Shostack + Friends Blog Archive


Requests for a proof of non-existence

So before I respond to some of the questions that my “A day of reckoning” post raises, let me say a few things. First, proving that a breach has no impact on brand is impossible, in the same way that proving the non-existence of god or black swans is impossible. It will always be possible for a new breach to impact a brand.

Second, and far more importantly, I’m not the one making the surprising claim, or bringing it to the marketing department. If you are making a surprising claim, the responsibility to back it up lies with you. Ideally, someone’s going to produce a convincing and predictive theory of brand costs that works across a defined subset of the thousands of breaches in the DataLossDB or DBIR. Until they do, there are still lots and lots of breaches that have minimal effect on stock price and very little on overall brand.

Finally, the marketing department owns branding, in the same way that IT owns operational roll-outs. You need to convince them in the same way you need to convince IT to roll out a new IDS or development to implement an SDL. Information security people don’t own questions about brand any more than legal does. If you want to influence the folks who write for “the CMO site,” you’re going to have to bring data. In other words, your argument is going to have to resonate with the business leaders who think that a guy picking his nose and posting the video to YouTube is far more likely to hurt their brand.

I’ll have more on the Ponemon report & other reports cited by George Hulme here shortly.

One comment on "Requests for a proof of non-existence"

  • Agree. What strikes me as strange is that, in the looking glass world of InfoSec, what counts as a surprising claim is usually the opposite of what I think. Putting out a report saying that data breaches cause, e.g., $737.345 billion worth of brand damage a year will be seen as normal and unsurprising. Questioning this, or suggesting that the method is dodgy, triggers rebuttals and scrutiny that the original never received. Nothing wrong with the scrutiny, but this is confirmation bias writ large.

    The video from the CMO site is a reminder that outside of the Infosec bubble not everyone considers “things are bad and constantly getting worse” as an unsurprising statement to be accepted without evidence.
