
It’s been a bad month for marketing claims. Red Bull have agreed to pay $13 million to settle a lawsuit and “avoid the cost and distraction of litigation”. Apparently, while drinking Red Bull might make you feel like you’re flying, it doesn’t actually give you wings. Privacy provider Whisper advertised itself as “a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings”. Despite claiming that it doesn’t track IP addresses or geolocation data, it’s alleged that Whisper actually tracks both…and…wait for it…shares it with the US Department of Defence. So your ‘innermost thoughts’ shared with your date from the Russian consulate are sure to be private. As long as you re-define the word private to include half a million contractors across five countries. Much of the controversy isn’t over the fact that internet communications will always be attributable to some extent, it’s that Whisper claimed otherwise and in doing so appears to have misrepresented their product. Just like the Snowden revelations, we’re again squabbling over the meaning of words like identity, content and metadata. The result is a reminder that overselling your product or service can get you into trouble. Whisper now faces unprecedented scrutiny and accusations of snake oil from people who know what they’re talking about.
Growing up, my mother’s favourite word was ‘filthy’. She didn’t actually mean that something was vile or dripping with excrement, she just meant anything less than surgically clean – like most of everyday life. It didn’t matter that she used the word to mean something other than its ‘true’ meaning because we all understood what she meant. By being used in different ways, the meaning of words changes over time. ‘Awful’ used to mean something positive, as in a sight that inspired awe. There are ways, however, in which the creative use of language can be a linguistic perversion. Using words to deliberately misrepresent a product or service is unethical.
The security profession is guilty of overselling. This isn’t about any particular product or service that we offer, but the language we use. ‘Ensure’ is one of our favourite words that we seem to put into every sentence every chance we get. It’s a traditional security word, as traditional as long hair at Black Hat and auditors with tick boxes. Strictly speaking, ensure means to guarantee or make certain of an outcome. However, when using the word ensure in an information security context we normally mean the implementation of a control or the allocation of a responsibility. As in, administrative control X will ensure that only approved accounts are enabled. There’s not actually an expectation that the outcome is in any way certain.
I recently reviewed the objectives summary for someone’s security awareness training which included the word ensure for each outcome. An example was ‘Ensure employees understand the need for backing up their mobile devices and actively do so on a regular basis’. If you swap the word ensure for guarantee in the sentence it becomes clear that this is probably not what the author meant. There’s no such thing as certainty when it comes to behavioural compliance, and to suggest otherwise is to mislead your audience or stakeholders as to the capabilities of security awareness. The idea that awareness could make certain of an outcome is what critics of security awareness seize on as evidence of failure whenever success rates fall short of 100%.
Besides the issue that the word ‘ensure’ is often used to denote a level of certainty which is undeserved, it can also introduce liability in a way that was unintended. ‘Ensure’ in the UK assigns liability when used as part of a contract or the advertising of a service. Beware the security professional who states that their training will ‘Ensure employees do not jailbreak any of their mobile devices.’ Under UK law they could be assuming a liability for damages for employees that do. The logic is that if you’re offering to make certain of an outcome then you’re accepting liability for when that outcome is not achieved. It may not be what you mean when you use the word ensure but that’s how the word is interpreted in some parts of the world.
If the next generation of security awareness wants to move on and focus on behavioural outcomes and the science of influence, then the word ‘ensure’ has no place. As my mother used to say…say what you mean and mean what you say – now go clean your room, it’s filthy.