- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
Cybersecurity Is About Obvious Risks
Imagine you are on a TV show similar to the American show Family Feud. In the usual setup, you are prompted: “We asked 100 cybersecurity professionals: What are the most common risks you deal with?” What would be your guesses for the top five most common answers? Malware? Password compromise? Whatever they are, the polled answers probably would not surprise you.
But cybersecurity is not always about the apparent risks. Cybersecurity is not always about the computers themselves. Other things impact the ultimate outcomes we care about.
Training is expensive and does not eliminate risk. Gartner, for instance, states that without phishing training, people click on phishing links 20% of the time; with yearly training, the click rate is still around 10%.[24] How many clicks are we willing to accept compared with the cost of training? (Of course, that assumes that every click carries the same risk.)
We can buy different protection levels at defined costs. Imagine an organization has invested in technology and processes to achieve 20-day patching, as defined by its policy. If the organization commits to that goal and a vulnerability is exploited on day 21, the patch was late: that is a failure to achieve the promised security goal. If exploitation occurs on day 19, the system was still inside the window the policy accepts, and the outcome is the result of a business decision.
People often forget to take a broader view than technology-specific security software and appliances. This happens to everyone from engineers to executives. Does the organization have a media disposal policy? When a computer dies, is its storage sanitized? Another issue is fatigue. Tired and frustrated users are prone to more accidents and mistakes. How does the security policy deal with that?
The “obvious” risks in cybersecurity are undoubtedly scary. In December 2021, for example, a severe new vulnerability was discovered in a snippet of code used by millions of websites and applications to record logs, known as log4j.[25] When someone clicks a link and gets a Page Not Found error, for example, this vulnerable software lets the web server record the error in a log file for system administrators. Attackers immediately began trying to find and attack the websites and apps that used log4j. Many news articles were written about how scary it was; social media went wild about it. It was (and is) a genuinely worrisome event because of how easily an attacker could gain access through something as simple as a logging mechanism. Developers love logging mechanisms because they help them debug and add auditing. Attackers now love them, too, because they are easy to exploit.
We should worry about any program that uses this code (log4j) and update it (or disable it) as soon as possible. Waiting for someone to take advantage of the vulnerability is definitely a grave mistake.
Many attacks do not originate outside the organization. We will spend a lot of time and effort cleaning up the log4j situation, but insiders do not need a Remote Code Execution (RCE) exploit: They are not remote; they are local. Depending on their position, they can do as much (or more) damage as an outsider. Whether inadvertently or deliberately, an insider might easily take down the infrastructure or exfiltrate data and sell it. The external threat is the equivalent of the “stranger danger” that kids are taught when they are young: Avoid the stranger and their malicious traffic to be safe.[26]
Jordan is a professional cybersecurity expert in a bustling Maryland suburb and an active volunteer in the community. At the invitation of the local Chamber of Commerce, Jordan developed a presentation for business owners titled “Ten Ways to Protect Yourself Online.” Jordan’s presentation started in a manner familiar to many people: a slide showing a pixelated green image of someone in a hoodie hunched over a computer. Before a word was spoken, the presentation had set its tone: be afraid. Be afraid of the mysterious hooded figure![27]
A great many cybersecurity presentations begin by talking about cyber threats. What better way, the presenters think, to educate (scare?) the audience into adopting better cybersecurity? “You better pick a better password, or attackers will steal all your money!” Fearmongering is a form of psychological manipulation that plays on the (often unsupported) threat of impending danger and doom. Advertisers have used this tactic to stimulate anxiety. Remember the “this is your brain on drugs” anti-narcotics television campaign showing an egg sizzling in a frying pan? For many people it was emotional and powerful. It was also intentionally manipulative.
Cybersecurity often feels as though it is shaded by the negative. In academia and journalism, one is sometimes considered more serious if one is critical or negative. Positivity is associated with naiveté. Negativity certainly sells better in some markets. We rarely hear about what is going well in cybersecurity!
Highlighting threats is done so often there’s even an acronym to describe it: Fear, Uncertainty, and Doubt (FUD). There is an awful lot of FUD in cybersecurity because there is an awful lot of uncertainty. People use that to scare the audience into compliance or to convince them that the latest and greatest product will stop the FUD.
Does highlighting threats work, and even if it does, is it the right approach? “So in the last few years, we have been moving away from a fear-based approach to cybersecurity towards a pragmatic one where we are trying to enable people to get on top of the problem,” says Ciaran Martin, the first CEO of the United Kingdom’s National Cyber Security Centre.[28] Cybersecurity awareness is closely tied to empowerment and positive culture. If a workforce lives in constant fear of cyber threats, or of punishment for the wrong action, its members will be unhappy, unproductive, and potentially paralyzed by fear. Blame-and-shame and other embarrassment tactics are unfortunately still used today. For example, the U.S. Department of Health and Human Services maintains a “wall of shame” for data breaches in healthcare.[29]
Yes, the world can be scary, but that does not have to be the primary approach to cybersecurity. We advise against dismissing warnings and stories as “simply FUD”—those warnings suggest there are things to think about. Instead of fear, consider focusing on messages and campaigns that encourage strength and stability, promote innovation and creativity, and empower people. People want to protect themselves and defend organizations they care about. It’s a natural human instinct. There is no need to spend all our time talking about the threats.