According to research by David Hauser, describing cancer as an enemy that needs to be fought reduces the extent to which people focus on preventive behaviors such as changing their diets. Hauser's work seems to indicate that describing cancer in terms of war and battle metaphors focused people on direct attack actions and made them overlook more passive approaches like prevention. The cancer research was interesting on its own, but it also made me think about computer security, another area where we often talk about being attacked. Do fighting-focused words keep people from taking simple steps to improve their computer security?
Unlike cancer, there actually are people (commonly known as hackers) behind computer security breaches. Someone is attacking these systems. However, much like with cancer, there are simple preventative measures that help to reduce the likelihood of many types of security breaches. Keeping software patched, using strong passwords, activating two-factor authentication when available, checking links before you click them, and turning off your computer when not in use are all things that will help improve your computer security, but these things may not seem dramatic enough to stand up to attacks! And threats! And system hijacking!
I've written before about my frustration with describing every security incident as "I was hacked." That phrase makes it sound like there is some bad person who directly targeted your Facebook or email account, even in cases where the breach occurred because you shared your password on a fake version of a site or you clicked on a link that downloaded malicious software onto your machine.
Yes, sometimes there are hackers actively attacking a specific system, but many computer security breaches occur (or at least begin) because of automatically run scripts, malicious software, and phishing emails that are deployed widely just waiting until they work somewhere.
If information security experts stopped using attack and fighting metaphors to talk about computer security risks, would people be more likely to run their software updates and activate their firewalls?
Breach and incident are two terms that are used to describe computer security events, and neither evokes the same battling images as attack. Would sticking to those words help people realize that they don't always need an army to protect their digital data?
Perhaps there is a computer security version of David Hauser somewhere who will research the impact of attack metaphors on computer risk practices. In the meantime we should attack these violent metaphors when they invade our professional language and obliterate them from our lexicons! A war on attacks!
Okay, maybe I need some practice, but I'll try.
Now, don't even get me started on "cyber."