This is an Accepted Manuscript of the article published by Taylor & Francis in EDPACS , Volume 57 Issue 6, available online: https://doi.org/10.1080/07366981.2018.1476312
Abstract
Metaphorizing is the principal means with which to conduct our thinking. We use metaphors to make meaning and sense about the world around us. We use them, furthermore, to form a view on the nature of the subject of the study. Thus, they play an important role in understanding a subject. Our point of view will determine what insights we will make and what inferences we draw. It is essential to understand the meaning of the metaphor and what mental pictures—including unintended ones—it conveys. Using an inappropriate mental picture can cause serious misconceptions. The focal point of this article is metaphors used to describe information security. The first one is a commonly used metaphor in the information security industry—the link metaphor. The meaning and the problems evident with using this metaphor are discussed first. An alternative is then provided—the Formula 1 (F1) car metaphor. A detailed rationale for using this metaphor instead of the first one completes the article.
Preamble
Information security is a mindset, first and foremost. Technology is only a welcomed extension to this mindset. The exact technology to be used is determined by the mental picture one carries in the mind about information security. This mental picture is based on, and influenced by, metaphors we adopt to describe our mindset.
This article reviews a popular metaphor for information security and the underlying meanings it carries. My aim is critiquing the use of the metaphor, not criticising those who use it. It would be remiss of me not to warn here against reading this article in the mistaken notion that it represents irrefutable wisdom. I offer an alternative view, and I offer it as one way to improve our thinking and consequently our efforts to improve information security.
The traditional metaphor
“Information Security is only as strong as the weakest link in the chain.”
This statement seems to be ubiquitous. It appears from time to time in blogs, on company websites, in research, in white papers, in conference proceedings, in conversations alike. It is a categorical statement. It is also an absolute statement. The illogical nature of thinking in absolute terms is well known, I don’t need to discuss it here. Neither do I question the validity of the metaphor itself. What I question is its usefulness, validity and applicability, therefore its authoritativeness to information security. I also question the thinking and the concept behind it.
This “weakest link” metaphor in information security dates back to the rise of perimeter defense. I try not to be pedantic here and am happy to concede that it might even pre-date it. I am – to reiterate – not speaking against the validity of the principle of “a chain is as strong as its weakest link”. The point I am anxious to make is that it is not a well-fitting metaphor for information security, even if it is widely used.
The “link” concept
When one follows through this metaphor to its logical conclusion, it is obvious that once the weakest link is broken, it is not a link anymore. It is waste material. Even further, it indicates that the whole chain is broken and is not adequate to meet its original requirements. Along the same line, if information security is a chain and it is broken, the whole of information security is broken. I do not wish to say categorically that it is not or cannot be the case. However, I believe there are a few logical errors in this conceptual picture.
First of all, it would not be an exaggeration to say that equating “weakest” to “most vulnerable” or even “most exposed” is not necessarily correct in today’s information security environment. The “weakest link” might be at a place where the probability of exploiting such a “link” would not represent risk proportional to the weakness. Perhaps mitigating the “weakest link” poses a higher cost than the exploitation would, and therefore this weakness or vulnerability can be accepted.
Another idea it conveys is that only the weakest link can and will be broken or bypassed. The underlying mental picture here is that the heaviness and the sturdiness of the chain is its main usefulness. In other words, its strength is what matters. Conversely, had the strength of the chain been depleted, its usefulness has been depleted, too. It is worth noting here, as well, that the length and tautness are contributing attributes to the strength and therefore to the practical usefulness of the chain.
But if one probes deeper, something else emerges. False assurance can be created with the chain metaphor. As long as the weakest link is not broken, “we are fine”. This is not necessarily the case even when the information security “chain” is intact. The chain doesn’t need to be broken to go behind or above it. The chain links themselves have holes. The underlying assumption here is that those holes are irrelevant for the strength and to the protection the chain provides. But, what if the size of the hole can be exploited? What if the size of the exploiter renders the hole to be an access point to what the chain protects, and thus becoming a way to bypass the chain? A strong chain is useful for many things, but is rather useless against white ants that can climb through the holes. The one size doesn’t fit all idea comes into mind…
May I also add here that the relevance of the chain itself can be questioned. Putting a chain around an oil painting might provide protection against theft. Does it protect against damage or dissolution by throwing acid at the painting? Being, or not being, fit for purpose is almost too obvious to mention.
