We all like to believe our data is safe. We lock it in vaults, protect it with keys, and keep our money in wallets. We even browse the web incognito, as if cloaked from view. The language of digital life borrows heavily from the physical world — and that’s precisely the problem.
In our new paper, “Naming Security: How Offline Metaphors in Digital Systems Shape Risk Perception - and Create Space for Online Fraud,” we explore how this familiar vocabulary of safety shapes behaviour online. Our central argument is simple: by using comforting metaphors from the offline world, we make digital systems feel more secure than they really are. Those misplaced feelings of safety create the psychological space that online criminals exploit.
Take so-called “Private” or “Incognito” browsing. Our research highlights studies showing that many users believe these modes hide them completely - when in fact they only stop a device from storing local history. The illusion of invisibility is linguistic as much as technical.
The same pattern runs through the wider digital economy. Terms like vault, wallet, and token suggest solid, tangible ownership; but what they really describe are fragile credentials, easily copied or stolen. A “wallet” doesn’t hold your money, a “key” doesn’t prove who you are, and a “vault” can be opened by anyone who acquires the right code. The metaphors are doing more security work in our minds than the systems are doing in practice.
The consequences are visible in the data. Last year, the FBI’s Internet Crime Complaint Center logged more than $16 billion in reported losses. In England and Wales, the Crime Survey counted 4.1 million incidents of fraud - a one-third increase on the previous year. Behind those numbers lies a culture of misplaced trust: users taking reassurance from “secure” labels, padlock icons, and processes that look serious but are often little more than performative friction.
Our paper calls for a rethink. We argue for truth-leaning metaphors - language that clarifies limits rather than obscures them. “Local-only browsing” tells the truth about what private mode does. A “Vault - folder with extra approval steps” makes the protection explicit. We also recommend clearer just-in-time warnings, more disciplined use of security icons, and a shift from theatrical reassurance to verifiable security.
Words alone can’t stop fraud, but they shape the choices that make it possible. If language can inflate a sense of safety, it can also restore realism. The first step towards a safer digital world may be to talk about it more honestly.
Read the full report:
Naming Security: How Offline Metaphors in Digital Systems Shape Risk Perception
[Insert download link or call-to-action]
Source Material & Footnotes
[1] Verizon. (2024). 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
[2] IBM Security. (2024). Cost of a Data Breach Report 2024. https://www.ibm.com/reports/data-breach
[3] Gartner, Inc. (2021). API Security: What You Need to Do to Protect Your APIs. https://www.gartner.com/en/information-technology/glossary/api-security
[4] CyberArk. (2024). The 2024 CyberArk Identity Security Threat Landscape Report. https://www.cyberark.com/resources/threat-research-blog/2024-identity-security-threat-landscape-report
