USENIX Enigma 2023 - The Slippery Slope of Cybersecurity Analogies
USENIX Enigma Conference

Published on Feb 22, 2023

The Slippery Slope of Cybersecurity Analogies

Josiah Dykstra

Cybersecurity is rich with analogies, from keys and locks to Trojan horses. We look for the “needle in the haystack” and “evict malware resident on our systems.” We debate “baked-in” versus “bolted-on” security. We do not mean all these things literally, of course. The language and analogies we use in this field are borrowed from many different domains. Analogies can help explain basic cybersecurity concepts, but too often they omit or overgeneralize important details. They can mislead, sometimes deliberately, because the experience they purport to connect might be out of proportion. Despite their shortcomings and imprecision, using an analogy or an abstraction might be helpful in appropriate situations. Using analogies, abstractions, and metaphors shapes technology’s development, practice, and policies. The analogies are more than simple figures of speech. They have a normative dimension; sometimes, they can be used to help the imaginary shape reality. This talk explores the use and misuse of analogies and metaphors across cybersecurity. We consider analogies from the physical world, medicine and biology, war and military, and law before discussing tips for avoiding pitfalls in using analogies and metaphors.

View the full Enigma 2023 program at https://www.usenix.org/conference/eni...