The do’s and don’ts of writing in cybersecurity
As a lecturer at university and director of a cyber security practice, I read a fair amount of written material above and beyond the latest news article. As a result, I see a lot of good and bad writing, and I wanted to share a few do’s and don’ts in this space. Im sure theres more to this list, but it’s a reflection on the several hundred reports my team has generated and the volume of students I’ve had the privilege of mentoring.
The worst sin in cyber security is hyperbole, that is “exaggerated statements or claims not meant to be taken literally.” When writing in a space that is currently everyone’s emotional focus, introducing more drama into a space that has plenty of it due to the unknown does not assist in creating anything meaningful. Hyperbole in this space is characterised by adjectives and a failure of evidence or qualified statements, the unqualified is all too often taken literally (usually because some hipster has also employed “literally” as an adjective, verb and noun, often in the same paragraph) and coerced everyone to believe that which makes no sense but no one wants to call out the hyperbole for fear of harming the author.
frame the discussion around “ZOMG Hackers”
The framing around attacks and attackers emphasises too much of an embedded 90s cultural reference that only white kids in a basement can be evil, or that threats originate from a particular nation state. As attrition.org noted several years ago, squirrels have done more harm to critical infrastructure than all foreign adversaries combined, and Alex Stamos (former facebook CSO) noted in a talk that the biggest issue facing facebook was trust, confidence and psychological harm over explicit attacks from a nation state. Think outside the stereotype or someone else’s panic; it will ensure that a more complete picture can be developed.
The others I would add into here include:
- Copy verbatim from another document
- Use subjective language
- Turn your academic paper or report into an opinion piece (that’s what medium, twitter, reddit and chat rooms are for).
- make unqualified assumptions- explore all evidence, not just the one that agrees with your belief system
- Use the word cyber as a verb or adjective
- Use cyber when another term might be more appropriate (IE computer network)
- Make an unqualified statement or risk assessment
- Be verbose
- rattle off without a conclusion, or have a weak conclusion.
The ultimate attribute to cybersecurity writing is the application of fact, use of rhetoric and clear concise language for writing. This should be backed up by the following qualities:
have an overarching hypothesis or evaluation
You need to have a point or statement- cyber security is becoming a white elephant or self licking ice cream with no direction. without a stated purpose nested in technology and business requirements, cyber security as an industry has no purpose. Ensure your writing is on point and intends to communicate facts or persuade the target audience.
Use of structure
Structure supports the ability for a clear statement backed up by fact. Most human beings are reading more than ever; a structured approach will ensure that information is absorbed by the readers.
Other tips and tricks I would suggest include:
- Reread some time after the initial authoring, ideally printed on paper as part of your own quality assurance. A simple mistake can undo an entire paper.
- Be objective and communicate in the 3rd person- this is a personal preference, as it reinforces the less emotion and clarity item I’d discussed before.
- Know your audience. If your content does not appeal to them then it is of no use.
Finally, Back up a statement with 1s and 0s. To counter hyperbole and avoid the accusation of charlatanism or hysteria, backup your information with primary evidence, ideally in ones and zeros. If primary evidence is provided, it reinforces the statement and can be used to terminate arguments that are less factual.