Writing for Security: Making People Give a Damn

quillIf you really want your technical content to matter for people you have to appeal to their needs. There are primary needs like food, water, sleep, or sex, but it’s difficult to tie those things to malware analysis or threat intelligence reports. If you look to secondary needs you will find things like employment, resources, morality, family, self-esteem, confidence, achievement, and respect. Hopefully, a light bulb went off when looking at this list. If you really want people to care about your content you have to appeal to one or more of these things. Let’s dig into a few of them.

Employment, Achievement, and Respect

I want to lead with employment because it is the secondary need most tied to primary needs. Everyone needs to eat, and unless your Silicon Valley startup actually made it past the second round of funding you probably need a job to buy food for yourself and your family. If your writing can appeal to someone’s need for employment, they are going to care about it.

Tangentially related are achievement and respect, because everyone wants to achieve success in the workplace and be respected while doing it. These are grouped together because most believe that being well respected and achieving positive things will lead to further career success. In most places this is definitely true.

When you’re writing something, ask yourself if it will help someone get a better job or a higher salary in their current job. You may want to think it’s much more complicated than that, but it really isn’t. You may be a person who says “Chris, I’m not in this line of work for the money, so I can’t relate to that.” If you were being completely honest with yourself, you certainly wouldn’t do your job for free, or probably even for half of your current salary. You have to eat and you have to provide for your family and so does everyone else. If you can write something that helps your reader do that, you are appealing to primal psychological needs and people will gravitate towards that.

The best way to appeal to these needs is to provide an opportunity for meaningful action. That action will vary depending on what you’re writing, but here are a few examples:

Penetration Testing Report [You want the reader to fix a finding]:

  • An example of how a finding would be exploited so it can be independently validated and recreated.
  • A news story showing how a similar finding was attacked that can be used to justify the time/resources to fix it to management.
  • A detection signature that can be applied to a Snort/Suricata/Bro IDS so the user can detect exploitation if it can’t be fixed in a timely manner.
  • A list of log types that can be ingested by a SIEM if detective controls are a primary risk reduction strategy.

Threat Intel Blog Post [You want the reader to defend against this threat actor]:

  • A diagram showing the flow of the attack and where protective/detective controls could be applied.
  • Reference links to attacks conducted by this threat group that can be used to justify the time/resources to fix it to management.
  • A detection signature that can be applied to a Snort/Suricata/Bro IDS to that can be used to detect actor activity.
  • A listing of network and host based artifacts that the user can build into their own detection infrastructure and SIEM.

Alert Investigation Ticket [You want management to provide funding for bigger sensors]:

  • A timeline showing the flow of the investigation and areas where it was stalled due to lack of visibility to justify the ask to management.
  • A hypothetical description of how the investigation could have gone and how much time might have been saved if more data was available.
  • A list of the exact type of sensor you need along with a broad cost estimate.
  • A success stories from a colleague/peer who has the level of visibility you desire.

Forensic Report [You want the company to educate users on spear phishing]:

  • A diagram showing how an attacker was able to gain an initial foothold into the network by phishing a number of users.
  • Industry reporting on statistics of users who are susceptible to phishing.
  • Links to news articles of other breaches showing how phishing was a primary attack vector.
  • A guide explaining how the IT staff could conduct a phishing test with the user base to determine how vulnerable they truly are.
  • A list of vendors (or if you’re a vendor, a price quote) on performing an external phishing test.
  • Links to free or paid phishing awareness training programs.
  • A list of tips that can be e-mailed to all users within the company.

If you give the reader a chance to take action from your writing then you’re giving them the chance to achieve something and to gain respect from their peers and boss by doing it. Doing this in a way that truly empowers them is a bit of a balancing act, which we’ll talk about next.

Confidence and Self-Esteem

Nobody likes feeling stupid. If you write something with a lot of technical detail it’s probably a good thing, but if it goes so aimlessly in–depth that it goes over the head of most people reading it, they aren’t going to connect with you. Appealing to primary and secondary needs doesn’t matter if your reader walks away thinking they aren’t smart enough to do anything about the problem you present. That’s why it’s so crucial to go the extra mile. In infosec, your goal is usually to inform, but it’s frequently to persuade. If you want someone to head down a path towards a goal you must realize that the hardest step for them to take is the first. The more work you can do for the reader up front, the more likely they are to take that first step. This means providing actionable examples and step-by-step guides that get them moving. This is more work on you up front as the author, but readers don’t reward lazy writing.

If you provide a call to action that asks the reader to write 10,000 lines of code or change the entire culture of their corporation, they aren’t going to feel confident enough to act on it. There’s a place for that type of writing, but most of the time it shows laziness on your part for not going the extra mile to give them actionable techniques for getting started down whatever path your trying to get them to take.

