Fear, Information Security, and a TED Talk
In watching this TEDMed talk by Thomas Goetz, I was struck by what a great lesson it holds for information security. You should watch at least the first 7 minutes or so. (The next 9 minutes are interesting, but less instructive for information security.)
The key lesson that I’d like you to take from this is that fear doesn’t get people to act. A belief in the efficacy of your action gets people to act. (Don’t miss at 5:45, when he says “oh, they’re trying to scare people.” He’s not talking about your marketing department.)
In information security, people, and especially management, don’t act because they don’t believe that more firewalls, SSL and IDS will protect their cloud services. They don’t believe that because we don’t talk about how well those things actually work. Do companies that have a firewall experience fewer breaches than those with a filtering router? Does Brand X firewall work better than Brand Y? Who knows? And absent knowing, why invest? There’s no evidence of efficacy. Without evidence, there’s no belief in efficacy. Without a belief in efficacy, there’s no investment.
We’re going to need to move away from fear and to evidence of efficacy. Doing so is going to require us all to talk about investments and outcomes. When we do, we’re going to start getting better rapidly.
The issue at the heart of this is that security rarely contributes to the bottom line and its cost is poorly understood. Furthermore, most companies have not historically made a point of capturing the data needed to build metrics for measuring the effectiveness of security expenditures. They often don’t even have good data around core business functions, let alone information security.
An interesting approach would be to identify data that is already being gathered and find out what can be gleaned from it. In many cases, existing systems might be gathering information that would be interesting and useful. CRM/ERP databases, financial reports, accounting data, time-tracking applications, etc. might all contain data that correlates to the effectiveness of security and other policies within a given organization.
I think the kind of research that Goetz is performing would be an ideal path for infosec consultancies or internal security teams within large companies seeking to conduct such studies. Given the right people, access, and creative ways of displaying the information, the value of different activities could become more closely bounded by supporting data. The question is which organizations have high-level management who are willing to support such endeavors…
I’m not sure I would take away the same message from the talk. Fear didn’t necessarily motivate someone, but it was a matter of whether that person was lazy or not, or maybe their level of inertia as defined by time spent and effort…i.e. cost. I’d say the same thing about his other two groups, smokers and obesity.
His second part seemed more useful. I took away that fear *can* work, not as blanket fear, but as targeted fear based on personalized metrics, data, behaviors, and risks.
I’d even say this same solution is part of much weight-loss psychology, i.e. don’t just tell someone to lose weight. Instead, measure closely and point out the gains and losses and what influenced them, maybe even correlating blood pressure, cholesterol, sleep patterns, etc.
Moving back to infosec, I still find it tough to think we can be quite so bold with our predictions as we can with health. We can point out that someone is not doing something “healthy” and we can measure it, but still the overbearing metric against that is this bug creature called “COST.”
As a complete side note, as I’ve aged, I’ve realized “health” is a bad example for many things, because death (or the absence of health) is an ultimate end, and fear of it sparks many passionate responses and anxiety. A security breach…not so much…more like driving and being handed a ticket, or other driving-related risks that people take constantly.
I also want to add that providing evidence of efficacy so that an entity becomes more secure gets back to the age-old metrics problem: how do you accurately present it to non-technical people so that they are more motivated?