One of the most difficult challenges we face working in cybersecurity is communicating to non-technical people just how immensely challenging it can be to “fully” protect our users from potential cyberattacks. It can be excruciating to impress upon some people why they have a part to play in preventing breaches and data loss. I’ve had people get righteously indignant with me over the notion: “How dare you demand that I take actions to secure the company network! That’s your job.” Breaking through that wall of well-meaning denial can be exasperating.
It doesn’t help matters that there’s a pervasive misunderstanding in modern society – at least here in America – that all technology-related functions fall under one technical specialisation, making all IT people blindly interchangeable. Project’s behind because you’ve lost a firewall admin? Throw a help desk tech onto the project! That’ll sort it! Don’t have anyone trained on the new SAP application? Bah, all applications are the same – get the PowerPoint trainer to sort it! My favourite example of this was the executive who demanded to know why we didn’t just “re-write Microsoft Windows” to stop its driver conflicts.
To be fair, it is natural for people to misunderstand how vast and nuanced a profession can be if they have no first-hand experience in the field. A key element in the Dunning-Kruger Effect is the idea that the less a person knows about a subject, the more qualified in that subject they believe themselves to be … thereby engendering a condescending dismissal of anyone qualified in the field who attempts to set them straight. I get how and why this happens.
Of course, it doesn’t help that popular culture and media love to oversimplify complex activities for the sake of narrative efficiency. Probably the most infamous of these events in recent memory was a one-minute segment from American police procedural drama NCIS where two protagonists attempt to thwart a remote network hack by … sigh … simultaneously typing … something … on the same keyboard … together. Like they were mind-melded, and used twenty fingers to accelerate input on a keyboard designed for the traditional ten. Jared Jones from KnowTechie has a description and the entire scene here. This lunacy must be seen to be believed.
Anyway, this sort of abstracted-to-the-point-of-lunacy scene writing is depressingly normal in books, television scripts, etc. I understand why it happens; a writer needs to condense a scene involving technology into a plot point that a non-technical audience can quickly grasp so that they can get back to what’s really important: car chases, witty romantic banter, or whatever. I can empathize with the need to reduce technobabble when you have a hard budget for word count, page count, or minutes of airtime. I also accept that the supporting nerd characters are just there to solve plot complications via “Internet magic.” That’s … fine.
This same over-abstraction affects games as much as it does TV shows and spy novels. I was reading a new game rulebook over the weekend based on the science fiction paintings of Swedish artist Simon Stålenhag. His artbook Tales From the Loop – a creepy vision of a 1980s that never happened – was turned into an excellent table-top role-playing game by Fria Ligan AB. They delivered an entire playable world true to the creepy retro-future technological aesthetic expressed in Simon Stålenhag’s illustrations.
The Tales From the Loop RPG is meant to be a fast-paced, relatively simple game that plays like an episode of Netflix’s crown jewel series Stranger Things. That is to say, a “mystery” in TFtL – what other TTRPGs call an “adventure” – should be paced quickly, jumping from mundane, banal scenes of everyday life in the 1980s to exciting or terrifying scenes featuring robots, monsters, peril, and mad science. Pacing and atmosphere are crucial to making a TFtL game come alive.
To that end, Fria Ligan game designer Tomas Härenstam crafted an elegantly abstract rules system. The players all control 1980s children, each defined by a short list: an archetype, attributes, and skills. Tomas used only four attributes (Body, Tech, Heart, and Mind) with three related skills each. For the “Tech” attribute, the related skills for solving every computer problem imaginable are:
- TINKER is the ability to build and manipulate machines and other mechanical items
- PROGRAM is the ability to create and manipulate computer programs and electronic devices
- CALCULATE is the ability to understand machines and other technical systems
That’s it. In a world filled with artificial intelligences, flying ore freighters, walking robots, time travel, and the occasional confused dinosaur, all of the technology-based challenges can be overcome with just three skill families. Need to defeat a security door with a key code system? Succeed on a tinker roll. Need to realize your favourite transforming robot toy is secretly harbouring part of an escaped AI? Succeed on a calculate roll. Need to fix literally any computer system ever, including a classified military supercomputer made with alien technology? Succeed on two program rolls (one success for the computer part, and a second to deal with the alien bits).
