E. Talbot, D. Frincke, and M. Bishop, “Demythifying Cybersecurity,” IEEE Security and Privacy 8(3) pp. 56–59 (May 2010).
- Published version, paper paywalled at IEEE Explore: [DOI] [URL]
- Authors’ final version:
A large part of computer security education is tackling myths that support much of the practice in the field. By examining these myths and the underlying truths or heuristics they reflect, we learn three things. First, students and practitioners learn to separate what is empirically and theoretically supported from what is supported solely by untested anecdotes or handed-down “best practices.” Second, a key part of education is the human dimension of convincing others that stories that sound right aren’t proven and might in fact be wrong. They aren’t necessarily wrong-but this possibility must be considered. Finally, we can consider myths from the perspective of teaching stories, because many evolve from activities that at one time were true or that have some accurate elements.