Security Analogies

What's An Analogy?

An analogy is a non-literal comparison between two things. Security analogies use the learner's experience base to build relationships between known, familiar concepts and unknown, complex concepts. This comparison helps learners comprehend, visualize, and remember new concepts. Analogies are like a bridge that you can cross from a familiar to an unfamiliar concept. Educator David Jonassen says, "Analogies are the single most powerful instructional strategy one can use."

Analogies, metaphors, and similes help learners to associate new concepts with their previous knowledge or experience. These figures of speech create pictures that connect the teacher and learner to the same idea. Gerry Spence, in How To Argue and Win Every Time, wrote, "Words that do not create images should be discarded." And he follows his own advice. For example, Spence writes, "To get a prejudiced judge off a case is like prying a tooth out of a rabid gorilla." This allows his readers to visualize the concept. Can't you see the gorilla frothing?

Analogies can be used to make complex topics simpler to understand. Susan Boyd, author of Accelerate Computer Learning With Analogies, explains that "turning off the computer in the middle of an application is like kicking the ladder away while the painter is on the third floor." She uses analogies to get her audience's attention and to make seemingly dry or dull subjects more interesting.

In Alan Cooper's The Inmates Are Running the Asylum, the author compares programming before the design work is completed to a parachute maker telling the jumper, "By the time you are ready to hit the ground, I'll have stitched together a parachute." He continues, explaining that there is "abundant waste with this method - like a carpenter cutting boards by eye until he gets one that fills the gap in the wall."

Here's another from Alan Cooper - "It’s a common mistake to copy the trappings of success, rather than the root cause of it. It’s like seeing General George Patton’s pearl-handled revolvers, and drawing the erroneous conclusion that to be a good strategist one must wear ornate side arms."

An analogy is used in Harper Lee's "To Kill a Mockingbird" when Scout explains to her father why he shouldn't report Boo Radley — "It's like killing a mockingbird, isn't it?"

Socrates said that learning is like giving birth, and teaching is like being a midwife.

Ralph Waldo Emerson believed that "science is nothing but the finding of an analogy."

If you wanted to explain how a small decision can have far-reaching consequences, you could suggest picturing a large and heavy gate: it moves very little at the hinges but a long way out at the circumference. A very small movement at the hinge produces a long movement at the far end of the gate.

Security Analogies

  • Backups are like flossing — everyone knows it’s important, but few devote enough thought or energy to it.
  • Passwords are like bubblegum. They should be used by an individual and not a group — and if you leave them lying around, you'll end up with a sticky mess. — K Rudolph

    (Note: we used to also say that passwords are best when fresh, but current password advice is not to change passwords often. On June 20, 2018, Israel’s new cyber chief, Yigal Unna, drew criticism by offering questionable password advice during a high-profile presentation. Mr. Unna delivered a keynote presentation with a slide noting that passwords should be treated like underpants: changed often and never shared. Current security wisdom advises using a password manager with complex, unique passwords. When people are told to change their passwords often, they are likely to use variants or something with the same root – making their passwords more easily crackable. Per Thorsheim, of the PasswordsCon conference, tweeted: “Research has shown that forced and regular change decreases security.")
  • A password is like the lock on your front door. There are all kinds of locks: there are the cheap ones on bedroom doors that you can open with a small screwdriver; on the other end of the spectrum, there are bank vault locks that only open at a certain time with a 10-digit combination and a fingerprint scan. Passwords are much the same; they can be simple (like a 4-digit PIN on an ATM card) or complex (a 17-letter passphrase with punctuation and special characters). The difference between both the easy and complicated locks and passwords is that the more complex it is, the longer it will take an intruder to bypass it. The main plus to passwords is that, unlike locks, getting a bigger, stronger, better one is free. — Scott Granneman


Image of people crossing a bridge made of ideas to show how security analogies connect concepts.


  • Data back-up is like the shovel and bag of grit my dad used to keep in the back of his car for those snowy Peak District winters: invisible most of the time but a life-saver when you're in trouble. To neglect it is to risk your company's livelihood and leave a glaring hole in your security plans. — Iain Thomson, Security Newsletter - Life, death and data back-up (Vnunet 2.24.03)
  • Suggesting that IT security issues can be dealt with simply by drafting and implementing a security policy is like saying that speeding drivers won't be a problem if we introduce speed limits. — Reflex Magnetics
  • Networks are like candy bars: Hard and crunchy on the outside, but soft and gooey on the inside.
  • Your computer is just an extension of your house. The average homeowner does not leave the house door unlocked, does not allow any travelling salesperson to walk in and install cameras for their marketing demo, and does not allow just anyone to crash at the house in the kids' room. If computers visually used this metaphor throughout the user's experience, it might help: the login would be a doorway into the house, virtual desktops would be rooms in the house, and email sales pitches, port scans and the like would be people visiting your house.
  • Anyone who has ever worked as a sysadmin knows that the users are often the biggest security risk. User behavior is a lot like how water runs down a hill. The water will follow the path of least resistance.
  • A dynamic IP address is like moving your house several times a day so that burglars can't find it.
  • Privacy Act Data is a lot like medicine: when used correctly it's beneficial and can be used to improve the health of individuals and organizations. When used incorrectly it can cause harm. Prescriptions are intended to be used by people with a specific need (need to know), as is data. It's risky to take medicines that are not prescribed for you (and illegal). The same applies to data. Medicines expire and data can become out-of-date.
  • Computer security is like a chess game, and all these people that say breaking into my computer systems is like breaking into my house: bull-s*** because securing your house is a very simple thing, you just put locks on the doors and bars on the windows and then only brute force can get into your house, like smashing a window. But a computer has a hundred thousand intricate ways to get in, and it's a chess game with the people that secure a computer. — Rop Gonggrijp, Dutch hacker, interview
  • "Secure web servers [cryptographically enabled web servers] are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police." – In "Web Security and E-Commerce," anonymous contribution
  • "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." — Gene Spafford, in email to organizers of a workshop on insider misuse
  • "Most organizations are like Ukrainian dolls - each inside has another inside." — Gene Spafford, in email to organizers of a workshop on insider misuse
  • "Perimeters that allow arbitrary content, VPNs and SSL connections, et al. aren't really perimeters any more than a state line through a cornfield is an obvious border." — Gene Spafford
  • Documentation is the castor oil of programming. The managers know it must be good, because programmers hate it so much. — Gerald M. Weinberg
  • Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Wilson Reagan

What Are Your Favorite Security Analogies?

Please let us know so we can add to the list.


Looking for more? We have a great page full of security slogans like this one: "Phishing: If you suspect deceit, hit delete!"

We also have a security quotes page. "Security is always excessive until it's not enough." — Robbie Sinclair, Head of Security, Country Energy, NSW Australia


Are you in charge of your organization's security training?

We have several great online courses! Topics range from general Information Security Awareness, to IT-professional specific, to GDPR for United States employees.