The language of information security

Harold Schiffman hfsclpp at gmail.com
Fri Aug 8 13:57:14 UTC 2008


The language of information security

- Luther Martin

English is one of the few languages that's almost universally used in
the business world, and it is not uncommon for it to be used as the
common language of business communication between speakers who have
different native languages. It also seems to be the language of
information security, and more often than not you'll even hear English
terms like "cryptography," "intrusion detection" or "access control"
used in conversations that are otherwise conducted in French, Spanish,
Chinese, or many other languages. Not surprisingly, the discipline of
information security also shares other features of the English
language.

English is easy to learn but difficult to master. Over 70 percent of
aviation accidents are caused by a lack of communication, so the
International Civil Aviation Organization (ICAO) has required that all
civilian flight crews, air traffic controllers and station operators
attain a significant proficiency in English by 2008 to ensure that a
common way to communicate is shared by all workers in civil aviation.

Language is strongly tied to our sense of national and cultural
identity, so people tend to be very sensitive to issues of language
use and policy, and the broad international agreement to require
English in civil aviation shows that it is a very pragmatic choice for
this, and ease of learning it is one of the main reasons why it was
chosen by the ICAO. The English used by aviation workers is a subset
of English, and is perfectly adequate for air-to-ground
communications, but it's not really suitable for more routine tasks
like ordering dinner. A richer structure is needed for that. An even
more complicated version is needed to accurately communicate
complicated technical concepts, and English also does well in that
respect. On the other hand, that level of understanding is also much
more difficult to attain.

English probably has more words than any other language in the world,
so that almost any subtle shade of meaning has a word that describes
it. The Oxford English Dictionary has complete entries for 171,476
words that are currently used as well as an additional 46,156 words
that are considered obsolete. This large number of words makes it
almost impossible for anyone to learn all of them, making English easy
to learn but difficult to master.

Learning enough information security to attain a CISSP certification,
for example, may be somewhat challenging, but may actually be easier
than learning the subset of English used by civil aviation - the typical
candidate for a CISSP certification probably spends fewer hours
preparing for their exam than the typical language student takes to
become fluent in English to the level required by the ICAO.

Similarly, while it's easy enough to learn the basics of cryptography,
for example, at least to the level needed to use it or to support
products that use it, really understanding exactly how cryptography
works and why it's secure if it's correctly used is a daunting task,
particularly with the complicated mathematics that forms the basis
for public-key cryptography. Other parts of
information security may not require the extensive background in
mathematics that cryptography does, but they are still just as
difficult to master.

English is also essentially unique among modern languages because it
rapidly adopts foreign words, quickly making them its own. English is
a Germanic language, and is closely related to German, Dutch and
Norwegian, sharing a common history as well as a similar grammar with
these languages. Despite this, only 25 percent of the vocabulary of
English comes from Germanic languages, and the remaining words were
adopted from other languages over time. The biggest contributors have
been Latin and French, each providing over 28 percent of English's
vocabulary. Greek has even contributed roughly five percent, and
dozens of other languages have contributed smaller amounts.

Information security shows a similar voracious appetite for the
material produced by a wide range of academic disciplines. Much of the
understanding of modern networks and how to make them secure comes to
information security from mathematics, computer science and
engineering. But because it's also important to understand the
decisions that users make and the business context of security,
information security even borrows freely from psychology, economics
and risk management.

English has also changed significantly over time, and while a fluent
speaker of English will probably find the 600-year-old version of the
language used by Chaucer in The Canterbury Tales fairly difficult to
understand, they will probably find the 1000-year-old version of the
language used in Beowulf totally incomprehensible - English has
changed so much over the past 1000 years that the older version
might as well be a totally different language from the point of view
of a modern speaker. English continues to evolve, of course, and
future speakers of the language will probably find the version that we
use today to be totally incomprehensible in a few hundred years.

Information security also changes over time, and much more quickly
than languages evolve. As new information technologies are invented
they bring with them a new set of security vulnerabilities, so that an
IT environment that was reasonably secure 10 years ago would almost
certainly be inadequate in today's environment. Fortunately,
information security has also adapted to the new threats, so that it's
still possible to keep a reasonable level of security, although the
security technologies that are used to make this happen are as
different from those of 10 years ago as the language of The Canterbury
Tales is from the language that we speak today.

Future threats will probably continue to drive the evolution of
information security and before too long, the technologies that were
used in the early 21st century will seem as archaic as the language of
Beowulf. But the same flexibility and adaptability that has made
English the language of business, aviation and information security
will probably let the discipline adapt to any new threats, so that
future IT environments will still be reasonably secure, although they
may look very different than those of today.

http://superconductor.voltage.com/2008/08/the-language-of.html