The statement implies still another idea. It describes individual components put together but working autonomously, instead of a coherent, cohesive system. While this signifies the strength of individual components, it lacks the view of the whole being stronger than individual parts. It actually promotes the opposite. This view can be expressed in the way that “no security solution is ultimately stronger than its weakest element”, and this is a very arguable statement. So is the notion that the weakest link has the least contribution to the overall effectiveness of the solution. The weakest component can stay the weakest without rendering the whole protection weak. Layered defense; trust zone architecture and other measures can compensate for a given weakness and can significantly improve the overall strength of information security. These measures complement each other; they strengthen and enhance one another.
Following from the last statement, the opposite can be envisaged as well. Putting more links together indiscriminately can actually weaken the effectiveness of the chain. Before proceeding, however, I must stress the point that the focus is on the word “indiscriminately”. Consider, for example having a firewall, a proxy and an intrusion prevention system all built into one box. It might be a good idea, but what about creating a single point of failure? Once the underlying hardware fails, all three layers of the protection are gone.
There may, for example, be instances that can be used in favour of the weakest link metaphor, which I have overlooked and to which, in the end, I might assent to. Before proceeding, thus, I must make it clear that I raise no objection against the rational use of the chain metaphor in certain cases. What I wish to emphasise is that information security might not be such a case.
The alternative
I propose an equally plausible metaphor that I believe serves better than the “weakest link” metaphor. That is, information security as a high performing, complex machine, such as a Formula 1 car. I wish to emphasise here that I do not equate “complex” with “complicated”. I use the word “complex” to describe sophistication and the idea of having many parts that are intricately interconnected.
A Formula 1 car has many parts. It has big and strong parts, and yes, it has small and weak parts, too. Yes, any part of such a machine can be broken. Yet, the car doesn’t just fall apart or dissipate if the weakest part is broken. The remaining components of the car keep functioning despite one breaking. Furthermore, having such broken part doesn’t necessarily mean that the car becomes useless or worthless. Of course, performance degradation might occur, but this can be corrected. Engineers, I am told, can even fine tune the engine remotely during the race. For other problems the car might need to go back to the pit stop for a repair.
Even in the case of an extreme situation, such as when the engine blows up – and thus the core of the machinery becomes ineffective – the car still is a car and can be pushed through the finish line. In other words, it still can reach its target and fulfill its purpose. It might not win the race, but it can still compete and finish the race. When a small – or even a big – part gets broken, it doesn’t mean that the car becomes a “non-car”.
Along the same line, a component of information security might get broken. This might reduce the effectiveness or the quality of information security, but it doesn’t make it disappear. It doesn’t necessarily mean that there is no protection at all, either. Those broken parts need to be fixed of course, and need to be fixed fast. If it is not “fixable”, compensating controls should be put in place.
It may be of some interest to note, in this connection, that the purpose of an F1 car is not winning a race. The purpose is to run many races and to run them competitively. A case in point is Emerson Fittipaldi, who won only three races in 1974, yet still became world champion, also giving McLaren the constructors’ title. All of this was done with a car—the McLaren M23—that was knowledgeably not the most technically advanced. But it was certainly competitive!
Information security in the same way is a long-term competition, not a single race. Winning every single time is not the goal. Being competitive is. What I mean by competitive is exactly what the etymology of the word reveals. The Latin word “competit” means “aiming at, earnestly seeking for—in other words striving for—something together.” The earnestness, the striving, and doing it together are all inherent in the word. Practitioners of information security have to have a strong desire to succeed in every situation. The question is not about winning or losing, but to give tough times to the adversaries.
