The aphorism “It’s better to remain silent and be thought a fool …” is counterproductive in the era of existential cybersecurity threats. We need to train our people that asking questions will get them rewarded and protected, not embarrassed and shunned.
One of the important human factors that we have to consider in Security Awareness is that people will go to great lengths to avoid being embarrassed. Many people find being publicly embarrassed more distressful than being physically injured. I know this may seem obvious. I’m bringing it up because it matters and it impacts both how effective your security training programmes are and how quickly your people’s skills will improve.
As a practical example, I made a minor fool of myself on Twitter recently when I stumbled over a term that I thought I understood (narrator voice: he didn’t). Interwoven into my usual feed of security experts’ comments was a thread discussing some sort of political scandal involving “tankies.”  I’d never heard that word before; I thought that it was a British English variant on the American military slang word tanker.
For context: I served in an armoured division when I was a teenager. To us squaddies (another, similar, bit of institutional slang), “tankers” were the armour corps crewmen  who operated the M-60 Patton main battle tanks. They, in turn, called the infantry and support soldiers who rode into battle alongside them “grunts.” Those terms stuck.
When I transferred to the U.S. Air Force after 12 years of soldiering, I learned that “tankers” in the USAF were aircrew who flew and operated aerial refuelling planes like the KC-135 Stratotanker. I spent the last half of my military career in an airlift unit where the fliers used “tanker” less as an insulting nickname and more as a mission differentiator. “Tankers” were simply a different way to move troops and cargo.
I always preferred flying on KC-135s. Our unit’s C-130s were slow and had a bumpy ride.
The trouble was, my Army-conditioned brain internalized “tanker” as meaning “person driving a tracked ground combat vehicle” and had a lot of trouble making the switch to “person operating a flying petrol station.” Every time my airmen made an offhand “tanker” reference, I had to reset my understanding of the sentence to reflect their intended meaning.
Those definitions came to mind when I read the political Twitter thread. Knowing that I already had a blind spot when it came to “tanker,” I figured that “tankie” (in the context of the Twitter conversation) must be about some UK armoured corps soldiers or RAF refueller folks who must have said something politically controversial. Considering that nearly half of the UK pundits that I follow on Twitter have strong opinions about BREXIT, this seemed plausible. Military folks have political opinions just like everyone else.
The thing was, two of the commenters in the discussion voiced scathing comments about “tankies” that referenced extremist political views. That seemed … very odd. The military people that I served with tended to have strong political opinions but rarely ever held extremist views. Real extremists were usually dismissed from service for discipline problems, unreliability, etc.
Even though the political discussion didn’t directly pertain to me, and I had no reason to interject myself into it, something about the way the word “tankie” was being used in the discussion bothered me. I thought I understood what it was intended to mean from the context of my prior personal experiences. I considered adding it to my list of current, acceptable British slang and maybe throw it in to a future column. Before I did though, I wanted to be sure that I understood its meaning correctly. So, I swallowed my dignity and asked some of the commenters to confirm my hypothesis.
[Narrator Voice} He did not.
As it turned out, I was dead wrong. More importantly, I learned that using the term interchangeably with the US military version of “tanker” would have been an awful mistake. According to one helpful Tweeter (Twitter-er?), a “tankie” is defined as “… an apologist for the violence and crimes against humanity perpetrated by twentieth-century Marxist-Leninist regimes.” I learned that this UK slang term uses the exact same root word as my Army slang term (i.e., “tank,” meaning big armoured military vehicle) but applies it in a wholly different light. The terms are not functionally interchangeable.
I was red-faced with embarrassment over my error but that was a small price to pay for understanding the distinction before I made a more serious mistake. Possibly a mistake that brought disgrace on my writing, my publisher, my employer, and my former armoured corps mates. I like sharing inspirational and instructional stories from my military days, but I absolutely do not want to veer into incendiary political topics, either deliberately or accidentally. So … yes. In retrospect, I’m very glad that I asked.
The thing is, I almost didn’t. I wasn’t comfortable interrupting some strangers’ heated conversation that I had naught to do with. It would have been socially safer to just assume I understood and hope for the best. That’s human nature, and it’s one of the challenges that Security Awareness teams need to address every day.
No one wants to appear ignorant, especially in public. At the same time, our discipline uses terms, phrases, acronyms, and slang not familiar to our non-security colleagues. In our zeal to teach, we can inadvertently overwhelm our people with terms that we are familiar with but that our non-technical users are not. Our students might pick up enough from context to get a rough idea of what we’re saying. Maybe. They might also be too embarrassed to ask for clarification. It takes a brave person to look foolish in a group and ask questions like “what’s an e-mail header?” or “why is ‘HTTPS’ considered secure?”
Concepts that we take for granted can seem arcane and complex to highly-intelligent people. We’re not smarter than anyone else. We’re just trained in a specific technical profession.
The thing is, we need those questions. If one person isn’t completely sure of the correct meaning of a word, term, or phrase, then it’s likely that others also aren’t sure but didn’t speak up. That’s dangerous for everyone, since security is a discipline where ambiguity, misunderstanding, and errors can cause irreparable harm. We need every one of our colleagues to become as security-savvy as possible. We need our colleagues to become technologically and operationally sophisticated. We can’t achieve that goal if we allow our colleagues to labour under misunderstandings or not take corrective action until after a preventable error manifests.
For that to happen, security professionals need to create an environment where people feel free to ask questions without fear of social censure or embarrassment. We must change our company culture to one where inquiry and exploration are actively encouraged. We must engage our colleagues with respect and enthusiasm so that their desire to understand our language trumps a fear of being mocked or shunned for appearing foolish.
 If you know the reference, please hold your laughter.
 U.S. combat arms branches (i.e., infantry, armour, artillery) hadn’t been opened to female soldiers yet.