
Proper terminology is important for anyone who wants to learn something. The best way to develop professionalism is to rely on a set of well-defined technical terms. So it should be in any professional's interest to avoid vague terms which tend to produce misleading associations. The two most common you will probably encounter are cyber and hacking. I still struggle to see any correlation with information security and would like to know how these terms even became that prevalent.

  • Cyber refers to cybernetics, which - surprisingly - has nothing to do with information security at all. The term itself stems from kubernetes which means steersman in Greek. Even the computer science related associations of this term rather refer to the control of devices and the analysis of information like cellular automaton, decision support system, design patterns, robotics or simulation. There has been a new definition which is almost as vague, namely "something that has to do with the Internet". Apart from computer crime not necessarily having something to do with the Internet, this definition applies to almost anything nowadays! So I don't see any reason to use terms like cyber security, cyber warfare or cyber attacks.

  • Hacking is another overused buzzword. Problem here is the very vague definition which most of you know. As far as I know the term has - at least in the US - a much stronger connection to programming than to information security. In Europe, the term is mostly negatively associated with computer criminals. Among the IT affine people it is also mostly connected to the maker culture. In any case the loose distinction makes hacking an inadequate term to refer to information security and pentesting in particular.

This may be just my view on things, so I'd like to know why and when these terms showed up and why they are still used.

AdHominem
  • I dislike these words too, and try to not use them, ever. I suspect the answer to both questions is 'The Media'. –  Aug 02 '16 at 09:52
  • They're both useful words and the meaning is clear. Sure we could say "warfare by attacking computers" but "cyber warfare" is punchier. Wiktionary includes the [new meaning](https://en.wiktionary.org/wiki/cyber) for cyber. – paj28 Aug 02 '16 at 09:56
  • «how these terms even became that prevalent» I guess it has to do with the fact that a lot of people who buy infosec products/services are kind of clueless about the inner workings. If you want to sell something, you need to make it "appealing" and "cool". – Andrea Lazzarotto Aug 02 '16 at 10:03
  • @paj28 Even the new definition is vague as "something having to do with the Internet". That could be possibly anything. Also computer crime is not Internet only. – AdHominem Aug 02 '16 at 10:13
  • @Ian - What words do you use instead? I guess Cyber can be easily avoided. But what if you're explaining to someone that they need to fix this SQL injection to avoid hacking? – paj28 Aug 02 '16 at 12:03
  • @paj28 SQL injection is itself a technical term so I would expect my counterpart to be aware of the implications. To anyone not familiar with the term I would say that the input forms used by his software allow an attacker unauthorized access to the database. This is also more descriptive than stating that some unspecified hacking will be possible. – AdHominem Aug 02 '16 at 12:18
  • @paj28 'cyber' I use 'computer security' and if I'm asked what I do - 'I'm paid to try and break into computer systems'. 'Hacking' seems too much like aggrandisement. For discussing specifics (e.g. SQLi), that's usually in a professional env't, so something like, 'This vulnerability is critical and could expose company data; in order to mitigate this, be sure to use stored procedures and practice user input sanitisation' or some such. Have to be careful about using words like 'risk', as only the co. can judge the risk of a vuln due to the factors that go into the consideration of risk. –  Aug 02 '16 at 12:24
  • What matters to humans is how the given word sounds. The original `cyber` was invented while people were thinking about ugly, human-like robots without compassion and sympathy, but also as something being an extension of the human which is not part of the human body. Therefore, the virtual reality, being similar in nature in that it's an extension of the human mind, and the second thing, that hacking is also sinister in this context, could be effectively described with the similar sound `cyber`. – Aria Aug 02 '16 at 14:09
  • Regarding `hacking`, the original word in popular English describes a harmful assault on another human body. While people are thinking about intrusions into their e.g. office via computer networks, they perceive it in a similar way to a physical intrusion onto their body. So this was likely invented by the most sensitive victims of computer breaches, which penalizes perpetrators and gives negative connotations in the form of retaliation, and as a result professionals have a stigma associated with it. However there are positives - it's the defense that matters, not attacks, for pros. – Aria Aug 02 '16 at 14:14
  • Finally, both words are still prevalent in the industry because `hacking` feeds the wanna-be pros who are higher in numbers than real security pros. Cyber prevails because it is the best sound to describe "unknown threats", as we are still in the stage of developing basic security on the internet (including proper surveillance). And finally finally, the progress is measured by invention and not focus on negatives, so therefore since there's no better sounding word than `cyber` and since `hacking` is relevant for victims and wannabes, they are still both there. – Aria Aug 02 '16 at 14:20

1 Answer


> Proper terminology is important for anyone who wants to learn something. The best way to develop professionalism is to rely on a set of well-defined technical terms. So it should be in any professional's interest to avoid vague terms which tend to produce misleading associations.

The best way to market things is to use terms which people already know (so you don't have to define them) which have the right associations. Bluntly, nobody outside the profession wants to learn the details.

"Cyber", in this marketing context, means "things to do with computers when you're talking to someone who didn't grow up with them". "Hacking" covers any kind of offensive, intrusive, fraudulent or "dodgy" use of computers.

Bear in mind that even smart or senior people outside infosec know almost nothing about how it works. So you need accessible means of communicating with people, which necessarily involves using their existing misconceptions.

Apparently Ronald Reagan found the film War Games quite insightful on issues of nuclear infosec. That should be pause for thought.

pjc50