The Inner Circle

Affirmative vs Negative Tone on Security Alerts

  • 1.  Affirmative vs Negative Tone on Security Alerts

    Posted Nov 05, 2020 08:21:00 AM
    I'd like to get people's thoughts and opinions on the messaging for security alerts and/or warnings, specifically if there's any industry standard or agreement that prefers the positive or negative tone.

    For example:

    • "Logging is not enabled." vs "Logging is disabled."
    • "Data at rest is not encrypted." vs "Data at rest is unencrypted."
    • "Account access is not restricted." vs "Account access is unrestricted."
    Appreciate any discussion on the matter!

    Michael Benavidez, CCSK
    Technical Writer


  • 2.  RE: Affirmative vs Negative Tone on Security Alerts

    Posted Nov 06, 2020 08:10:00 AM
    Per your examples, the alert is a logical negation of best practice assertions -- an event where compliance state changes from positive to negative. The issue here is framing:

    • "Not" unambiguously identifies failure to comply whereas
    • An antonym requires thought, and possibly, interpretation.

    From an operations point of view, it is much easier to scan a list of assessments for the word "not" than to read assessments for deviations from expectations. Consistent, systematic use of a common negative catch-all (e.g., "not") makes me more efficient. I optimize compliance by eliminating "not". For text that follows an antonym approach, I would hope to find a "warning" prefix.

    Alerts and warnings for unexpected activity (e.g., port traffic, out-of-band changes, etc.) are another concern altogether. These are often not simple state-based assertions and therefore, "not" doesn't apply. Unexpected activity is not always illegitimate activity. Alerts must include data about the activity.

    Paul Deaver CISSP, CCSP
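
Added example, not part of either post: a Python sketch of the scanning argument in the reply above, run over the thread's own wordings plus a few constructed lines. The function names and the un-/dis-/in- prefix heuristic are assumptions made for illustration.

```python
import re

# Assumptions for this sketch: "not" is the negative catch-all, antonym
# wording may carry a leading "Warning" prefix, and antonyms are guessed
# with a crude prefix heuristic (un-, dis-, in-).
NOT_RE = re.compile(r"\bnot\b", re.IGNORECASE)
WARNING_RE = re.compile(r"^\s*warning\b", re.IGNORECASE)
ANTONYM_RE = re.compile(r"\b(?:un|dis|in)\w{3,}", re.IGNORECASE)

def triage(message):
    """Classify one assessment line as 'fail', 'review' or 'ok'."""
    if NOT_RE.search(message) or WARNING_RE.match(message):
        return "fail"      # explicit marker, no interpretation needed
    if ANTONYM_RE.search(message):
        return "review"    # may be an antonym, may be an ordinary word
    return "ok"

def summarize(messages):
    """Group messages by triage result."""
    groups = {"fail": [], "review": [], "ok": []}
    for m in messages:
        groups[triage(m)].append(m)
    return groups

# The thread's own example wordings.
NOT_FORM = [
    "Logging is not enabled.",
    "Data at rest is not encrypted.",
    "Account access is not restricted.",
]
ANTONYM_FORM = [
    "Logging is disabled.",
    "Data at rest is unencrypted.",
    "Account access is unrestricted.",
]
# Constructed lines: three compliant states and one prefixed antonym.
CONSTRUCTED = [
    "Logging is enabled.",
    "Unique account IDs are enforced.",
    "Inbound SSH is restricted.",
    "Warning: Data at rest is unencrypted.",
]

if __name__ == "__main__":
    for name, batch in (("not-form", NOT_FORM), ("antonym-form", ANTONYM_FORM),
                        ("constructed", CONSTRUCTED)):
        print(name, {k: len(v) for k, v in summarize(batch).items()})
```

The compliant constructed lines beginning "Unique" and "Inbound" land in the review group alongside the real antonym findings, which is the interpretation cost the reply describes.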