Is that realistic? Of course it isn’t! It’s not intended to be. TFtL isn’t a gritty, realistic simulation of real life; it’s a fast-paced simulation of popular television shows, movies, and comics. If you always wanted to be part of Steven Spielberg’s 1985 hit adventure movie The Goonies, you can replicate the entire story beat-for-beat in TFtL. If you’re captivated by James Tynion’s new horror comic series Something is Killing the Children, you can run your own adventures in that grisly world using the TFtL game engine. It’s flexible and adaptable because it’s simple enough to stretch as needed to address every dramatic plot beat that a mystery writer might introduce.
That’s what struck me as I read my Tales From the Loop gamebooks over the weekend. I’ve been grappling with how to redesign some cybersecurity training products for several weeks and have been struggling to find better ways to reach those students who don’t appreciate how their non-technical actions can truly matter in a world of high-tech cybercrime. It’s the “Who cares if my password is long enough when hackers have [thing I saw in an adventure movie] technology?” problem.
Reaching those people is critical if an organisation is going to effectively protect itself against exploitable mistakes. Cybercriminals don’t need zero-day exploits or military surplus cyborg dolphins to break into corporate networks. Heck, they wouldn’t even use such expensive and complicated kit if they had it, should an easier way in present itself. Criminals prefer the simple and reliable approach. Why climb up the outside of a glass skyscraper in the rain at 3 am to break into a data centre when you can walk through the front door at 3 pm with an engraved invitation while your victims hold the door open and offer you a beverage? Exploit the opportunities to do things the easy way!
That’s what sloppy security hygiene habits provide: opportunities. Leave your computer unlocked? Hold doors open for strangers? Use your cat’s name for all your account passwords? Those simple, low-tech errors give criminals the engraved invitations they need to waltz right past all of your company’s highly sophisticated and technologically incomprehensible defences. The little things really do matter when it comes to preventing breaches. You don’t have to be a programmer or engineer to play an essential role in keeping the bad guys away. You just have to follow security hygiene protocols consistently. There’s no “AI-augmented cloud Solution-as-a-Service” gizmo that can protect the company against an unwitting insider.
But, then, we get back to the problem of convincing non-technical people to own their role in protecting the enterprise. It makes sense that they’d blow us off. Consider their perfectly logical worldview:
- Everyone who works in cybersecurity is an expert in the SECURITY skill. They all know it to varying degrees and use SECURITY to solve every conceivable problem that might arise using super high-tech gizmos.
- I myself do not have any skill points in SECURITY. I just use a PC and a phone. I didn’t put points in SECURITY during character creation or levelling up, so I can’t attempt any tasks that require proficiency in the SECURITY skill.
- Therefore all that “security” stuff isn’t relevant to me and I needn’t be bothered paying any attention to it.
- Oooh! What’s this email about my Apple Music account being cut off if I don’t validate my account?! I’d better click this link immediately and get this sorted …
It’s that complete misconception about how skill affects security that messes everything up for everyone. Yes, security professionals often possess rare and specific skills; that doesn’t mean that there’s a single skill family or ability that covers all of cybersecurity. Most of security doesn’t involve much in the way of technical acumen or engineering skill at all; it’s more a matter of perception, scepticism, discipline, and basic computer literacy. Things that everyone in the office can – and must! – do every day to keep the baddies at bay.
Convincing people of that is darned difficult. It’s comforting to believe that you’re completely off the hook; that it’s all someone else’s problem because you don’t have some mysterious arcane knowledge or training. Being held responsible for essential security practices is disquieting and stressful. Yet here we are … just like we were when computers were new … back in the 1980s that really was. There really was a time when computer users might as well have been wizards for how rare their skills were … but that period ended when PCs became a commodity, popping up in most every home, school, and office. We’re long past the time when technology – and the measures required to secure it – was the exclusive domain of incomprehensible academics.
One last note: I didn’t realize that Tales From the Loop had been turned into a television drama on Amazon Prime until I started writing this column. Now I know what I’m doing next weekend. I’m curious to learn how the writers approach the problem of keeping a kid-centered story fast-paced in a technology-centered alternate 1980s without resorting to having every character be a master programmer, engineer, astronaut, and theoretical physicist at age 10 … like our users sometimes expect us security professionals to be.
I’m quoting directly from page 59 of the core rulebook here.
Pop Culture Allusion: Nathaniel Halpern, Tales From the Loop (2020 television series)