Our words matter.
It’s an interesting statement for the cybersecurity profession, isn’t it? But it’s true. Technical skills are necessary, as are discipline, curiosity, and good character. And so are our words: they frame the context of our cybersecurity goals.
Researchers Klimburg-Witjes and Wentland, analyzing the language used to discuss socially engineered cybersecurity attacks, find that “in most accounts, hackers were portrayed as criminals who are threatening organizations, though often with a certain admiration of their smartness, dauntlessness, and innovative methods. The employees who could not prevent being attacked, in turn, were framed as naive and even as the bigger risk.”[i] In the three narratives they found and highlighted, users were either 1) ignorant and in need of expert assistance to avoid cybersecurity disaster, 2) victims of unavoidable cybersecurity disaster that even experts fall prey to, or 3) flawed but fixable…and if not fixable, fireable. While these narratives may go a long way in emphasizing the need for cyber professionals, that’s all they do.
Cybersecurity professionals are needed, but our use of language is creating an impossible dilemma in cybersecurity: professionals need employees, really all end-users, to have self-efficacy, the belief that they can maintain healthy cyber practices and protect their businesses. Yet somehow, we try to accomplish this by telling them that they can’t maintain healthy cyber practices without help. Sure, it may sell products. But it doesn’t help cybersecurity in the long run. Even the third option, ‘flawed but fixable…or fireable,’ which at first seems fairly realistic (if we weren’t flawed, there would never be mistakes of any kind), is still tinged with an expectation that an expert is needed to fix the flaws. Yes, cybersecurity professionals are needed for penetration testing, patching, and any number of technical issues relating to data privacy and protection. Cybersecurity professionals are not required for self-efficacy, however. That can only be accomplished by the individual. Regardless of what makes a good selling point, as cybersecurity professionals (or future cybersecurity professionals), let us remember one thing: our words matter. The way we build our cybersecurity narrative dictates what our customers and community believe is possible in cybersecurity.
It is possible to maintain good cybersecurity practices without expensive expertise. It is possible to change habits and organizational culture to protect our data. It’s why we believe so strongly in hosting our free lunch and learns—not because the expert is needed to make organizations enact change, but because the basics and fundamentals are incredibly easy to access and implement. We believe in self-efficacy, and you can too.
[i] Klimburg-Witjes, N., & Wentland, A. (2021). Hacking Humans? Social Engineering and the Construction of the “Deficient User” in Cybersecurity Discourses. Science, Technology, & Human Values, 46(6), 1316–1339. https://doi.org/10.1177/0162243921992844