Lessons from pest control: Why the popular metaphors in cybersecurity are broken
To many people, cybersecurity is highly abstract stuff. So it is no surprise that, when talking about cybersecurity, people use all kinds of metaphors and analogies.
These analogies help to make the subject more vivid, but inappropriate analogies can give rise to an inaccurate understanding of the topic. And the cybersecurity field is struggling with a lot of misconceptions. So, what’s wrong with the metaphors used in this field?
It almost seems natural to frame cybersecurity issues in terms of war. People talk of cyber-attacks, cyber defenses, cyber terrorists and even cyber soldiers. Attack maps like this one portray attack data as colored laser beams shooting back and forth, resembling battles from science-fiction movies. And often, news articles about cyber security are accompanied by stock images depicting shields and swords, or hand grenades made from keyboard keys.
Next to the war metaphor, there is the burglary metaphor. Locks, keys and vaults (things that keep belongings safe from burglars) are among the most common symbols used in cybersecurity. Cyber criminals are said to ‘break into’ computer networks. Stock images depict cybercriminals as classical burglars, in a burglar outfit, complete with a black balaclava or cartoony bandit mask.
These two metaphors have a few important aspects in common. War and burglary are both pretty heavy stuff. They are enemy invasions. They are violent. Vivid images of trashed living rooms and invading armies come to mind. These analogies play on our most basic emotions. They probably are very successful in getting people to take notice.
But these analogies also further a certain way of thinking, which may be at the root of many misconceptions in cybersecurity.
The concept you have of the nature of an attack has consequences for the strategy you choose to defend against it. If you think of cyber-attacks as an enemy invasion, you will put all your energy into keeping the enemy out. You don’t want a house that’s only 99% burglar-free. One break-in is all it takes to trash your house and make you feel scared in your own home. So you’ll build walls, buy locks, and guard your entrances. You will feel safe and protected behind these walls. You won’t feel the need to check your rooms for the presence of burglars all the time, because they aren’t supposed to be there (and if they are, you will find out soon enough!).
And indeed, many companies seem to follow this pattern. They heavily invest in firewalls, software and security people. They then almost blindly trust these ‘walls’ to keep their network safe from outside invasions.
But this ‘invasion’ concept of cyber-attacks is very far from daily reality. That one big attack, aimed at you and your base is the exception, not the rule.
Instead, computer networks face an ongoing stream of smaller attacks, and the bulk of these are not ‘invasion-like’ at all. Phishing mails and malware are often released with no specific target in mind. They serve all kinds of malicious purposes, some of which may have nothing to do with the particular network they are infecting. But there are a lot of attacks and attackers out there, and they are constantly looking for holes to get in. With such a constant stream of attacks, it is simply impossible to keep everything out. There will always be something that manages to sneak past the firewall.
The war analogy and the burglar analogy do not seem to capture this reality very well.
Yes, you are attacked, but (most of the time) not by dedicated human enemies like soldiers or burglars. The majority of cyber-attacks are akin to pests. Like primitive creatures, they randomly swarm around, attacking every food source they can find. They are not necessarily interested in emptying your vault, but they may steal your food supplies, build a huge nest in your garage or give you some very nasty diseases, so they can do quite a lot of damage.
Even if you are the victim of a targeted hack, often, it won’t be anything like a ‘real’ invasion. You most likely won’t find a trashed house or armed strangers standing in your living room, scaring the living daylights out of you. Probably, you won’t even notice that something is wrong. It’s like a very sneaky pest infestation; it takes the trained eye of a professional to see what’s going on.
So there’s the problem. If you think in terms of blunt force, of soldiers and burglars, while it’s actually sneaky pests you’re up against, your defense strategies probably won’t be very successful. The metaphor of pest control might be a much better guide for thinking about cybersecurity. What lessons for cyber security can be learned from people who deal with pests?
1: People who deal with pests are well aware of the fact that 100% safety does not exist
Everyone who has ever had mice in their kitchen knows that, no matter how many holes you find and close, there will always be that one hole that you didn’t think of. There is a lot you can do to keep most of the pests out, but it is simply impossible to stop them all. Good enough is good enough here. Striving for 100% safety is a waste of energy.
2: They focus on minimizing the damage instead
If something manages to slip past the firewall, that’s often not the end of the world. Remember, you’re mostly dealing with pests here, not with an armed enemy invasion. All that matters is whether you catch the pest in time, before it does any major damage.
3: They defend their house, on the outside and on the inside
When you know that a 100% pest-free building does not exist, you also know that it’s not smart to rely on the outside walls only. You always assume that something probably managed to get in. So next to closing entrance holes in your walls, you also place traps inside the house and lock away your food in metal bins. In the same vein, blindly trusting your state-of-the-art firewall isn’t enough to protect your computer network. The network needs protection from threats on the inside too.
4: They know that pest control requires an ongoing effort
Tiny rodents and insects are, in some respects, much more of a headache than human burglars. Not only is it easier for pests to get into your house than it is for humans, it is also much more difficult for you to detect their presence. If you want to protect your stuff from bugs, you’ll have to actively keep monitoring your house for signs of their presence.
If it were only burglars you had to worry about, a one-time investment in some high-quality doors and locks would (in most cases) do the trick just fine. When it comes to computer networks, a one-time investment in security software won’t do the trick ‘just fine’, considering the many pests there are out there. Keeping a network secure requires an ongoing effort.
So maybe, it is time to do away with the old war and burglary metaphors. These metaphors may have had their use, especially when it came to grabbing people’s attention for cybersecurity issues. But they are also the source of many myths and misconceptions. The pest control metaphor may be a much better reflection of how most cyber-attacks actually happen. And bugs can be pretty creepy too…
Do you agree that the popular metaphors in cybersecurity are unhelpful? And do you think that a ‘pest metaphor’ is more appropriate?