Per your examples, the alert is a logical negation of best practice assertions -- an event where compliance state changes from positive to negative. The issue here is framing:
- "Not" unambiguously identifies failure to comply whereas
- An antonym requires thought, and possibly, interpretation.
From an operations point of view, it is much easier to scan a list of assessments for the word "not" than to read assessments for deviations from expectations. Consistent, systematic use of a common negative catch-all (e.g., "not") makes me more efficient. I optimize compliance by eliminating "not". For text that follows an antonym approach, I would hope to find a "warning" prefix.
Alerts and warnings for unexpected activity (e.g., port traffic, out-of-band changes, etc.) are another concern altogether. These are often not simple state-based assertions and therefore, "not" doesn't apply. Unexpected activity is not always illegitimate activity. Alerts must include data about the activity.
------------------------------
Paul Deaver CISSP, CCSP
------------------------------
Original Message:
Sent: Nov 05, 2020 08:21:11 AM
From: Michael Benavidez
Subject: Affirmative vs Negative Tone on Security Alerts
I'd like to get people's thoughts and opinions on the messaging for security alerts and/or warnings, specifically if there's any industry standard or agreement that prefers the positive or negative tone.
For example:
- "Logging is not enabled." vs "Logging is disabled."
- "Data at rest is not encrypted." vs "Data at rest is unencrypted."
- "Account access is not restricted." vs "Account access is unrestricted."
Appreciate any discussion on the matter!
------------------------------
Michael Benavidez, CCSK
Technical Writer
------------------------------