The New School of Information Security

In this chapter excerpt from "The New School of Information Security," authors Adam Shostack and Andrew Stewart explain why the use and abuse of security language calls for a fresh and innovative way of thinking.

The following is an excerpt from the book, The New School of Information Security . In this section of Chapter 7: Life in the New School (.pdf), authors Adam Shostack and Andrew Stewart explain why a fresh and innovative way of thinking is the only way to truly address today's information security challenges.

The Use and Abuse of Language

The New School of Information Security

Authors: Adam Shostack and Andrew Stewart

Official Addison-Wesley book page
A great many of the words we use when discussing security, including trust, threat, risk, safety, privacy, and security, can have multiple meanings. Each is evocative and carries with it cultural baggage. We often find ourselves talking past each other because of the inexact nature of these terms. This is not an argument for prescriptivism in language. Languages are successful when and because they are vibrant means of communication. If we can think and speak clearly, we can do so in spite of imprecise terms. If we can't think clearly, having precisely defined terms won't help us.

Describing a product as "secure" reinforces the fallacy that security is somehow a binary value... That kind of black-and-white distinction works with, say, pregnancy, but not for security.
Language can be abused, and it is abused. Chapter 2 discussed some of the sales tactics used within the commercial information security industry. Describing a product as "secure" reinforces the fallacy that security is somehow a binary value—that something can be either "secure" or not. That kind of black-and-white distinction works with, say, pregnancy, but not for security. Without active intervention, the security of a computer system degrades over time. This happens because new vulnerabilities emerge that can affect it, and because of a process akin to natural decay in which operational changes become security issues. Something that is "secure" can at the most only be said to be "secure right now." What is "secure" today is unlikely to be "secure" tomorrow. Another example is referring to certain security architectures as having an "assured" security model. In fact, no security can unequivocally be "assured." In cryptography, a debate is raging over the use of the term "proven," for much the same reasons.

Some security practitioners understand that when they refer to something as "secure," they are implicitly including an unstated corollary of "...depending on this, that, and the other thing." Trying to define this, that, and the other thing—the external factors on which the security depends—is a game of infinite regression. The term "secure" might be seen as a simplification to cope with the situation's inherent complexity. This abstraction makes it easier for people to function practically in their jobs, but not everyone understands that subtlety. The preceding section discussed the challenge of making a system "secure and usable." We spent quite some time discussing a way to say this without using the word "secure." In the end, we decided to hope that you would see it as an example of a place where "secure" is easier to say, while glossing over underlying complexity.

For more on security lingo

Last year's Gartner IT Security Summit analysts gave this piece of advice to attendees: Learn the language of risk.

Stumped on 'pharming' or other IT buzzwords? Boost your security vocabulary.
Security companies often invent new terms for things. "Pharming" is a name for attacks against the Domain Name System. The meaning of "pharming" is not obvious. That makes it a poor name. The same criticism can be leveled against other terms within security, such as "pretexting." This was the technique used to illegally collect information about the Hewlett-Packard board of directors in 2006. Pretexting is actually "social engineering," which is just another word for lying.

Arguments about terminology have been unresolved for many years, and we will not solve them here. Attempts to create strictly defined vocabulary within information security are likely doomed to failure as long as English remains a living language.

Reproduced from the book The New School of Information Security Copyright [2008], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.
This was last published in May 2008

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.