It’s not a virus

(If you don’t read that title in your head the same way Arnold Schwarzenegger said “it’s not a tumor” in Kindergarten Cop, I’d argue you need to rethink your life choices. 😉)

I have a non-functional hot tub that needs repair, which is a problem as my wife and I are preparing to sell our house. (Bear with me for a minute, I’m going somewhere with this.)

When is a hot tub not a hot tub?

On Monday, I called a place that services and repairs hot tubs. I started to explain the issue and what we needed, but as soon as I said the words “hot tub,” the guy I was talking to interrupted. “You don’t have a hot tub,” he told me, “there’s no such thing. You have a spa.” I kid you not.

I’m sure you can imagine my reaction. I paused, trying to process what had just happened, and uttered a short “what the hell is going on here” laugh. In all honesty, there was a part of my brain that wanted to just hang up the phone right then and there.

Unfortunately, we really need the darn thing repaired, and I’d promised my wife I’d get it done, so I soldiered on, calling it a “spa.” Yet that word felt alien in my mouth, like I was talking about a place where someone might put hot rocks on me or dunk me into a tub full of mud – both exactly as appealing to me as I make them sound. Everyone I’ve ever encountered calls this thing a “hot tub.” Books, TV shows, movies, etc. It’s “Hot Tub Time Machine,” not “Spa Time Machine.”

The “hot tub” of the security world

This encounter got me thinking. There’s a huge parallel between this conversation and conversations I’ve seen on security topics. I’ve seen – and, I imagine, have probably said – nearly the same pedantic phrase in another form. “You don’t have a virus, those are rare today. You have malware.”

In the security community, education of the user is of great importance. Thus, we often think that we need to correct terminology like this, to ensure the user understands. Malware is the more “correct” term these days, as the term “virus,” from a technical perspective, implies particular behaviors that most malware no longer exhibits.

However, think about my reaction when someone interrupted me to tell me I don’t have a hot tub. I felt disrespected, talked down to. If I’d been female, I’d have been justified in accusing him of mansplaining hot tubs – sorry, “spas!” – to me. (If a man mansplains to another man, is it still mansplaining?)

Now think about the results. I stuck with the conversation, but I really didn’t want to. That single comment very nearly caused that company to lose my business. The negative feelings could still affect the business relationship, if future interactions are even slightly off. I’m primed to dislike this guy, and the company he represents, if anything doesn’t go exactly right.

The same is likely to be true if you correct someone who tells you they have a “virus.” It may not be entirely logical, but human interactions seldom are.

Don’t be pedantic

The vocabulary used by security or IT professionals is very different from the vocabulary of non-technical people. To the layperson, “virus” is the term used by books, TV shows, and movies to refer to malware. This is the lens through which they see the concept.

No matter what role you have in security, it’s critical that you understand and accept this perspective. Sure, you may not like it, but that’s the way it is. If you are having a discussion with someone who thinks they’re infected with “a virus,” you’ve lost them immediately if you argue about their chosen terminology. You’ve suddenly become an adversary, rather than an ally. You may be able to come back from it, but it’ll take a lot more work.

Instead, focus on the user’s problem. Non-technical people these days are primed to call anything and everything that happens to their computer a “virus.” Help them discover the cause and fix it, regardless of what it is. Chances are, it’s not even malware at all.

Once you’ve fixed the problem, that’s your opportunity to explain the nuances to the user. At that point, they’ll be far more likely to be interested in hearing that the “virus” was actually an adware trojan, how it infected them in the first place, what threat it posed, and how to prevent it in the future.


Long story short, when you – as a technical person – have the task of assisting a non-technical person with a technical issue, it’s your job to adapt to the language that person understands, not vice versa. Failure to do that will lead to… well, failure.