Explaining Security to non-technical Audiences
A few days ago we had the opportunity to present a review of vulnerabilities in mobile phone networks and typical attack vectors to a non-technical audience (we announced the event in a previous blog posting; the event language was German). The attendees came from social sciences, political sciences, various technical sciences (but not information science), governmental agencies (again non-technical) and journalism. We adapted the slides in order to reduce the complexity and the technical details. The reaction was positive, but most of the questions were aimed at how to defend against the risks. Thus our reduction only lasted until the Q&A section. If you really want to defend yourself, you have to deal with the details. If you don’t dive into the details, you can give superficial answers at best.
Most security researchers speak to a technically minded audience. That’s great, and that’s how it is at DeepSec or any other conference. However, if you really intend to fix a threat or to raise awareness among a wider audience, then you need to translate and to reduce. You have to focus on the bare bones of your advisory and find out how the vulnerability impacts the work or daily life of the person you are talking to. Running around yelling „The End is Nigh!“ won’t do; this has been done too often (especially after reading the news in the wake of a security conference). Simply recommending not to use a specific technology doesn’t work either. We know that traffic accidents happen, yet we cross streets every day. The same is true of the Web, e-mail, mobile phones and other conveniences we are used to. If you really want to turn your advisory into something meaningful for a wide audience or the general public, then you have to put some extra effort into it. In addition, if you intend to start a discussion, make sure you define clearly what the discussion is about. There is a lot of divided opinion going on (the crypto wars and the discussion about pseudonyms are examples; there are lots and lots more). Things can really go wrong once the issue reaches management level.
We’ll be expanding our research in this direction, since we intend to bring security issues to strategic management and try to give non-technical persons a solid foundation on which to base decisions. If you have thoughts on this matter, please get in touch.