diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 3015528114d..f1195a43736 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -18,7 +18,7 @@ abstract class InsecureCryptoSpec extends Locatable {
 }
 
 Function getAnInsecureFunction() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  isInsecureEncryption(result.getName()) and
   exists(result.getACallToThisFunction())
 }
 
@@ -36,7 +36,7 @@ class InsecureFunctionCall extends InsecureCryptoSpec, FunctionCall {
 }
 
 Macro getAnInsecureMacro() {
-  result.getName().regexpMatch(getInsecureAlgorithmRegex()) and
+  isInsecureEncryption(result.getName()) and
   exists(result.getAnInvocation())
 }
 
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
index 24c69f93758..22ca62372fe 100644
--- a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
+++ b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -14,6 +14,13 @@ string getAnInsecureAlgorithmName() {
     ]
 }
 
+/**
+ * Gets the name of an algorithm that is known to be secure.
+ */
+string getASecureAlgorithmName() {
+  result = ["RSA", "SHA256", "CCM", "GCM", "AES", "Blowfish", "ECIES"]
+}
+
 /**
  * Gets the name of a hash algorithm that is insecure if it is being used for
  * encryption (but it is hard to know when that is happening).
@@ -39,10 +46,11 @@ string getInsecureAlgorithmRegex() {
 }
 
 /**
- * Gets the name of an algorithm that is known to be secure.
+ * Holds if `name` looks like it might be related to operations with an
+ * insecure encyption algorithm.
  */
-string getASecureAlgorithmName() {
-  result = ["RSA", "SHA256", "CCM", "GCM", "AES", "Blowfish", "ECIES"]
+bindingset[name] predicate isInsecureEncryption(string name) {
+  name.regexpMatch(getInsecureAlgorithmRegex())
 }
 
 /**