Governments and security vendors should represent cyber-threats differently, cutting down on hyperbole and overly dramatic language. This was the message from Dr Victoria Baines, visiting research fellow at Oxford University, speaking during IRISCON 2021.
Baines began by discussing her book, Rhetoric of Insecurity, which analyzed the rhetoric and messaging around cybercrime. In this research, she observed that governments, vendors and cyber-criminals frequently use similar approaches when describing cyber-threats to the general public. “What shocked me when I looked at cyber was that criminals, governments and vendors have a tendency to represent cyber-threats in exactly the same way – which is kind of weird when you think about it!”
These approaches revolve around panic-inducing language to gain attention, tapping into emotions like fear and anxiety. Baines gave the example of how the FBI describes cyber-threats, where words like ‘devastating,’ ‘insidious’ and ‘catastrophe’ are used. She noted these words “literally refer to large-scale physical disruption,” which is often misleading.
Additionally, governments, cyber-criminals and vendors tend to make the threat seem immediate, inducing quick actions. For example, cyber-criminals often use phrases like ‘you must click now’ to entice people to click on phishing emails, or a ransomware pop-up screen will say ‘you need to pay us now.’ With vendors, phrases like ‘secure your everything’ are commonly invoked to encourage the purchasing of their product.
Baines also highlighted the kind of imagery that is used in respect of cybercrime. This includes faceless hackers, crime scene photos, padlocks and cascading zeros and code. In Baines' view, this serves to make the issue remote from people who see it as too complex to try and understand. This creates the perception that “you are powerless; there is absolutely nothing you can do about it.”
An advertisement from a cybersecurity vendor was then read out to the audience. This advert portrayed cybersecurity professionals as superheroes, protecting the public from the forces of ‘darkness.’ Baines said this is not helpful for security professionals, as it places unrealistic expectations on their shoulders, including from board members. “We know those expectations are unreasonable and are having harmful effects on the people in the industry,” she outlined. This includes potentially contributing to mental health issues like stress and burnout.
Amid the ongoing COVID-19 crisis, Baines also pleaded for the industry to avoid the temptation to exploit this situation to induce fear in the public and sell products. She highlighted a recent report entitled ‘Preparing for the Next Global Crisis – A Cyber Pandemic,’ which draws an unsuitable and inaccurate analogy. “All this does is get people to buy things,” added Baines.
However, she does believe lessons from the pandemic can be used to strengthen cybersecurity throughout society. This revolves around the public health approach of invoking a sense of community and sacrifice; in COVID-19, this was staying at home to protect the elderly and vulnerable. In the cyber realm, this can translate to adopting more secure behaviors to help protect the digital world at large. “Rather than harnessing people’s fear, we can harness people’s sense of civic and community responsibility,” stated Baines.