Photo by Sir Jester
At BSides London 2016, I gave a presentation on a topic I’ve been thinking about for a long time: why we should embrace the term ‘cyber’.
There’s a tendency for the industry to roll its collective eyes at the term cyber. There’s an unwritten rule that it’s not credible, that it’s a buzzword which means nothing and is used by people who don’t really belong in the field. Actually, it’s not an unwritten rule at all: you see references to it in memes and tweets all the time. Obviously, as someone who describes herself as a ‘cyber security consultant’ and publishes on this domain name, I don’t subscribe to that view. I wanted to speak at BSides about why, and why I would like more people in the industry to consider embracing cyber, too.
We have many terms for what we do. Information security, cyber security, information assurance, data security, IT security; the list goes on. While they all technically have their own definitions, as consulting NIST will confirm, we often use them interchangeably. In different contexts and speaking to different people, the terms get muddied and even contradict themselves. Only one of the terms is in the dictionary:
Words go in the dictionary when they’re used a lot. Only one of the different terms that we use to describe what we do has gained enough traction outside of our industry to go in the dictionary.
The history of cyber
Cyber is perceived to be a pretty new word, and is often accused of being a word which means nothing. In fact, it actually has quite a long heritage:
- In Ancient Greece, the term kubernao was used to mean “steer a ship”
- The Latin kubernetes gives us “cybernetes”
- The Romans turned kubernao into guberno, from which we get “govern”
- Plato used “kubernetika” to mean skill in steering
- In the 1940s the American mathematician Norbert Wiener used “cybernetics” to mean “control and communication theory, whether in the machine or in the animal”
- In the 1980s, William Gibson coined the phrase ‘cyberspace’ in his short story Burning Chrome; it became popular after he used it again in Neuromancer
The association of these terms with cyber and cyber security is obvious to me: cyber security is about governing information, it is about where humans and machines meet.
For the presentation I didn’t want to simply rely on my own assumptions and biases, so I did a couple of surveys to explore the terms which resonate most with people.
To elicit the opinions of my peers, I did a Twitter poll. I was relying on the fact that most of my followers work in the industry, and most of their followers – if they retweeted it – probably do, too (according to my Twitter analytics, 89% of my followers are interested in tech news, 76% in technology and 67% in network security).
Which of the following terms do you use to mean protecting against hacking and other data loss? (Please RT!)
— Jess (@drjessicabarker) June 6, 2016
The poll got a good response: over 8,000 impressions, 403 votes and a fair bit of discussion. Thanks to everyone who voted in it, commented on it and shared it. The wording of the question is of course open to criticism (it could have been more precise / it could have been more general) and I’m relying on the assumption that most of the people who responded to the poll are involved in, or identify with, the industry. I’m happy with those caveats and feel pretty confident that the poll is a good reflection of the industry, in which most people identify with the term ‘information security’ (over twice as many as ‘cyber security’).
As much as I was interested in the poll results, I was also keen to hear people’s opinions. Some which stood out to me, and summed up what others had to say, were:
@drjessicabarker @CarlGottlieb They all mean the same thing, and different things. That's confusing.
— Chris Ratcliff (@chrisratcliff) June 6, 2016
@chrisratcliff @drjessicabarker Personally I only use cyber when providing headline marketing info, and info/ITsecurity all other times
— Carl Gottlieb (@CarlGottlieb) June 6, 2016
@drjessicabarker As soon as someone uses the term "Cyber" – I instantly stop taking anything that person says seriously
— undefined (@robertmain_) June 6, 2016
@drjessicabarker @StegoPax It seems to me as a hype marketing term that creates a dotcom like #infosec bubble that will eventually burst.
— Not A Security Guru (@NotASecGuru) June 6, 2016
I also did a survey with the UK general public. I asked the same question and got over 700 responses:
So, based on 737 responses, cybersecurity* was the top response. Information security, in contrast to the Twitter poll, was the least favourite response. Most tellingly, it was less popular than e-security, which I put in on a bit of a whim (it was omitted from the Twitter poll because you can only give four answer options on Twitter). I have never heard anyone use the term e-security, so to discover that it was ever-so-slightly more popular with the general public than information security was pretty surprising.
Why does it matter?
If research tells us that the industry and the general public use different terms to refer to the protection of information, does that matter?
I think so.
Language has existed for perhaps 150,000 years, at least 80,000 years – it is mainly used as speech, evolving as we talk. Language changes a lot, from Ye Olde English to textspeak. There are many words we use now which used to mean something completely different. So, for people who resist the use of ‘cyber’ because it meant something altogether different 20 years ago, I would say: that’s the nature of language, it changes. When we say something it is always ambiguous and when people speak, they do so with the intention of being understood by the listener, or perhaps to intimidate and impress. Language relies on mutual understanding and cooperative communicators consider the listener’s assumptions, knowledge and prior experience.
In our industry, we are trying to engage with, and change the behaviours of, individuals, organisations and society. At the micro, meso and macro levels, we want people to listen to us more. We want individuals to better protect themselves, for example with password managers, two-factor authentication and taking care of what they post online. We want organisations to be more responsible with the data they are entrusted with, we want them to build security into their products and give us the resources we need to do our jobs. We want the media to understand what we do so that the most important messages are represented, which helps us communicate more effectively with individuals and organisations. We want the law to reflect the realities of our jobs and the challenges we face, and the justice system to punish people intelligently and appropriately (i.e. criminals not researchers). If we truly want those things, then we can’t afford to reinforce silos of communication where everyone speaks a different language and fails to understand one another.
In psychology, heuristics are simple rules of thumb that explain how people make decisions and why they act in a certain way. The fluency heuristic explains that the more clearly, skilfully and elegantly an idea is communicated, the more people will engage with it. The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than ‘information’ or ‘data’. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using ‘cyber’ will help us do that. A bridge has been built, and I suggest we use it.
William Gibson has spoken about the process he went through in coining the term cyberspace:
“Data space didn’t work and infospace didn’t work but cyberspace! It sounded like it meant something or it might mean something… My whole delight was that I knew it meant absolutely nothing so I would then be able to specify the rules for the arena”
Cyber is here to stay. We have a choice as an industry whether to keep trying to resist and undermine it, or whether to embrace it, engage with it and start shaping the rules of the arena ourselves. Otherwise, we can continue allowing businesses, governments and the media to define it for themselves.
*Notes: I haven’t tackled the fact that sometimes we use ‘cyber security’ as two words and sometimes (and in the dictionary) ‘cybersecurity’ as one word. As a habit, I have always used the term as two words and in the public survey it was a typo / auto-correct error that I compounded them. An interesting thought was raised by someone at the end of my presentation: ‘information’ and ‘security’ have many meanings and can be applied to many contexts. ‘Cybersecurity’ has one meaning. This seems like a very valid point to me and, combined with the fact it’s the term used in the dictionary, is making me think I should compound the words in future.