When it goes well, explaining security concepts to coworkers, friends, and family is one of the best parts of being in the security industry. It helps others make more risk-aware decisions, reduces 'inarticulate tech geek' stereotypes, and enhances soft-skills. Unfortunately, explanations do not always go well. Audiences need to be in the right state of mind to receive information, and even then, being overly technical or longwinded will quickly turn them into conversation captives looking for an escape route. The following three analogies are the most powerful tools I’ve found for maintaining listener interest when explaining security concepts.  

Healthcare

In healthcare, the most successful treatment plans are tailored to an individual’s diet, environment, genetics, and personality. Similarly, the most effective security programs are tailored to a company’s resources (diet), industry (environment), processes (genetics), and culture (personality). This makes healthcare analogies a great way to explain:

• How maintaining a healthy security program helps avoid catastrophic events
• How to approach incident/emergency response processes
• How a solution for one company may not be as effective at another company
• How security responsibilities are defined across an organization

 

Housing

Housing protects our privacy, possessions, and psyche. Whether owned or rented, we customize our spaces to protect our family and to address day-to-day needs as efficiently as possible. Because of this, housing is a fantastic way to describe:

• How access controls and at-rest encryption work to protect assets
• How to best prioritize security projects
• How to approach on-site vs. off-site decisions
• How security measures and adverse events impact cyber-insurance

 

Transportation

Trains, planes, ships, and automobiles get people from point A to point B, and most of us are familiar with the various rules and laws that protect us when traveling. Similarly, a core function of IT environments is to securely move data from place to place, making it a terrific way to illustrate:

• How in-flight encryption, proxies and DLP work to protect assets
• How endpoint security measures interact with network security measures
• How tradeoffs between speed and security work for projects, data, and processes
• How some controls reduce risk, while others are little more than security theater

  I’ve found the above analogies to be my most powerful tools for explaining security concepts in a broadly applicable, highly relatable, memorable, and succinct way. Weave them into your explanations to help turn former conversation captives into security champions.