Choose the right metaphor

I’ve been reading a fascinating paper by Julia Slupska – “War, Health and Ecosystem: Generative Metaphors in Cybersecurity Governance” – that looks at how the metaphors we choose for Internet (in)security limit the kinds of solutions we are likely to come up with. I was reminded of a talk I prepared maybe fifteen years ago where I worried that none of the then-current metaphors for the Internet seemed to lead to desirable outcomes: “Information Superhighway” (seven deaths a day acceptable), “Wild West” (get a bigger gun), and so on. But Slupska – who, unlike me, knows the theoretical background – has her eye on things of greater significance: whose role it is to address the problem and what a “successful” outcome looks like.

The most common metaphor seems to be “cyber-war”, either explicitly or implicitly through terms like “battlefield”, “enemy” or even “Geneva Convention”. These constrain us to thinking of “solutions” that take place between nation states, and involve the “defeat” of some enemy. Any de-escalation must be mutual. At the opposite extreme “cyber-hygiene” places the burden almost entirely on individual behaviour, which seems to be taking things too far in the opposite direction. Intermediate metaphors seem more fruitful: “cyber-ecosystem (environment)” and “cyber-public health”. Both assign roles to nation states, the private sector and individuals, and seek to mitigate, though perhaps not to eliminate, a global threat. Both seek to create mutually-reinforcing incentives though without being entirely dependent on concerted action.

Both seem useful, but I detect a slight preference for the environmental metaphor, partly because global discussions have been going on longer so the framework may be more developed. In particular there’s a fascinating observation that environmental discussions can cope with disagreement, or some parties stepping outside the system entirely. Within an environmental metaphor unilateral action can make sense, even be beneficial: adopting stricter standards for your own industries may give them an economic advantage when others are finally forced to catch up. Here the parallel is explicit with vulnerability disclosure: a “warfare” metaphor makes you much more likely to hoard vulnerabilities in the “enemy’s” systems, an “environmental” one lets you consider whether the (direct or indirect) benefit in fixing your own systems might actually be greater. Maybe we should be talking about a “digital Paris Agreement”, rather than a “Geneva Convention”.

Now go and read the paper

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
