wasn’t familiar with it. I didn’t know, for example, that her house was heated in the winter through ducting set under the floor (unlike modern American houses where most of our ducting is installed in the ceiling). We’d moved to Grandma’s town from Michigan, a wintery state up near distant Canada where most household heating (in my limited experience) was handled by old-fashioned radiators.
This meant that my still-for-all-practical-purposes-five-year-old brain was well-trained to recognize radiators as a source of pain. I knew what they looked like. I knew what they felt like when they were active. Most importantly, I knew to stay well away from them. I did not know what the heck ‘floor vents’ were. Those didn’t exist in my mental model of ‘how houses work,’ and I wasn’t at the stage where I could logically extrapolate facts about home construction.
I’d been warned to watch out for ‘vents’ in Grandma’s house during previous visits. I’d even noticed one in her living room, but I’d only been near it during summer. Yes, I knew that it was a peculiar metal grid-thingy on her otherwise-carpeted floor; beyond that, I didn’t know or care what it was there for … or what it could do.
Come to think of it, I don’t recall having encountered an outdoor barbeque grill until years after that floor vent encounter. That association would probably have registered.
You can see where this is going, right? Right. So could my parents. They’d properly warned me to ‘stay away from the vents’ but their words didn’t register with me because not-really-six-year-old me couldn’t conceive of those silly little grid-thingies being important. What I heard was a meaningless and arbitrary prohibition … which I immediately ignored.
Later that evening, I was running pell-mell around Grandma’s living room having an absolute blast. I’d taken my shoes off (as instructed, so that I didn’t get mud on her fine carpet). I’d gone sockless for some reason, too, which seems like an odd thing to do in the winter, but … still-near-as-makes-no-difference-five-year-old me didn’t seem to mind.
During my loops around the living room, Grandma warned me repeatedly to ‘Be careful around the vent!’ The message didn’t register any of the times that she said it. What she meant to communicate was ‘Since it’s winter, my furnace is on. That means some really hot air is coming into this room through that floor grate. The hot air heats up the metal grid. Metal retains heat. If you step on that grate with your bare foot, you’ll burn yourself something awful and it’ll hurt a lot. So, stay a good distance away from the grate!’ Sound advice, that. What dumb-as-a-hammer-just-that-morning-turned-six-year-old me heard, on the other hand, was something like ‘Don’t trip on the metal vent. If you trip, you’ll fall, and falling can hurt.’
I won’t draw out the scene any further. I ran through the room, saw that I was on an interception course with the floor vent, made sure that I’d step on it squarely so that I didn’t trip and fall (per Grandma’s instructions!) … and burned the ever-loving heck out of my unprotected sole. It wasn’t quite ‘hissing of grilled fajita meat’ dramatic, but I made up for that with some of the best stuck-in-a-bear-trap howling that a just-promoted-to-six-year-old imp can manage.
I got grilled the next morning about why I’d disobeyed Grandma. We worked out the usual I-heard-what-you-said-but-didn’t-grasp-what-you-meant error and realized that simply naming a thing (like ‘the vent’) doesn’t convey any relevant context or actionable threat information to someone who isn’t familiar with said thing. Further, counting on an inexperienced listener to extrapolate meaning from environmental clues alone is unrealistic. Especially when he just turned six the day before.
I did get a styling improvised crutch out of the experience, so there’s that.
How does this story pertain to Security Awareness? Replace the ‘heating vent’ idea with ‘hyperlink,’ the ‘don’t step’ warning with ‘don’t click,’ and the ‘roaring furnace heat’ threat with ‘cross-site scripting’ and you have yourself a perfectly normal – and equally useless – warning from the security department down to an end user. The result is the same. You holler at your users ‘Don’t do the thing!’ and – unsurprisingly – many of your users hear something completely different. Instead of changing their behaviour, you’ve only confused them. They’re no less likely to get tricked by a clever phishing attack. If anything, you wasted your users’ time and possibly made some of them resent you. Not the desired end-state, is it?
I’m not suggesting that you treat your users like they’re just-turned-six-year-olds. That’s bloody condescending and inappropriate. Rather, I am suggesting that you tailor your security warnings and instructions to suit your audience’s work experience, level of technical sophistication, and familiarity with security foundations. Don’t ever assume that the people you’re responsible for have the same working dictionary that you and your engineers do. Give your people the mental models and analogies that they need to establish a working context for your warnings.
More importantly, ask a small sample population of your users to explain your warnings back to you in order to confirm that they actually understood what you were trying to convey. Odds are, what your users heard is not what you intended. Rather than get frustrated, figure out what’s missing from the explanation, re-work your pitch, and go try again. Make sure that your people understand your core message accurately before they’re let loose to run fearlessly onto their own metaphorical sizzling-hot floor grate.
For my Security Awareness brethren: self-deprecating true stories can be a great way to convey new ideas to your users. They don’t embarrass anyone but you, so they’re non-threatening. More importantly, people are far more likely to remember and share them (if they’re funny).
Pun very much intended, thank you.