Information Security 28/11/2018

Metaphors considered harmful?

An exploratory study of the effectiveness of functional metaphors for end-to-end encryption.

Albesa is currently an Information Security Intern at G-Research. Below, Albesa shares a summary of a paper she published on USEC Workshop Proceedings website.

The purpose of cryptography has expanded from benefiting primarily the military to securing systems for the general public. Research and a countless number of breaches show that people do not use encryption sufficiently and fail to understand the security benefits which encryption provides. This isn’t much of a surprise, considering that current descriptions used to explain encryption to people are overly technical and require domain knowledge to be understood.

The same way people don’t need to know how an engine works in order to drive a car, they also don’t need to know exactly how encryption works to be able to use it. Therefore, together with some colleagues (Jonathan Spring, Ingolf Becker, Simon Parkin and M. Angela Sasse), we decided to study this issue and explore whether we can come up with some relatable metaphors for end-to-end (E2E) encryption. We focused on metaphors that cue functional mental models. Such models provide understanding of certain properties of the system (i.e. E2E-encryption) which are necessary to complete a real-life task such as encrypting your messages on WhatsApp.

In order to create jargon-free metaphors, we analysed 98 interview transcripts collected in a study about secure communication. We got familiar with participants’ descriptions of E2E-encryption and although the majority were technically inaccurate or incomplete, they were useful in providing examples of lay language for describing encryption.

Through a careful and systemized method, we managed to create five new metaphors for explaining E2E-encryption in lay language. In a survey, we then tested these metaphors and compared them to currently used descriptions. Based on the statistics conducted, results show that although our new metaphors do not necessarily improve people’s understanding of E2E encryption, they harm their understanding less than currently used descriptions. Results also show that metaphors directly derived from participant language rank better than the rest.

In conclusion, creating metaphors for E2E-encryption is very challenging. A more useful alternative may be the use of longer descriptive metaphors or focusing on concrete tasks that a user must complete on a device. However, continuing to direct technical jargon towards lay people is certainly not doing anyone any favours. In order to help people benefit from encryption and become more secure, their mental models must be taken into account.

If you want to read the full paper, click here (it’s not a phishing scam, I promise).

Albesa Demjaha

Stay up to-date with G-Research

Subscribe to our newsletter to receive news & updates

You can click here to read our privacy policy. You can unsubscribe at anytime.