Cybersecurity that’s easy to understand...Why?

“When surveyed, 44% of Spanish business executives said that they don’t prioritize cybersecurity because they find the language used in that field confusing”. This was the headline of a news story published at Europa Press' website on May 30th, based on a report issued by the Kaspersky cybersecurity firm entitled “Separated by a common language”.  https://go.kaspersky.com/rs/802-IJN-240/images/Kaspersky-Speaks-your-Language-1122.pdf. Although it may seem like an infinite number of studies of this type have already been published, this one caught my eye because it emphasized a subject that can have profound effects on a highly complex technological subject like cybersecurity. Is there a need to democratize this knowledge? Do people really want to receive and assimilate this knowledge? I’m not aware of any general consensus regarding the correct answer to either of those questions.

However, if we do want to democratize cybersecurity knowledge, then there are two types of effort required. The first has to do with understanding a group that wants to protect itself, or defend its territory, by maintaining some sense of exclusivity. If the doors to the field are thrown open too widely, some people could lose some of the special status they have come to enjoy. There is still a certain fondness among those working in the field of cybersecurity for the “obsolete” paradigm of security by obscurity, i.e., restricting access to information as much as possible. These days, this is often demonstrated when we see the conversation flooded with technical jargon, or when gaps in understanding are filled in with clichéd sayings like “cybersecurity is an investment, not an expense”, and many others with a shelf life that expired long ago. The second type of effort would have to be focused on bringing cybersecurity concepts with high levels of technical intensity down to earth, where they can be understood by the average person. In this case, understanding the profile of the target audience is critical. If this profile is not in sync with the technical level of the message being conveyed, the person trying to transmit knowledge could end up feeling like it’s a waste of time, while at the same time, the potential listeners are losing interest, or may even feel like their intelligence is being insulted.

In general, the public’s interest in understanding cybersecurity may come and go, and it also depends on the specific group being addressed. Sometimes I’m certain that this interest exists, but at other times I’m not so sure. On one side of the scale, we have the need to understand that cybercrime is something that can affect all of us, in many ways, and in some areas that can really hit us hard (money, reputation, pride, etc.). On the other side, we need to be aware of the fear and even apathy that this subject can provoke. In the end, I’m convinced that we can strike an appropriate balance between these two sides.

To me, understanding cybersecurity is something I see as both useful and practical. I initially found the subject intriguing (a world of spies and hackers, cracking encryption codes, etc.), and this motivated me to learn more. However, for most people the situation is very different: first they are hit with a cyberattack, and this “motivates” them to learn just enough to prevent it from happening again (i.e., they learn the hard way). But if we really think about it, we might realize that all of us have quite a lot of security knowledge already, which we’ve acquired in our non‑digital life. In general, we’ve internalized an attitude of prevention, by distrusting anything that seems “too good to be true”, and we know that we have to remain on guard against certain kinds of threats. We just need to understand that it’s not so hard to transfer this knowledge we already have into the digital world.

And we should not feel so intimidated by technical jargon and acronyms. For example, almost all successful ransomware attacks (such as the Ryuk ransomware that did so much damage to the Spanish government’s public employment service (SEPE) in 2021) are able to succeed because somebody received a malicious email, then fell into the digital trap of clicking on the link it contained, or they opened an attachment with an unpleasant surprise inside. And once malware has been released, it can spread to other machines very easily. Those “somebodies” are people like you and me, or perhaps your boss or my brother-in-law, or it could even be Elon Musk, or Cristiano Ronaldo. In the end, we are all human, with our own strengths and weaknesses, and we can all have a bad moment and make a careless mistake. So don’t be too hard on yourself if cybercrime happens to you one day, and you suddenly learn a bit more about the cyberworld around you.

Author: Javier Zubieta