“Fear, uncertainty, and doubt” (FUD) is a distortion tactic to manipulate decision-makers. You may think it’s good because it can be successful in getting the outcomes you desire. But it’s unethical. FUD is also anti-data and anti-analysis. Don’t do it. It’s the opposite of what we need.
NewSchool is about making rational security decisions and investments based on best available data, experiments, and even formal reasoning. It’s the opposite of “fear, uncertainty, and doubt” (FUD). FUD is the intentional amplification and exaggeration of fears and uncertainties for the sole purpose of manipulating the decision-maker into approving your proposal or budget — the “safe choice”.
Dr. Anton Chuvakin, in his guest blog post at FUDsec.com, argues in favor of FUD as a tactic:
…many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today!
…In light of this, we have to accept that there are benefits of FUD – as well as risks. … First, in the world we live in, FUD works! …Second, keep in mind that many of the Big Hairy Ass Risks (BHARs) are both genuinely scary and, in fact, likely…Finally, …fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive…The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.
…As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick out favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…
…Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated… [emphasis in original]
Anton’s position on FUD reminds me of the quote by Gordon Gekko from the 1987 movie “Wall Street”: “…greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit.” Substitute “FUD” for “greed”, and this is basically Anton’s argument.
This Machiavellian justification of FUD sounds appealing until you consider this: FUD is unethical, plain and simple.
A Halloween analogy: It’s like putting an arachnophobic person in a dark room and then whispering: “This is such a dark room. There’s no telling how many spiders there are in here.” Then, just before locking them in the room, you say: “For all the money in your wallet, I can sell you some bug spray.”
The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.). The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”.
FUD has the same ethical status as using incriminating photos to coerce a favorable decision (one of J. Edgar Hoover’s favorite tactics). Both of them work if all you care about is getting approval, but it corrupts the process and works against rational decision-making overall.
There are substantial reasons for framing risks beyond simple statement of facts and statistics, namely to deal with the psychology of risk. Security is about avoiding bad outcomes. We have fear and uncertainty about those outcomes and we are prone to cognitive distortions about them. FUD amplifies distortions. FUD is anti-data and anti-analysis.
Instead, ethical security professionals should take pains to present feared scenarios in an understandable way and, most important, relative to the likelihood of other possibilities. We should also be on a never-ending quest for data and analysis that will inform decisions and reduce emotionalism. Don’t make the situation worse by pumping out FUD. It’s unethical.
Continue reading “Just say 'no' to FUD”