Brianne Hughes talks about The Cybersecurity Style Guide

Historical linguist Brianne Hughes is one of the compilers of The Cybersecurity Style Guide. As a technical editor for Bishop Fox, she works on client reports, internal resource development, and ongoing consultant training.

CMOS: What’s the story behind coming up with a style guide for cybersecurity?

BH: Through freelance work in many genres, I’ve learned that every niche of editing has its own universe of vocabulary.

There is always a period of adjustment for editors to learn which strange-looking terms are normal in each context and which are fishy. I found that when I began working for Bishop Fox, I was querying too much. That period of adjustment took much longer than normal. I learned that the terms in use had not been standardized (e.g., pen testing or pentesting); many common terms had a unique technical sense (e.g., deprecate and exercise); and some shorthand terms did not appear like valid nouns to me (e.g., string literal and signed long). I needed help. Through this position, I had access to experts in the field, so I started asking consultants about their pet peeves and common confusions, and I wrote down the consensus, report by report.

The Cybersecurity Style Guide has brought consistency and transparency to the editorial department and the company as a whole. This has lowered frustrations on all sides by resolving questions about pronunciation (a SQL vs. an SQL) and capitalization (DOS vs. DoS) that often come up in reports. Now we can spend more time helping our writers craft their summaries and fortify their narratives. After realizing that this confusing terminology is an obstacle to informing the public about important security issues, we decided to share our findings with the internet as a free PDF.

CMOS: What were some challenges in creating the guide?

BH: A giant challenge of this guide was deciding who and what to appeal to for authority. Unlike other industries that build on older works that are standardized through publishing, many innovations in cybersecurity have come from individuals and small companies who have named and spelled their projects arbitrarily, focusing on the features rather than the appearance of their tools and exploits. For example, I was taken aback to learn that the creators of JSON and Snyk do not have a definitive opinion on how to pronounce the names of their creations.

We chose to use a combination of internet research and asking consultants what sounded right to them through internal polls in our company chat room. Sometimes I would ask how to write a term and immediately learn that there was one solid answer. More often, though, I’d ask how to pronounce a term, and someone would respond that they’ve never considered that before.

This is partly because language is in an amazing moment right now where many words are written first and only spoken later. Book-learned words like epitome and sidereal are often read first and spoken later, but they are eventually corrected by society to line up with the common pronunciation.

However, there are no “correct” pronunciations for digitally born words, which is why there is much debate about how to pronounce GIF and SQL and doge. There are few definitive answers, so the style guide records the common variants that are more widely understood to help newcomers avoid confusion and embarrassment.

CMOS: The guide is like a glossary, in alphabetical order. Tell us something about the process of organizing the entries.

Spelling list for the nouns filename, file paths, file share, file size, filesystem, and file type

BH: One of the minute but crucial organizational decisions was how to alphabetize words with spaces and punctuation. This issue had come up for me before when I worked for the admissions department at a university—do you put O’Connor at the beginning of the O surnames or between Oates and Oddy? We decided to ignore spacing and punctuation here, since compounds may be written closed, open, or with a hyphen (web-based, web page, website), and organizing them into those three groups would make it more difficult to find the term in question.

We also had to decide how to alphabetize capitalization (Google first, then google), how to alphabetize punctuation marks (we chose to organize them by how they appear in the QWERTY keyboard layout), and how to visualize pronunciation (we use the eye dialect method).

CMOS: What surprised you during the creation of the style guide?

BH: Acronym issues, for starters. I knew that security terms were disorganized chaos, but through cataloging each term, I realized just how much confusion acronyms can cause. Acronyms quickly become a murky alphabet soup, especially when they stand for several disparate things (e.g., AP, ICE, IP, MFA, PoC). I started tracking compounds that began with SS because of SSH ports, SSL/TLS, and social security numbers (SSNs). Our current version of the guide now includes a shocking eleven compounds that begin with SS, and the S stands for a different word in most of them.

Always remember… M.P.D.K.W.M.A.M

Through this process, I’ve become a strong advocate for spelling out or briefly defining acronyms on their first use, since, well, Most People Don’t Know What Most Acronyms Mean.

We were also surprised by how long reference works take. In the end though, the extra months increased the quality of the work and allowed us to add timely terms like Spectre, Meltdown, and Animoji in the winter of 2017. The forthcoming V1.1 will include 100+ new terms, including GDPR and deepfakes, which have both come up in mainstream news recently. No guide could ever truly represent the most up-to-date terms in a constantly shifting field like information security, but we hope our guide can start future users in the right direction.

CMOS: How has the public received the guide so far?

BH: It surprised us how quickly this guide spread through the security community—1,000 downloads over the first weekend, over 11,000 by now. The guide really seems to fill a need. I’ve learned that a lot of security researchers must edit their own work and the work of their peers, so the guide has directly improved their workflow, and they appreciate the assistance. I’m actively encouraging improvements from the security community, since the industry professionals who live and breathe this language are the ultimate authorities for what “looks right” and “sounds right.”

The second great surprise has been how many diverse users are excited for this guide. When we defined our core audience, it was pen testers and bug bounty researchers. Secondarily, it was for technical editors and tech journalists who might jump into this world to proof their work. It has been a joy to learn how many can benefit from a guide like this—cryptographers, sci-fi writers, and companies who need to determine their common vocabulary but who speak different Englishes. Some companies now use the Cybersecurity Style Guide as their baseline, even though they are not in our specific niche of security work. We are happy to be useful, and we are working to make the short entries for each term more accessible for users who don’t have the same foundational knowledge as our consultants.

Definition for penetration testing, pen testing (noun), a form of security testing in which evaluators mimic real-world attacks to identify ways to circumvent security features.

CMOS: (We’re guessing that bug bounty researchers are what they sound like. Thanks to the guide, we can pretend we knew what pen testers are.) What are your future plans for the guide?

BH: Ever since we released V1 of the guide in February, we’ve been receiving suggestions from the public and finding typos, so we’re eager to put out a revised V1.1 shortly on our website. We’re also working on a browser-based version of the guide. Many hackers are generally wary of PDF files, because they may contain malicious payloads, so a non-PDF version seems like a good idea to share with our core demographic.

I’m also planning to write blog posts about the quirks of security terminology. The series will be called “Dictionary Attack,” which is a type of attack that uses a digital dictionary to quickly try passwords made of common words against a login page. (Dictionary-based attacks are why short passwords like password and spring2018 are so weak.)

I am also excited to say here that I’ll be hosting a hacker-themed spelling bee at DEF CON this summer that will use the Cybersecurity Style Guide as the word list. The bee is called SpellCheck, and it will include capitalization in later rounds. One clever security professional will redeem themselves from elementary school defeat in front of their peers. It should be a good time.

A PDF of The Cybersecurity Style Guide is available for free download online. See also Brianne Hughes’s introductory blog post for the guide.

Outside her work at Bishop Fox, Brianne Hughes is associate executive secretary for the DSNA, an Odd Salon Fellow, and on the board of directors at Wordnik. Find her online at Twitter (@E_Briannica), encyclopediabriannica.com, and youtube.com/user/EBriannica.

Photo of Brianne Hughes courtesy of Steven Tan (@featherfallpix).
