Imagine you’re going about your day when a friend or co-worker with limited experience with cybersecurity asks you about what you do or what you think of the latest security technology. How can you engage with an answer that isn’t terse, overly technical or judgmental? How can we translate cybersecurity issues and provide value for those asking about them?
To that end, here is some advice on how to explain cybersecurity topics to your colleagues in terms they will understand.
Keep Your Reactions in Check
Unless you work in a highly visible environment, people may not go out of their way to ask you questions, so when they do, realize that it’s a prime opportunity not to only provide answers but to engage them in the long term as well. With that said, even the best of us might have an off day and react unfavorably to a question being asked. However, it’s worth remembering that responding to an inquiry with visible shock or displeasure could trigger further difficulties.
If you’re not feeling particularly outgoing or conversational on a given day, consider taking a moment to appreciate that someone is asking for your opinion or advice on a cybersecurity issue. Simply thanking them for their question or replying, “That’s a good question,” can grant you time to collect your thoughts on the matter at hand and respond with confidence and authority.
Clarify the Question and Its Context
We have all been in situations where we start responding to a question and realize after several minutes that we were answering the wrong question or simply didn’t have enough information about the context in which the question was being framed. If the particulars of a colleague’s question are unclear, ask a clarifying question that reuses many of the words from the initial question.
For example, if Bob asks, “Should I be worried about the new two-step login for my bank account?”, the real heart of the issue might be the standard username-and-password approach and its weaknesses, a recent change in the user interface for a login page, or two-factor authentication (2FA) and some of the concerns around SMS-based tokens in the news lately. A quick way to find out would be to reply with something like, “By two-step login, do you mean username and password or a two-factor authentication code sent by your bank?” If Bob answers that it’s about 2FA, you could follow up with another clarifying question about whether the token is sent via SMS, a bank app on his phone or a hardware token.
Understanding the context of questions is also key to ensuring that your answer is useful and appropriate. In the example above, Bob asked a question about the authentication process, but do we have enough context? Sample questions to elicit additional context might include, “when did this happen?” or “why do you ask?” Given these questions, Bob might share that he recently experienced difficulties with logging into his bank account while he was overseas on business. We might also learn that the SMS tokens took several minutes to reach his cell phone, and by that time the bank no longer accepted them as valid.
Explain Cybersecurity With Helpful Metaphors
Providing a valuable answer to a cybersecurity question can be tricky. As security professionals, we might be tempted to peel back the curtain and shed light on what’s happening behind the scenes with a bunch of technical cybersecurity terms. For instance, in response to Bob’s question about SMS-based 2FA, we could launch into the detailed description of steps required for a successful authentication session and the many weak points where response messages could be stopped.
However inclined we may be to answer a question with a complex, technical answer, it’s best to keep in mind some of the more effective ways humans have shared information for centuries. For instance, it may be helpful to explain the issue at hand with a metaphor that offers a path to a solution that the listener can follow. Determining how to explain cybersecurity issues involves focusing on what the asker already knows and their frame of reference and then adapting our explanations to fit that knowledge.
How can we help Bob understand SMS 2FA and its weaknesses? Perhaps we can use the metaphor of a guard dog — even if someone has the key to your house, unless they have your face or your voice, they won’t be able to get in.
Think Influence, Not Judgement
Cybersecurity professionals have spent years, or even decades, honing their intuition and enhancing their knowledge base, which can enable rapid diagnosis of issues with quick answers. However, we must take care to ensure that our answers are presented constructively and not wrapped in an envelope of, “I can’t believe you would do that” or “smart people don’t do things this way.”
When someone asks a question, the last thing they want to hear is that they’re wrong or dumb for asking the question or for reacting unfavorably to their challenges. Resist the urge to judge their behavior or lack of information and instead look for ways to help them see the risks their actions pose and get them thinking about the privacy and security implications of those actions.
To that end, try to provide answers that influence their attitudes toward cybersecurity well after their interactions with you are over.
Leverage the Power of Questions
Instead of handing down a declarative denial in the form of, “you should never do that,” why not reply with a question of your own? Plant the seed of a persistent thought that will guide Bob for months after his question is answered. What should Bob ask himself in advance of his actions from here? Are there any procedural rules he should keep in mind moving forward? Make sure Bob knows to think before he clicks and inform him about where he can turn for the right answers.
To further develop your response to Bob, you might also explain the benefits that SMS-based 2FA can provide and finish with a list of questions for Bob to ask his bank or ponder on his own. The questions for his bank might relate to the timeout factor of the SMS token, whether there are any barriers that would prevent the SMS tokens from reaching his phone while he’s on business travel overseas and whether there is another way to do multi-factor authentication than through SMS. Questions for Bob to think about in the long term should include consideration for the larger concerns of privacy and security around the data and technology he brings with him when he travels.
While Bob may not be getting a quick and simple answer, let’s face it: There are few quick and simple answers left in cybersecurity. On the other hand, Bob now has a more accurate understanding of the tough issue of authentication, and he’ll likely be thinking about travel-related security and privacy for quite some time. Bob can walk away glad that he asked a question and wasn’t belittled for it, and he’ll probably come back to you with future questions.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato