Why do people fail to address security issues? We use the word “technophobe” to describe people who are leery and sometimes fearful of technology, but this is a misleading over-generalization. I believe there is another issue at work.
We use highly specialized language, or lingo, in many areas, including information security. To anyone not familiar with this area, the language can be alienating. But even the “plain language” we use can be unintentionally off-putting.
Language influences the way we think, whether we like (or even realize) it or not. Influencing the way an issue is perceived often becomes an exercise in semantics. Years ago, a study looked at the effect of language on people’s perceptions. When different words – “hit” versus “smash”, for example – were used to describe a scene in which a car impacted an object, observers changed their evaluation of how fast the car was traveling. This study showed quite clearly how language affects even such “objective” perceptions.
But how does this impact our work as security professionals? How does this knowledge improve (or make worse) the process for our clients, our colleagues, and ourselves? Understanding the impact of language on our perceptions of our world, then, is one key to helping others become more willing participants in the security process. But more specifically, how does language prevent people from fully participating in the process?
One deceptively innocuous way is through the use of the word “data” to refer to the information we’re protecting. Clients are often told that part of their job is to “protect data”. The problem lies in the connotation of data as cold, distant, and impersonal. It probably doesn’t help that Data is also the name of a character on the Star Trek television series who is an artificial life form: cold, distant, and impersonal. Data are abstract; they’re meaningless to people’s everyday lives. After all, outside of the tech world, how often do people use “data” to refer to themselves? Data are numbers and letters in a computer, as meaningless as code to the average, non-tech-oriented person.
Reframe it as “protecting information”, though, and it becomes meaningful. People now feel a connection to what they’re being asked to protect. Thus, they assign it a value. Things that are abstract and unknowable have no real value to people; but information is something they feel a connection to. It’s something they can understand, something they can perceive value in. Given the choice (or even if they’re not given the choice), people will not spend their time (which also has value) protecting something they perceive as valueless. And therein lies one of the major dilemmas in information security. Ask someone to protect something that they see as valuable, and they will probably do it even if they don’t receive an immediate reward. Ask the same people to protect something they see as having no value, and their desire to protect it drops dramatically, regardless of the reward you offer them.
Additionally, “data” implies it’s a computer issue, something for the tech department to worry about. It’s “not my job”, but rather part of the mysterious, unknowable (for most) world behind the door marked “IT”. People feel they have enough work to do as it is; if they think they need to learn something more (and a highly technical skill set at that), they’ll resist. So they distance themselves. Information, though, is everyone’s responsibility, regardless of position or department. Everyone manages some sort of information, no matter who they are in the organization.
Language can connect us; it can make us part of the process in ways nothing else can. We need to be aware when we use language that isolates people from the process. Small changes, such as moving from using the word “data” to the word “information” to describe what we’re asking people to protect, might seem a ridiculously insignificant step. But it might be the first step in helping our clients see information security as everyone’s job, and themselves as valuable participants in the process.