Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Q&A: Security Through Storytelling

Bruce Hallas explains why storytelling is key to Board buy-in
Bruce Hallas explains why storytelling is key to Board buy-in

What is The Analogies Project?

A series of initiatives to support the information security community to engage more effectively with employees and the Board. It is a not-for-profit venture.

The first initiative is an online library of analogies, metaphors and stories that can be accessed and used free of charge.

The content is based on fact and fiction and explores infosec within contexts that people from outside of the industry find more familiar, relevant and engaging. To date, contributions explore information security in over 40 different contexts. These range from farming to record collections, and fatherhood to the ancient library of Alexandria.

The content is submitted by worldwide contributors from both within and outside of the industry. Currently contributions are in English, French and Spanish. The first Portuguese, Dutch and Malay contributions will go live before April.

Where did the idea come from?

Engaging with the Board and employee awareness are consistent re-occurring challenges in the industry. Yet progress in this area has been limited and slow. An alternative and creative approach was needed to supplement existing efforts.

I've used analogies and metaphors to engage with people throughout my career. Knowing how well analogies have worked for me, I could see the benefit of creating a platform to share these. I ran the idea past several members of the Corporate Executive Programme, of which I am a member. In July 2013, we launched the project.

What is its main objective?

Raising awareness to influence cultural behavior is essential to secure information assets and manage risk to economic and social prosperity.

Who can benefit from The Analogies Project?

Anyone looking to engage with stakeholders; whether they are employees, the Board or members of society.

Who (and how) can people get involved?

Anyone with a useful analogy or metaphor that tells the information security story can contribute. In return we will create a contributor profile for you.

You can show your support by following us on Twitter, @TheAnalogies, and contact us through the website theanalogiesproject.org, or drop us an email.

Why did you choose to launch this project?

I’ve worked in information security as consultant, team manager and practice manager for 15 years.

My academic and early career in law, marketing and finance has greatly influenced how I see information security and engaged with stakeholders to raise awareness, drive investment and influence cultural change across business.

I chose to launch the project because without an increase in the effectiveness of communication between the infosec community and the stakeholders it seeks to protect, the change in cultural attitudes and behavior is not likely to materialize.

What is the most common misunderstanding about the information security industry?

Other than, 'it’s an IT issue', I’d say the belief the infosec message isn’t getting through. It is! But if you want to reach out and influence more people, then you’re going to have to change the message and delivery.

If you could teach the world just one thing about infosec, what would it be?

If it is made by man then it can be broken by man. Or, infosec isn’t new. It goes back to the moment humans started communicating. Therefore, our past is littered with examples of the impact of good and poor infosec, how advances in society and technology introduced changes in risk exposure and, importantly, the means by which we found a suitable balance.

What is your favorite infosec analogy?

The Silk Road. I use it widely in workshops and presentations. It always works.


Bruce Hallas is the founder of The Analogies Project where he's the chief infosec curator. He's also the owner and principle consultant at Marmalade Box, an information security practice.

What’s Hot on Infosecurity Magazine?