Communication Breakdown: Security's Language Problem

Information security pros are picky about the words they use. CSO's Bill Brenner says the annoying terms aren't going away without some creativity.

It's an old problem in the security industry -- vendors, public-relations firms and the media coin all these catch phrases and buzz words to describe the latest threat or technological solution. Then the smarter industry voices get all uptight about it.

Does anyone remember the individual who coined the word "phishing" to describe one of the oldest social engineering tricks in the book? Me neither. (Speaking of social engineering tricks, check out Joan Goodchild's latest article, DefCon contest to spotlight social engineering.)

I also don't remember who came up with all the "PH" words that followed, like pharming and phlooding. But I AM among those who learned to roll his eyes at every "PH" word other than phishing (because that was an original).

I remember the day in 2005 when a PR person called me about a "new" threat the vendor she represented was tracking. The vendor wanted the world to know about a new technique in which the bad guys could, from different locations, saturate wireless access points with log-in requests using multiple password combinations, clogging a company's central authentication server. The vendor described this as "phlooding." The PR rep described phlooding the way others might describe the collapse of the Internet. Since then, nobody I know of has claimed to have suffered a catastrophic case of phlooding. I wrote about the threat, but did so from the perspective of IT security pros who were getting annoyed with all the "ph" words flying (phlying) their way.

If a "PH" word is based on a variation of a phishing attack, that's one thing. But five years later, I'm still trying to figure out just what the heck phlooding has to do with phishing.

A good friend of mine, James Arlen, has a word to describe the stupid things people do online to put themselves and everyone else in peril. I can't print the entire word because this is a G-rated publication. But I can tell you it starts with "cyber." He has a t-shirt with the word on it.

James sometimes takes issue with some of the words we in the media like to use. One word is "cybersecurity." He loathes the word. And he's not alone. I know many an IT security practitioner who will try to use any word but that one to describe the art of protecting the Internets. Sorry. I meant InterNET.

I'm still trying to figure out what the big deal is. Sure, the word cyber has been slathered across the English language a bit too liberally. If you punch in the word on Wikipedia, you'll see everything from "a range of mainframe computers" to "a brand of computer hardware." Cyber is also a supervillain in both the Marvel and DC comics universe, though in the DC world it's "Doctor Cyber."

Until someone comes up with something better -- and until the current crop of alternative words starts ranking higher on Google (which tells you that the usage is quite common), I'll continue to put "cybersecurity" in headlines and articles.

More recently, there's been debate over just what terms like data loss prevention (DLP) and cloud computing are all about.

My initial thinking was that DLP was ANYTHING -- technologically and culturally -- that prevented sensitive data from getting stolen or lost. Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, saw me put it that way in an article and begged to differ.

One point he made was that DLP is not a product, as many vendors would have you believe. Rather, it's a mix of technology and policies. I agree with that.

The latest buzzword to go through the language meat grinder is the "cloud." Most of the security experts I talk to agree that the biggest problem with cloud computing and cloud security in particular is that most people don't really understand what the cloud is. Chris Hoff, director of cloud and virtualization solutions at Cisco Systems, has made this point to me more than once.

Sometimes I think people split hairs too much when it comes to the language of security. But in the bigger picture, words are important. We need buzz words to get the attention of those who are less savvy online than we are. Buzz words help raise awareness, even when some of those buzz words sound stupid or don't fit perfectly based on what the dictionary says.

To that end, I'm interested in your thoughts on this.

What do you think are among the most overused and/or misused words in the security world?

What are some good words that don't get enough attention?

Just what is cloud computing anyway?

Don't be shy. Discuss.

Read more about application security in CSOonline's Application Security section.

This story, "Communication Breakdown: Security's Language Problem" was originally published by CSO .

Join the discussion
Be the first to comment on this article. Our Commenting Policies