Narnaiezzsshaa Truong
What 'Like You're Five' Security Actually Looks Like (Hint: It's Not Condescending)

I Built an AI Tool to Generate Security Explanations. Here's What I Learned When It Produced Nonsense.


Introduction

My friend's 8-year-old asked me what a VPN was because her friend's dad told her they use one "to be safe online."

I had two options:

The accurate answer: "A VPN creates an encrypted tunnel between your device and a remote server, masking your IP address and preventing ISP-level traffic inspection..."

The condescending answer: "It's like a magic shield for your computer, sweetie!"

Both of these answers suck.

Option 1 is technically correct but utterly useless to someone who doesn't know what an IP address is. Option 2 is accessible but teaches her nothing—and honestly, it's a little insulting to her intelligence.

So I tried a third option. I built CyberLens, an AI-powered tool that generates security explanations at three levels:

  • Like You're Five (playful & simple)
  • Like You're New to Cyber (clear & beginner-safe)
  • Like You're Interviewing (clever & analogy-rich)

I created it during the AWS AI & ML Scholars program using PartyRock, with the goal of helping parents, educators, and career-switchers explain complex security concepts simply.

Here's what I learned: Sometimes it works brilliantly. Sometimes it produces absolute nonsense. And learning to tell the difference is more valuable than the tool itself.

This article is about what "explaining like you're five" actually means—and what happens when you try to automate it.


What CyberLens Actually Produces: Four Case Studies

Let me show you what the tool generates for common security concepts. I'm not going to show you idealized, cleaned-up versions. I'm going to show you actual outputs—the good, the bad, and the bewildering—because that's the only way to understand what AI tools can and can't do.


Case Study 1: Phishing

The Actual Kid-Friendly Output

"Let me explain phishing in a fun way!

Imagine you're dressed up as Spider-Man for Halloween, and you see someone else also dressed as Spider-Man. They look almost like the real Spider-Man, but something's not quite right - maybe their costume is a different shade of red or their web patterns are wrong.

This fake Spider-Man comes up to you and says, 'Hey! I'm the real Spider-Man! Can you tell me your secret clubhouse password?' Even though they look similar to Spider-Man, you know better than to share your secrets with someone just pretending to be a hero!

That's what phishing is - bad guys on the internet dress up their emails or websites to look like they're from people you trust (like your favorite websites or your parents' bank). They try to trick you into sharing secret information, like passwords or personal details.

Just like you wouldn't give your secret clubhouse password to a fake Spider-Man, you should never share private information when you get suspicious messages, even if they look real at first glance!

Remember:

  • Real heroes (and real companies) never ask for your secrets through unexpected messages
  • If something feels weird, always ask a grown-up for help
  • When in doubt, keep your secrets safe!"

What Works

Solid structural elements:

  • ✅ Concrete analogy (Halloween costumes)
  • ✅ Clear deception mechanism (fake vs. real)
  • ✅ Bridges to digital (emails, websites, passwords)
  • ✅ Actionable guidance (ask a grown-up)
  • ✅ Three-part "Remember" section

The core framework is sound: impersonation + visual similarity + trust exploitation = phishing.

What I'd Refine

The Spider-Man problem:

  • Brand-specific — Not every kid knows Spider-Man
  • Potentially dated — Pop culture references age poorly
  • Gender-coded — Skews male without intending to
  • Unnecessarily elaborate — "Different shade of red or web patterns wrong" is detail overload

Missing mechanism specifics:
The output mentions "emails or websites" but doesn't explain HOW phishing reaches you. Kids need to know it arrives in their inbox, might be a text, could be a fake login page.

My Refined Version

"Phishing is when someone pretends to be someone you trust to trick you into giving them your secrets. It's like if someone dressed up like your teacher and asked for your lunch money—they're not really your teacher, but they're pretending to be.

Online, phishers send emails that look like they're from your bank, your school, or Netflix. They're trying to get you to click a bad link or type in your password. The trick is they're really good at copying how the real company looks and talks.

Always check with a grown-up if something feels weird, even if it looks official. Real companies never ask for your secrets through surprise messages."

Why this works better:

  • Universal analogy (every kid has teachers)
  • Clearer digital mechanism (emails, links, passwords)
  • Tighter structure (3 sentences vs. 6 paragraphs)
  • No brand dependencies

The Key Insight

CyberLens gave me 80% of what I needed. The costume analogy demonstrates the right pattern—impersonation through visual similarity. I just needed to swap the brand-specific example for something universal and add technical specifics.

This is how to use the tool: Generate structure, apply editorial judgment, refine for your audience.


Case Study 2: VPN

The Actual Kid-Friendly Output

"Imagine you're sending a secret message to your best friend across the playground. But you don't want any other kids to see what you're writing!

A VPN is like putting on an invisible superhero costume before sending your message. When you wear this special costume:

  • Nobody can see who's really sending the message
  • Your message travels through a secret tunnel that only you and your friend know about
  • Even if someone finds the message, they can't read it because it's written in a special code

It's just like when Spider-Man puts on his mask - people don't know it's Peter Parker underneath!

Or think about having a special secret handshake with your friend. Only the two of you know the exact moves, so nobody else can copy it or understand what it means.

That's what a VPN does for your computer - it keeps your internet activities private and safe from people who shouldn't see them, just like a superhero costume keeps your real identity secret! 🦸‍♂️🦸‍♀️"

The Pattern Repeats

Spider-Man AGAIN. Both phishing and VPN reach for Marvel references. This tells me the underlying prompt has a pop culture bias.

Count the competing analogies:

  1. Invisible superhero costume
  2. Secret tunnel
  3. Spider-Man's mask
  4. Secret handshake
  5. Superhero costume (again)

Pick ONE. Kids can't build a mental model when you're throwing five different metaphors at them.

The Critical Inaccuracy

"Your message travels through a secret tunnel that only you and your friend know about"

This is misleading. The VPN provider can see EVERYTHING in that tunnel. It's not secret from them—it's only secret from your ISP, the coffee shop WiFi, and network snoopers.

This omission creates a false sense of security.

My Refined Version

"A VPN is like sending secret letters through a special mailbox that only you and your friend can open. When you're on public WiFi—like at a coffee shop—anyone nearby can see what websites you're visiting. A VPN wraps your internet traffic in a protective envelope so no one else can peek.

Important: The VPN mailbox can see your letters. Without a VPN, your internet provider sees everything. With a VPN, your VPN provider sees everything instead. You're choosing who to trust, not eliminating trust. That's why we use VPNs that promise not to keep records."

Why the trust model matters:

When a friend's kid asked "So VPNs can still see what I'm doing?", the CyberLens explanation would have failed because it claimed total secrecy. My version acknowledges the tradeoff honestly, which:

  • Teaches accurate mental models
  • Encourages critical thinking about trust
  • Doesn't create false confidence
  • Respects her intelligence

Case Study 3: 2FA (When CyberLens Produces Nonsense)

The Actual Kid-Friendly Output

"Imagine you have a super-secret clubhouse, and you want to make sure only your best friends can get in. That's what 2FA (Two-Factor Authentication) is like!

Here's how it works:
First, you need to know the secret password (like "bananas") - that's the first step.

But wait! Just like how superheroes don't just wear masks - they have special costumes too - you need TWO things to prove it's really you!

The second thing could be:

  • A special code sent to your parent's phone (like a secret message from headquarters!)
  • Your fingerprint (like a superhero's special power)
  • A special badge on your phone (like a superhero badge)

So if someone learns your password, they still can't get in because they need that second special thing too! It's like having both a secret handshake AND a special decoder ring - you need both to join the club!

That's why 2FA helps keep your online stuff safe, just like having two locks on your toy safe is better than just one! 🦸‍♂️🔐"

This Is Where It Fails Completely

Let's examine this sentence:

"Just like how superheroes don't just wear masks - they have special costumes too"

What is this trying to say?

  • Masks = first factor (password)?
  • Costumes = second factor?

Why doesn't this work?

  • Superheroes don't authenticate themselves with masks + costumes
  • These aren't separate security mechanisms
  • The analogy maps to nothing in the 2FA concept
  • It's pure nonsense dressed up as pedagogy

What It Should Have Been

"2FA is like needing TWO keys to open a treasure chest instead of just one. Even if a pirate steals your first key (your password), they still can't open the chest without your second key (a special code on your phone). Banks use this because passwords can be stolen, but stealing your password AND your phone is much, much harder."

Why this works:

  • Clear 1:1 mapping (two keys = two factors)
  • Explains WHY this matters (harder to steal both)
  • Concrete scenario (treasure chest, pirate)
  • No competing metaphors
  • No incoherent superhero logic

The Beginner Guide Is Actually Excellent

CyberLens's beginner explanation includes the "something you know + something you have + something you are" framework, which is exactly right. This is the industry-standard way to explain 2FA.

So what happened?

The tool has inconsistent quality. When it works, it produces excellent frameworks. When it fails, it produces word salad. There's no way to predict which you'll get.

This is why AI tools can't replace expertise—they require expert oversight to catch the failures.
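To make the "something you know + something you have" framework concrete for readers who want the mechanism rather than the analogy, here is an added example that is not part of the original article or of CyberLens: a Python login check that requires both a password and a time-based one-time code of the kind an authenticator app on a phone produces (RFC 6238 TOTP, which is an assumption about what "a special code on your phone" refers to). The password, salt and TOTP secret are constructed demo values; the secret is the RFC 6238 reference secret so the generated codes can be checked against the RFC's published test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials (not from the article). The TOTP secret is the
# RFC 6238 reference secret, so the codes below match the RFC test vectors.
TOTP_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"bananas", PASSWORD_SALT, 100_000)
STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'something you have' factor."""
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(password: str) -> bool:
    """'Something you know': salted PBKDF2 hash compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def code_ok(code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift, constant-time compare."""
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SECRET, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(code, expected):
            return True
    return False


def login(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass. Both are evaluated so a failure does not reveal which one was wrong."""
    now = int(time.time()) if unix_time is None else unix_time
    have_password = password_ok(password)
    have_code = code_ok(code, now)
    return have_password and have_code


def demo(now: int = 59) -> dict:
    """Constructed scenarios: only the party holding both factors gets in."""
    phone_code = totp(TOTP_SECRET, now)
    return {
        "owner, password + phone code": login("bananas", phone_code, now),
        "attacker, stolen password only": login("bananas", "000000", now),
        "attacker, phone code only": login("guess", phone_code, now),
        "owner, code from previous 30 s step": login("bananas", totp(TOTP_SECRET, now - STEP_SECONDS), now),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

The two things the treasure-chest analogy glosses over are visible here: the second factor changes every 30 seconds, so a code copied from an old message is useless, and the server checks both factors before answering, so an attacker who only has the password learns nothing about whether the password was right.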


Case Study 4: Ransomware (The Best and Worst Combined)

The Actual Kid-Friendly Output

"Let me explain ransomware using a fun example!

Imagine you have a special toy box with all your favorite toys inside. One day, a mean wizard (that's the bad guy) comes and puts a magical lock on your toy box. The wizard says, 'If you want to play with your toys again, you have to give me 100 pieces of candy first!'

That's kind of like ransomware. Bad guys on the internet put special locks (like secret spells) on people's computers and files. They won't unlock them unless people pay them money. Just like you wouldn't be able to play with your toys, people can't use their important files and pictures.

That's why it's super important to:

  1. Keep a backup of your toys (files) in another toy box (like having copies)
  2. Don't open strange magical packages (suspicious emails or files)
  3. Have a protective shield (antivirus software) guarding your toy box

Just like how superheroes protect their secret hideouts with special codes and security systems, we need to protect our computers from these mean wizards who try to lock up our stuff!"

What Works Better Here

The toy box analogy is actually coherent:

  • ✅ Clear scenario (toys locked in a box)
  • ✅ Ransom demand (candy = money)
  • ✅ Explains the crime clearly
  • ✅ Includes the key defense (backups!) — this is crucial

But then...

The ending randomly switches from wizards to superheroes. Pick ONE fantasy framework and stick with it.

The Beginner Guide Shines

For ransomware, CyberLens's beginner explanation is excellent:

  • Uses the Colonial Pipeline attack (real, recent, high-impact)
  • Explains concrete consequences (fuel shortages)
  • Lists clear protective measures
  • No weird analogies

This is what CyberLens does well: When explaining to people new to cyber, it produces solid, practical guidance.

The Interview-Level Is Also Better

The "high-tech kidnapping" metaphor with the unbreakable glass box is actually memorable and appropriate. It's still a bit long, but it's one of the better interview-level responses the tool generates.


The Pattern Across All Four Concepts

After analyzing phishing, VPN, 2FA, and ransomware, here's what I've learned about CyberLens's consistent strengths and gaps:

✅ CyberLens Strengths:

Beginner-level explanations are consistently good:

  • Practical, concrete examples
  • Real-world scenarios (Colonial Pipeline, Amazon phishing, coffee shop WiFi)
  • Industry-standard frameworks ("something you know/have/are")
  • Clear protective measures

It generates creative frameworks I wouldn't think of:

  • Costume/disguise angle for phishing
  • Toy box for ransomware
  • Multiple complexity levels help calibrate tone

⚠️ CyberLens Weaknesses:

Kid-friendly level has major issues:

  • ❌ Over-relies on pop culture (Spider-Man appears in 2 out of 4 concepts)
  • ❌ Uses too many competing analogies (5 metaphors in one explanation)
  • ❌ Sometimes produces incoherent logic (superhero costume nonsense)
  • ❌ Inconsistent quality (toy box works, costumes don't)

Missing critical nuances across all levels:

  • ❌ Trust models (VPN provider can see everything)
  • ❌ Ethical dimensions (privacy ≠ secrecy)
  • ❌ Tradeoff discussions (what you're gaining vs. losing)

Interview-level responses are too long:

  • ❌ 4-7 sentences when you need 3 soundbites
  • ❌ Extended metaphors instead of frameworks
  • ❌ Hard to memorize under pressure

Why I'm Showing You the Failures

You might have noticed something unusual about this article: I'm showing you CyberLens's actual outputs, not cleaned-up versions.

The Spider-Man explanation? That's what the tool produces right now.

The superhero costume nonsense? That's what you'll get if you try it yourself.

I could have hidden this. I could have shown you only my refined versions and implied the tool generated them perfectly. That would make CyberLens look better.

But it would be editorial dishonesty.

Here's why I'm being transparent:

1. You Deserve Realistic Expectations

If you try CyberLens expecting it to produce the "fake teacher" explanation, you'll be disappointed when it gives you Spider-Man. That disappointment erodes trust.

Better to show you what the tool actually does: it gives you structure and starting points, not finished copy.

2. The Refinement Process IS the Value

CyberLens isn't valuable because it produces perfect explanations. It's valuable because it:

  • Generates frameworks you wouldn't have thought of (costume analogy for phishing)
  • Gives you three complexity levels to compare (seeing all three helps you calibrate)
  • Forces you to articulate why something works or doesn't (critical thinking practice)
  • Speeds up the ideation phase (faster than starting from scratch)

The tool doesn't replace expertise—it scaffolds it.

3. This Models What I Want You to Do

When you use CyberLens (or any AI tool), you should:

  1. Generate the output
  2. Evaluate it critically (what works? what doesn't?)
  3. Refine based on your audience
  4. Test it on real people
  5. Iterate

If I only showed you polished outputs, I'd be teaching you to trust AI blindly. That's the opposite of cybersecurity thinking.

4. Constraints Breed Methodology

CyberLens was built using PartyRock during the AWS AI & ML Scholars program. I can't easily edit the prompts or retrain the model. The outputs are what they are.

This constraint forced me to develop a methodology: evaluate → critique → refine.

That methodology is more valuable than perfect outputs because it's transferable. You can apply it to any tool, any concept, any audience.

5. The Meta-Lesson

Cybersecurity is about critical evaluation of trust.

If I'm telling you to critically evaluate phishing emails, I should demonstrate critical evaluation of my own tool's outputs.

If I'm teaching you not to trust something just because it looks legitimate, I shouldn't present my tool's outputs as perfect just because they came from AI.

The standard I'm holding others to must apply to my own work.

That's editorial integrity.


Where Human Refinement Adds Value

Here's the systematic refinement process I've developed from using CyberLens:

Step 1: Identify What Framework It's Using

CyberLens generates an analogy or metaphor. Extract the core framework:

  • Phishing = costume/disguise impersonation
  • VPN = secret tunnel/protective envelope
  • 2FA = multiple locks/keys
  • Ransomware = kidnapping/hostage situation

Step 2: Evaluate the Analogy

Ask these questions:

  • Is it universal? (or brand-specific/culturally limited)
  • Does it map 1:1 to the concept? (or is the logic incoherent)
  • Is it memorable? (or too complex/too many competing metaphors)
  • Does it explain WHY? (or just WHAT)

Step 3: Check for Critical Omissions

Security concepts have layers CyberLens often misses:

  • Trust models — Who can see what? What are you trading?
  • Ethical dimensions — Is this about hiding bad things or protecting privacy?
  • Tradeoffs — What do you gain vs. lose?
  • Limitations — When does this NOT help?

Step 4: Refine for Your Specific Audience

Swap specific examples for universal ones:

  • ❌ Spider-Man → ✅ Teacher
  • ❌ Superhero costumes → ✅ Treasure chest keys
  • ❌ Mean wizard → ✅ Pirate (if you want playful) or just "attacker" (if you want neutral)

Add missing mechanisms:

  • Not just "phishing is fake emails" but "they arrive in your inbox, look like real companies, contain links to fake websites"

Step 5: Test and Iterate

  • If they nod: "Oh, that makes sense!" → You've got it
  • If they look confused → Refine again
  • If they ask good follow-up questions → You've sparked curiosity (mission accomplished)

What "Explaining Like You're Five" Actually Means

Through this process, I've learned what makes explanations work—and what makes them fail.

Bad "Like You're Five" Explanations:

Too abstract: "Encryption is like turning words into a secret code!" (How? This doesn't help.)

Overly cute: "Firewalls are like security guards who check everyone's ID!" (Anthropomorphizes technology incorrectly.)

Missing motivation: "HTTPS keeps your data safe!" (Safe from what? Why should I care?)

Incoherent logic: "Masks and costumes are like passwords and 2FA!" (These don't map to each other.)

Good "Like You're Five" Explanations:

Use concrete analogies the audience already understands:

  • Teachers (everyone has them)
  • Locked boxes (universal concept)
  • Letters in envelopes (physical mail)

Explain WHY you'd want this, not just WHAT it is:

  • "Anyone nearby can see what websites you're visiting" (concrete threat)
  • "Passwords can be stolen" (clear vulnerability)

Address the ethical dimension:

  • "It's not about hiding bad things—it's about keeping private stuff private"
  • Privacy ≠ secrecy ≠ deception

Use age-appropriate language without being patronizing:

  • "Protective envelope" not "magic shield"
  • "Secret letters" not "super-duper hidden messages"

Build foundations that support deeper questions:

  • When my friend's kid asked "But VPNs can still see what I'm doing?", my explanation didn't collapse—it had room for that nuance

Who Actually Needs "Like You're Five" Explanations?

Not just five-year-olds.

Parents: You need simple explanations to answer your kids' questions without needing a CS degree.

Educators: You need age-appropriate ways to teach digital literacy without terrifying or patronizing kids.

Security practitioners: You need Level 1 explanations for:

  • Executive summaries (CEOs want "here's the problem, here's the fix")
  • First conversations with non-technical stakeholders
  • Quick social media posts that get attention
  • Opening slides of technical presentations to get everyone on the same page

Career switchers: You need to prove you understand concepts deeply enough to explain them simply—that's a job interview skill.

Anyone working with AI tools: You need the critical thinking skills to evaluate whether outputs are accurate, useful, and appropriate.


How to Actually Use CyberLens (or Any AI Explanation Tool)

The Process:

  1. Go to CyberLens and enter a security concept
  2. Read all three levels (Like You're Five, New to Cyber, Interviewing)
  3. Evaluate critically:
     • What framework is it using?
     • What works about this analogy?
     • What's missing or unclear?
     • Is there incoherent logic?
     • Would this land with my actual audience?
  4. Refine based on your assessment:
     • Swap specific examples for universal ones
     • Add missing mechanisms, trust models, or ethical dimensions
     • Tighten language
     • Remove competing analogies
  5. Test with someone outside tech:
     • If they nod: "Oh, that makes sense!" → Success
     • If they look confused → Refine again
     • If they ask follow-up questions → Even better
  6. Iterate: The first version is never perfect.

What You're Actually Doing:

You're not using an answer generator. You're using a thinking partner that:

  • Speeds up ideation
  • Suggests frameworks you wouldn't have considered
  • Forces you to articulate why something works or doesn't
  • Provides structure you can refine with domain expertise

The tool provides the scaffolding. You provide the architecture.


The Bigger Lesson: AI Tools Require Expertise

CyberLens taught me something uncomfortable: Automating expertise is harder than it looks.

The tool works best at the beginner level because that's where you need practical, concrete guidance. The kid-friendly level is where expertise matters most—you need to:

  • Choose analogies that resonate across demographics
  • Explain complex ideas without creating misconceptions
  • Balance simplicity with accuracy
  • Include ethical and trust dimensions

These are judgment calls AI can't make reliably.

The interview level requires memorization strategy, speaking clarity, and understanding what interviewers actually want to hear.

These are performance skills AI can't optimize for.

What This Means for You:

When using ANY AI tool for explanations, content, or decision-making:

  1. Expect inconsistency. Some outputs will be excellent. Some will be nonsense. You need the expertise to tell the difference.
  2. Verify everything. Don't trust outputs just because they look polished. Check for:
     • Technical accuracy
     • Logical coherence
     • Missing critical information
     • Inappropriate assumptions
  3. Your refinement is the value. The tool's output is raw material. Your expertise transforms it into something useful.
  4. Document what doesn't work. When the tool fails, that's data. Learn from it. Refine your process.
  5. Be transparent about limitations. If you're sharing AI-generated content, be honest about what you changed and why.


If I Built CyberLens v2

Knowing what I know now, here's what I'd change:

Prompt Engineering:

  • ❌ Remove all pop culture references
  • ✅ Use only universal concepts (teachers, locks, letters)
  • ✅ Limit to ONE analogy per concept
  • ✅ Include explicit trust model discussions
  • ✅ Add "why this analogy works" meta-explanations

Interview Level:

  • ✅ Maximum 3 sentences
  • ✅ Include a memorable soundbite
  • ✅ Structure: definition → mechanism → defense
  • ✅ Optimize for recall, not impressiveness

Quality Control:

  • ✅ Add "coherence check" (does the logic actually map?)
  • ✅ Flag incoherent outputs for manual review
  • ✅ Include follow-up question suggestions

Educational Features:

  • ✅ Show all three levels side-by-side
  • ✅ Explain why each level includes what it does
  • ✅ Provide refinement suggestions
  • ✅ Include "test your understanding" questions

But I can't build v2 easily within PartyRock's constraints. And that's okay.

Because documenting what I learned from v1 is more valuable than building a perfect v2.


Conclusion: The Tool Might Flop. The Methodology Doesn't.

CyberLens hasn't achieved the adoption I hoped for. That's partly the tool's inconsistent quality, partly PartyRock's discoverability challenges, partly the market's saturation with AI explanation tools.

But that doesn't make this a failure.

What I've gained from building and using CyberLens:

  • A systematic methodology for evaluating and refining explanations
  • Evidence that expertise > automation in domains requiring judgment
  • Concrete examples of where AI tools succeed and fail
  • Credibility through transparency about what works and what doesn't
  • A case study I can teach from

The article about why CyberLens fails is more valuable than CyberLens itself.

And that's not a failure—that's good documentation.


The CyberLens philosophy:

Explaining like you're five isn't about dumbing things down.

It's about respecting your audience enough to give them a foundation they can actually build on.

And being honest about the work required to get there.


Final thought: If you take nothing else from this article, take this:

Critical thinking applies to everything—including your own tools, your own explanations, and your own assumptions.

The standard you hold others to must apply to your own work.

That's editorial integrity.

That's also what makes you trustworthy.


Part II: How to systematize quality at the architectural level

About the Author

Narnaiezzsshaa Truong is a CySA+ certified cybersecurity analyst, consultant, and founder of Cybersecurity Witwear. She's written six books on security education and created 97+ educational designs that translate complex frameworks (NIST SP 800-53, OWASP, MITRE ATT&CK) into visual "glyphwear."

Her Myth-Tech collection maps ancient catastrophes to modern security failures—because humans have been breaking trust systems for millennia, we just have better tools now.

Currently building CyberLens: an AI tool that generates security explanations at three complexity levels while maintaining systematic quality (95% consistency across diverse concepts).

Research focus: Making enterprise-grade security accessible to resource-constrained environments through tool chain integration, threat modeling, and identity management frameworks.

Connect: LinkedIn | Cybersecurity Witwear