They say a picture is worth a thousand words. If that's true, what do the images used for information security tell us? What are they trying to convey and are those messages consistent with how we would like to think about information security?
There’s an easy way to find out how we commonly picture information security. Google ‘information security’ and then click on ‘images’. You will immediately see a near uniformity in the pictures used. A search for “cyber security” produces virtually the same images, and the same swathe of blue.
Almost all the images for “information security” share at least three characteristics:
• They are blue, with a bit of red and occasionally green;
• They show a lock, often superimposed on a graphic representing the flow of electronic data; and
• They rarely show people, other than the odd shadowy figure of the evil hacker or a headless male businessman operating the lock.
So what does this mean?
First, the colours. My detailed research, via a Google search again, came up with the following. ‘Blue … is often associated with depth and stability. It symbolizes trust, loyalty, wisdom, confidence, intelligence, faith, truth, and heaven. (It) … produces a calming effect.’ While ‘Red … is associated with energy, war, danger, strength, power, determination as well as passion, desire, and love.’ The use of blue to illustrate information security makes sense. Information security is based on building trust and instilling confidence. Stay calm and trust us! Similarly, the use of red is also understandable to indicate danger or war, the threat of the omnipresent attacker. When used to colour the ubiquitous lock, red probably symbolises strength and protection from harm.
The use of the lock as the overwhelming motif for information security is more problematic. The lock is a symbol of protection: it is a device used to prevent access to valuable assets. In the case of information security, those valuables are usually data, shown by the streams of electronic pulses that are secured by the lock. The use of the lock indicates an ability to control and to exclude access to data, to protect it from misuse.
But is that the image we want to use for information security? This traditional conceptualisation of information security as locking down assets and preventing their use takes an exclusionary, negative view of information security. It places information security practitioners in the role of police officers, ensuring the protection and safety of assets. It says little about the role of people or the importance of reputations, networks of trust, recovery or resilience or just making people feel safe. It is out of sync with most current business paradigms where organisational borders are open and shared, where agility and collaboration are paramount and where the lockable, controllable organisational perimeter is a distant memory.
And where are the people? People are largely irrelevant in information security imagery, other than as the source of attack or the owner of the technology solution. Reliance on the lock places information security practice squarely as a technical discipline: security is something that can be achieved by developing and applying technical fixes.
The importance and relevance of pictures, and the underlying narratives on which images and visualisations used in information security are based, is worth more thought. Dr Lizzie Coles-Kemp, Peter Hall and Claude Heath published a paper last year that did that.* They argue that the narratives on which cybersecurity visualizations are based ignore important aspects of cybersecurity: that these visualizations focus too narrowly on adversarial security issues, ignoring social and community-based security. They suggest that if information security were visually situated in a larger socio-historical context (perhaps including real people relying on each other and building networks of resilience), the limitations and implications of current ways of seeing risk and practising information security become more apparent.
So next time you read an information security article, whitepaper or report, think about the illustrations used and the messages they are sending about what information security means. Is it time for a change? If you're responsible for publishing a report, think about the images you're using and what they might say about what you think information security means.
* Peter Hall, Claude Heath, Lizzie Coles-Kemp ‘Critical visualization: a case for rethinking how we visualize risk and security’ J Cyber Security (2015) 1 (1): 93-108.
Dr Lizzie Coles-Kemp is speaking at the University of Queensland at 12pm Monday 3 April, 2017 on Bringing Shadow Information Protection Practices into the Light. All welcome.
Dr Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. Since then, she has specialised in providing information security and privacy consulting and training. Dr Siganto completed her PhD on privacy and information security practice in 2014. She has been involved with a range of industry groups, including acting as the Chair of the AISA Policy Committee, and more recently the AISA Education Director. In addition to her other works, Dr Siganto pursues research projects into cyber security issues. She has participated in a study led by Royal Holloway, University of London, which mapped some of the unique traits of information security practitioners in Australia and led AISA’s research into the Australian Cyber Security Skills Shortage.