Cybersecurity is rich with analogies, from keys and locks to Trojan horses. We look for the "needle in the haystack" and "evict malware resident on our systems." We debate "baked-in" versus "bolted-on" security. We do not mean all these things literally, of course. The language and analogies we use in this field are borrowed from many different domains. Analogies can help explain basic cybersecurity concepts, but too often they omit or overgeneralize important details. They can mislead, sometimes deliberately, because the experience they purport to connect might be out of proportion. Despite their shortcoming and imprecision, using an analogy or an abstraction might be helpful in appropriate situations. Using analogies, abstractions, and metaphors shapes technology's development, practice, and policies. The analogies are more than simple figures of speech. They have a normative dimension; sometimes, they can be used to help the imaginary shape reality. 

This talk explores the use and misuse of analogies and metaphors across cybersecurity. We consider analogies from the physical world, medicine and biology, war and military, and law before discussing tips for avoiding pitfalls in using analogies and metaphors.  This talk is adapted from material in the forthcoming book Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us by Drs. Spafford, Metcalf, and Dykstra. The book presents 175+ common myths and misconceptions held by users, leaders, and cybersecurity professionals, along with tips for how to avoid them.

Josiah Dykstra is a Technical Fellow in the Cybersecurity Collaboration Center at the National Security Agency (NSA) and the owner of Designer Security, LLC. In 2013, he earned his PhD in computer science from UMBC studying cloud forensics with Dr. Sherman. He is interested in cybersecurity science, especially where humans intersect with technology. He has studied stress in hacking, action bias in incident response, and economics of cyber threat intelligence. Dr. Dykstra is a frequent author and speaker, including at the Black Hat and RSA Conference. He received the CyberCorps Scholarship for Service (SFS) fellowship and is one of seven people in the SFS Hall of Fame. In 2017, he received the Presidential Early Career Award for Scientists and Engineers (PECASE) from then President Barack Obama.  Dr. Dykstra is a Fellow of the American Academy of Forensic Sciences and a Distinguished Member of the Association for Computing Machinery (ACM). He is the author of numerous research papers and two books.