Helping Users Understand Cybersecurity: Availability Becomes Reliability

Last week I explained how I thought that “Accuracy” was a better term than “Integrity” when we are communicating with users. The week before that, I said that “Privacy” is a better term than “Confidential”. This is part of my wild idea for replacing “CIA” with “PAR”. Privacy, Accuracy, and Reliability.

What Does “Available” Mean to the Typical User?

I think that “Available” is OK, as far as it goes. It seems a little casual to me, sort of “It’s there if you want it” but not specifying that it definitely will be there.

And, mere availability is just the start.

Meeting Expectations

Learning Tree’s System and Network Security Introduction course has a very nice summary of what information security could mean. It includes the following:

… and the system behaves the way you expect.

Yes! Availability plus predictable behavior. “I will be able to do calculations, and when I do, 2 plus 2 will always equal 4.”

Or, that the network will be up, and providing at least some minimum level of performance.

Software design considers the Principle of Least Astonishment. A well designed system will behave as you expect it to.

Users shouldn’t need much explanation. If you can’t easily figure out how to use a system, or if you are surprised by its behavior, then that system is poorly designed.

The Case of the Mysterious Document

I recently taught Learning Tree’s System and Network Security Introduction course. One of the students needed me to fill out an SF-182 (Standard Form 182 of the U.S. Office of Personnel Management).

The student sent me email with an attached PDF file, asking me to complete and sign Section F at the bottom of page 2.

I saved the attachment to a file, then opened it with a PDF viewer. Page 2 was partially filled in but all of Section F was blank. I printed just that page. I printed my name and contact info, then signed where indicated. Then I scanned that sheet and replied to the email with that scan as an attachment.

I quickly received a reply. The student complained that I had changed things I shouldn’t have. Learning Tree names and addresses were in inappropriate fields at the top of the page. No, I hadn’t.

I had looked at the PDF file with KPDF, part of the KDE desktop environment. Now I examined the original with Xpdf and Okular. It looked the same in all of them.

I had been working to that point on my OpenBSD laptop where I do all my email. Adobe doesn’t provide anything for OpenBSD, so I copied the file to a Linux workstation.

Ah. With Adobe Reader, I now see the expected content. (By the way, Adobe dropped support for Linux in 2014 but you can still install the old RPM package files on current distributions)

The file had not changed. The file always contained multiple versions of the content. What you see (and print) depends on the tool!

This literally violated the Principle of Least Astonishment for me.

I printed the appropriate version as seen from within the long unsupported Adobe environment, signed it, scanned it, and mailed back the result.

The Case of the Ambiguous Numbers

Someone at Learning Tree sent an email to all the instructors. The message had the following literal content (except I have changed the original numbers):

In case of a travel emergency,
call 1-866-555-1110<tel:1-800-555-4924> and ...

I am interested in information security and I don’t like spam. So I have Thunderbird configured to display email content as literal plain text. So, I saw the above. I had no idea which number to call in an emergency.

If I click View | Message and pick HTML, I see the first number blue and underlined:

In case of a travel emergency,
call 1-866-555-1110 and ...

Hovering the mouse over the underlined phone number shows the other number as a link.

Several messages went back and forth before things were finally sorted out.

Let’s Use Helpful Terminology

Catchy slogans and acronyms can be nice, if they help. If they get in the way of communication, we must replace them.

“Available” is OK, as far as it goes. Something will be available.

However, we need that something to be useful. Something we can count on.

“Reliable” is better.

Will I Insist on “PAR” Instead of “CIA”?

No. I know that “the CIA triad” is entrenched. I did not expect to convince you to change your terminology.

But did I make you think about this? I hope so! That was my intent.

We’re stuck with “CIA”. However, it’s not an ideal description. We must carefully explain what’s important, and what’s needed, to the users on the front lines.

We now return you to your normal cybersecurity universe.

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.