Figuring out where to position your material can be tricky, but there are a few things to think about when writing it:

  • What’s the lowest common denominator you are trying to appeal to?
    You don’t have to dumb everything down far enough that someone with no experience should be able to get going, but you should assume that most of your readers aren’t as smart as you. If they were, why would they need to read what you’re writing?
  • What is something the reader can do today/tomorrow/next week?
    If you can phase out your action items over the course of time it makes it can make a larger task become less overwhelming. Even something as simple as downloading a tool or sending an e-mail is a step. If the reader can accomplish that step, they are going to build confidence and be more likely to accomplish the next step. It’s a snowball effect.
  • Where can the reader learn more about the concepts they need to make this actionable?
    If you are correctly assuming the reader isn’t as knowledgable about the topic as you are, then you need to do whatever you can to minimize that gap. If you want them to take action on something they don’t know much about, you absolutely must provide reference to resources where they can learn more. If you want a user to write a signature for a malware family, link or provide supporting information about the techniques the malware uses and the libraries it relies on. If you want a user to fix an XSS vulnerability in a piece of code, link or provide examples of different types of XSS protection and libraries that demonstrate different techniques.

If you read all of this and don’t think you need to go the extra mile because your writing is to inform and not to persuade, then I’d say you’re probably fooling yourself, or you’re a lazy writer. Both will result in content that isn’t appealing to your readers, and it will be forgotten.

Morality

One of the oldest debates in history is whether mankind is inherently good or evil. I’m certainly not going to solve that debate here, but I think it’s safe to say that you probably got into information security because you have some sense of right vs. wrong. In most cases, the network you are protecting or assessing represents good, and the real or hypothetical bad guys who want to steal something from it represent evil.

Whether it’s nature or nurture, most humans have a sense of morality from a young age. Whether you realize it or not, you’ve built archetypes of the good guys and the bad guys and in most cases you probably want to be the guy with the cape saving the day. This is important to consider when you write, because if you can tap into someone’s sense of morality then you are going to reach parts of the reader that most writing can’t touch.

I want to be clear on this that I don’t want you to start making moral decisions for someone. In our field, it’s ridiculously easy to stumble into a debate about things like privacy vs. security, and you probably aren’t going to change someone’s mind there. Furthermore, a lot of people enter a way of thinking in irrational ways. Cognitive psychology tells us that someone who enters a line of thought irrationally is not likely to leave that mindset because of rational though. The goal isn’t to manipulate someone’s sense of morality; it is to appeal to it by causing the reader to ask questions.

So what if there is a new piece of malware being used to attack agriculture companies? These companies are targeted all the time. Nobody is really going to care about that unless they work at one of the targeted companies who were affected. Now, what if you consider that the malware caused a significant financial loss that led to a Q2 earnings miss resulting in layoffs of hundreds of people? That changes things a bit. Because someone used the malware to attack this organization, real people were hurt, and the reader will ask themselves whether this is morally wrong. Again, your job isn’t to tell people it’s wrong. Your job is to get them to ask themselves where this action points on their moral compass.

Getting people to ask questions about the moral disposition of something isn’t always easy, and it often requires some digging. One method for getting to this point is by using the 5 Why’s method. Take a fact that you are writing about and ask yourself why it matters, then ask yourself why that matters. For example:

 

Hypothetical Fact: A government contractor was the victim of an attack, resulting in the theft of intellectual property

  1. Why does that matter? The attacks on the government contractor was linked to group X due to similar TTPs
  2. Why does that matter? Group X is comprised of operators believe to be North Korean
  3. Why does that matter? North Korean threat actors have attacked a number of western media outlets and government contractors and are advancing their capability
  4. Why does that matter? The North Korean government has expressed interest in harming western countries through advancing weapons technology
  5. Why does that matter? If North Korea succeeds, the consequences could result in conflict or war.

 

Hypothetical Fact: A newly discovered piece of malware redirects users to a site that scrapes their social media profile if they are logged into Facebook and harvests personal information

  1. Why does that matter? An unknown attacker could gain access to your personal information.
  2. Why does that matter? The attacker could use this personal information to obtain more information about you through social engineering or password reset questions.
  3. Why does that matter? The attacker could collect enough information to steal your identity
  4. Why does that matter? The attacker could cause significant financial loss or ruin your credit score, preventing you from being able to take out a loan on a car or home.

 

In both of these examples, I’ve presented scenarios that mirrors things you’ve probably actually read at some point,  and gone through a process to translate them into their core; things that should provoke questions of morality. Is it right/wrong for North Korea to start a conflict? Is it right/wrong for someone to steal your identity? In these cases both answers are probably pretty clear-cut. In a lot of cases it won’t be so obvious. The important thing is to get people to ask the question.

More on Writing

Writing is a lot more enjoyable when people care about what you’ve written. In the current security landscape you can’t go more than a couple of days without someone writing a blog post detailing the latest threat actor campaign or malware they’ve discovered. If you’re responsible for writing content like this, whether internally or externally, appealing to primary and secondary needs will guarantee that people care more about what you have to say.

If you’re interested in learning more about my personal systems for better technical writing, I’ll be releasing more articles in that area soon, as well as a couple of videos. You can subscribe to the mailing list below to get access to that content first, along with a few exclusives that won’t be on the site.

Sign Up for the Mailing List Here

 

Leave A Reply

Your email address will not be published. Required fields are marked *