Tuesday 25 July 2017

Infosec glossary as an awareness tool

By coincidence, two of the professional groups/discussion forums I frequent have both been discussing terminology today.

It takes a particular personality type to enjoy discussing terminology, in depth. It requires both tight focus and a broad appreciation of the field. It helps to be well-read, since terms and concepts generally emerge from study or research that may be obscure. It helps also to be open-minded, since terminology is one of those things that fires up experienced and knowledgeable colleagues: the passion is almost palpable! I'm not at all worried about being "put straight" by respected gray-beards - we all give as good as we get, part of the cut-and-thrust of professional discussion.

Some might consider us anally-retentive. 

On the other hand, the information content of language is critically dependent on the meanings, interpretations and implications of the words we use. In relatively new and complex areas such as information security, misunderstandings and confusion stemming from limited or inappropriate vocabulary can be inconsequential, mildly annoying or problematic, depending on the context. On top of that, language evolves naturally as a consequence of how it is used in social intercourse. There is plenty of wiggle-room. 

Anyway, today we've been discussing the meaning of about a dozen core terms of art in the field of information risk and security. Although I don't intend to expand on the definitions and discussion here, it's a chance to raise a more general point about awareness and training.

Explaining terminology is an important part of any decent awareness program or training course. It helps set the scene for both the audience and the authors/presenters/trainers. It differentiates relatively superficial from more in-depth approaches - the former gloss over the details anyway.

We maintain an extensive information security glossary, updating and re-issuing it every month in the course of developing each batch of awareness content. Any specialist terms used in the definitions are hyperlinked to their own definitions, making it interesting (fun even!) to follow one's nose from term to term, hopefully discovering and learning new stuff along the way. It reminds me of the joys of browsing dictionaries, encyclopedias and most of all Roget's Thesaurus when I was young (yes, a long, long time ago, pre-Google, when we thumbed through reference books made of a substance known as paper).

At the same time, I'm not a professional lexicographer. The glossary is a valuable working tool, not a formal academic treatise. We quote numerous "official" definitions from various "official" sources such as ISO/IEC 27000, but in most cases we add our own pragmatic definitions - particularly when the formal ones are too obscure, narrow or plain misleading for our purposes.

Here's a tiny extract to demonstrate its style:

[Screenshot of a glossary extract, not reproduced here]

I added "Actuary" today, in connection with August's awareness topic, cyberinsurance. Along with other terms relevant to cyberinsurance, it is picked out in red. In the definition, "data" and "risk" are underlined hyperlinks to their respective definitions ("risk" is pink because I've followed that hyperlink to check and update the definition, following today's exchange on the forums).

Some of the definitions (such as that one for activist) are a little tongue-in-cheek because they amuse me, and hopefully those little nuggets of humor spur on the intrepid reader who has the interest and the stomach to browse an information security glossary. Our aim in awareness is not just to educate or inform, but to entertain and engage - a delicate balance.

The whole thing is now a little over 300 A4 pages, defining over 2,000 terms with over 80,000 words in total, growing a further page or two most months. If you'd like a copy, download the PDF for about the price of a cup of coffee.
