Photo Credit: NASA Goddard Photo and Video via Compfight cc
Have you noticed how much information security has in common with weather forecasting?
Let me explain the connection under four headings: warnings, ignorance, language and unexpected results.
Recently there was a very serious weather event in Mexico, and the government warned their people of what were expected to be some of the highest wind speeds ever recorded at the heart of a hurricane. This meant the impact would be immense, but also very localised, as this high wind speed was confined to a very small cone. When we see a problem coming in information security, we warn the public, but are we specific enough about the consequences and the actions to take? Do we ever really make it clear how bad the impact will be and where it is likely to hit? If we get these elements wrong, we become the boy who cried wolf, and this leads us to the second issue: ignorance.
I am of course being selective with the use of English, as by this I mean people ignoring the warnings that are given. First, a general warning with no impact will not raise people’s attention. As they say in America, it will not appear on their radar. Secondly, if we get it wrong, predict disaster and nothing happens, then the next time a problem is detected, it is unlikely it will even rate a mention in the news or have any noticeable impact on the users themselves.
Now, one of the strong messages of the Analogies Project is to move away from using jargon. If I told you there was a cirrocumulus front of 1050 barometric pressure about to hit your town, you would probably switch radio stations or channel and look for someone to tell you if it was going to rain and how warm it was going to be.
Let’s be frank, users don’t know a DDoS attack from a Trojan, or a social engineering attack from the use of a rainbow table. They do know they need a long password with capital letters, special characters and numbers, to change it regularly, and not to give out personal details on the phone. Simple messages are more effective. This is doubly so when presenting to C-suite execs who know only as much as they have read in the FT or City A.M. or heard on the Today programme that morning. Stick to simple cause and effect, and keep the detail in your back pocket in case they want to drill down.
Finally, let’s talk about unexpected consequences. During that recent hurricane, the initial warning was for incredibly high winds. However, once the eye of the storm hit the mountains, the cone dissipated and the winds slowed to those of a category 2 storm. All good? No, all bad. Unfortunately, this slowing of the storm and the rising of the ground level meant that the end result was a massive fall of rain, which locally caused mudslides and flooding, and the impact was felt as far away as Texas at the Formula 1 Grand Prix. In InfoSec speak: yes, be specific if you know the payload, but awareness of specific attack vectors is nowhere near as helpful as knowledge of the general principles of personal and professional protection.
We need to make our people good at weathering all forms of storm, not just the hurricane when it comes.