The Slippery Slope of Cybersecurity Analogies

Note: Presentation times are in Pacific Standard Time (PST).

Thursday, January 26, 2023 - 3:00 pm to 3:30 pm

Josiah Dykstra


Cybersecurity is rich with analogies, from keys and locks to Trojan horses. We look for the “needle in the haystack” and “evict malware resident on our systems.” We debate “baked-in” versus “bolted-on” security. We do not mean all these things literally, of course. The language and analogies we use in this field are borrowed from many different domains. Analogies can help explain basic cybersecurity concepts, but too often they omit or overgeneralize important details. They can mislead, sometimes deliberately, because the experience they purport to connect might be out of proportion. Despite their shortcomings and imprecision, using an analogy or an abstraction might be helpful in appropriate situations. Using analogies, abstractions, and metaphors shapes technology’s development, practice, and policies. The analogies are more than simple figures of speech. They have a normative dimension; sometimes, they can be used to help the imaginary shape reality. This talk explores the use and misuse of analogies and metaphors across cybersecurity. We consider analogies from the physical world, medicine and biology, war and the military, and law before discussing tips for avoiding pitfalls in using analogies and metaphors.

Josiah Dykstra, Independent Security Researcher

Josiah Dykstra is a cybersecurity practitioner, researcher, author, and speaker. He is a Technical Fellow in the Cybersecurity Collaboration Center at the National Security Agency (NSA) and the owner of Designer Security, LLC. He holds a Ph.D. in computer science and previously served as a cyber operator. Josiah is interested in cybersecurity science, especially where humans intersect with technology. He has studied stress in hacking, action bias in incident response, and the economics of knowing when sharing threat intelligence is more work than it is worth. Dr. Dykstra is a frequent speaker, including at Black Hat and RSA Conference. He received the CyberCorps® Scholarship for Service (SFS) fellowship and is one of six in the SFS Hall of Fame. In 2017, he received the Presidential Early Career Award for Scientists and Engineers (PECASE) from former President Barack Obama. Dr. Dykstra is a Fellow of the American Academy of Forensic Sciences and a Distinguished Member of the Association for Computing Machinery (ACM). He is the author of numerous research papers and the books Essential Cybersecurity Science (O’Reilly Media, 2016) and Cybersecurity Myths and Misconceptions (Pearson, forthcoming).
@conference {285649,
author = {Josiah Dykstra},
title = {The Slippery Slope of Cybersecurity Analogies},
year = {2023},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jan,