Thinking about information security as a high-performance machinery allows one to think about the whole, not just about individual components. The mental picture applied here – and I must point it out again, even at the risk of repetition – is a complex system with moving parts. Each part contributing to a common goal. If the part doesn’t contribute, it needs to be critically looked at, whether it is needed at all.
Instead of removing parts, the opposite is also quite possible. New components can be added and integrated to improve or enhance performance. Considering such possibilities reduces the chance of having a tick box mentality, and that alleviates binary thinking. One manifestation of binary thinking is dualistic thinking. Among many other aspects, it stimulates the “us-versus-them” syndrome. I am only referring to this syndrome here without detailed discussion, to provide a hurried glimpse into what is an already outdated mode of thinking in information security in my view.
The case for the replacement
I started the article stating that information security is a mindset. This mindset is largely determined by the mental picture we hold in our head about it. The mental picture in turn is shaped by the metaphors we employ to make sense of a subject. Metaphors play a crucial role in our cognitive processes, as they help us form insights into the subject of study. It is essential to understand the meaning of the metaphor and what mental pictures – including unintended ones – a metaphor conveys.
Using an inappropriate mental picture can cause serious misconceptions. This is not surprising, because every metaphor has a knowledge bias embedded in it. Having such knowledge bias will control where and how we look for solutions. This limits our choices, and consequently the quality of our solutions. It is therefore safe to conclude here that the relevance of a metaphor reaches beyond being an element of thinking.
By describing two such metaphors I demonstrated how the meanings and concepts they convey lead not only to different thinking about information security, but also to different actions and results. What then needs to be noticed in this connection to the chain picture is that binary thinking is implicit in and contingent upon it. This kind of thinking is apt to consign us to a more dogmatic view we would like to hold, whether we admit it or not. It encourages thinking spasmodically, leading to point solutions. Furthermore, it is an absolute statement. It is an oversimplification. Neither of these two are necessarily bad on their own. It would be shallow to deny that each have their use. In the context of forming a mental picture about information security, however, the chain metaphor seems to be not as useful as some proponents might want to warrant it.
Thinking about information security as a high performing, vibrant machinery instead of a static chain – I submit – would lead to better achieved results. It encourages thinking – in general – in terms of complex, inter-related components rather than individual parts.
The crucial idea I want to bring the reader’s attention to is that there are variables that can be prepared for. It is not an either-or-not situation, but having multiple, complementary solutions. When an unexpected event occurs, quick response is possible and resolution can be reached faster, using alternatives or variables. Responsiveness to unexpected events however is reduced by thinking in absolutes. Instead of succumbing to the dangers of such thinking one can apply directional thinking about exposures, probabilities, impacts, response and so on. In short, about risks in the given environment.
This provides a better perspective on managing uncertainties. Architects, designers, engineers and managers can move freely from point solutions – a sign of spasmodic thinking – to create sophisticated, integrated information security solutions. Auditors can view information security holistically. This goes a long way beyond providing assurance that everything is “there” and is working. Auditors can thus become value adding contributors in the quest to keep an organisation safe and secure.
This is why I believe the machine metaphor is superior to the chain metaphor. Obviously, a multidimensional metaphor has significant advantages over a one-dimensional metaphor. It encourages, for example, one to consider what problems need to be solved. It encourages one to think whether a problem really needs to be solved, or can be left as it is. It encourages one to consider foreseeable consequences: “What new problems might be created because we have solved this problem”? “What happens, if we do not solve this problem”? More granular, more effective solutions can be created in this way. Identified weaknesses can be addressed in a timely fashion, and cost effectively.
Parting thoughts
“So what?” – you might ask. – “Does it really matter what mental picture is used as long as it works?” – The question itself strikes me as an absurdity, since I do not see how it is possible for a subject to be understood in the absence of any insights into the metaphors on which it is constructed.
I believe having a well-understood mental picture does matter. We do well to remember that metaphors – as stated earlier – control how we think, which influences what we see, which in turn influences what we say, and lastly, what we do. Indeed, I may go this far: well-communicated ideas with their well-understood meaning will lead to well-implemented action.
And that is the point I have been trying to make.
Why not?