Just say 'no' to FUD
NewSchool is about making rational security decisions and investments based on best available data, experiments, and even formal reasoning. It’s the opposite of “fear, uncertainty, and doubt” (FUD). FUD is the intentional amplification and exaggeration of fears and uncertainties for the sole purpose of manipulating the decision-maker into approving your proposal or budget — the “safe choice”.
Dr. Anton Chuvakin, in his guest blog post at FUDsec.com, argues in favor of FUD as a tactic:
…many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today!
…In light of this, we have to accept that there are benefits of FUD – as well as risks. … First, in the world we live in, FUD works! …Second, keep in mind that many of the Big Hairy Ass Risks (BHARs) are both genuinely scary and, in fact, likely…Finally, …fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive…The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.
…As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick out favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…
…Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated… [emphasis in original]
Anton’s position on FUD reminds me of the quote by Gordon Gekko from the 1987 movie “Wall Street”: “…greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit.” Substitute “FUD” for “greed”, and this is basically Anton’s argument.
This Machiavellian justification of FUD sounds appealing until you consider this: FUD is unethical, plain and simple.
A Halloween analogy: It’s like putting an arachnophobic person in a dark room and then whispering: “This is such a dark room. There’s no telling how many spiders there are in here.” Then, just before locking them in the room, you say: “For all the money in your wallet, I can sell you some bug spray.”
The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.). The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”.
FUD has the same ethical status as using incriminating photos to coerce a favorable decision (one of J. Edgar Hoover’s favorite tactics). Both of them work if all you care about is getting approval, but it corrupts the process and works against rational decision-making overall.
There are substantial reasons for framing risks beyond simple statement of facts and statistics, namely to deal with the psychology of risk. Security is about avoiding bad outcomes. We have fear and uncertainty about those outcomes and we are prone to cognitive distortions about them. FUD amplifies distortions. FUD is anti-data and anti-analysis.
Instead, ethical security professionals should take pains to present feared scenarios in an understandable way and, most important, relative to the likelihood of other possibilities. We should also be on a never-ending quest for data and analysis that will inform decisions and reduce emotionalism. Don’t make the situation worse by pumping out FUD. It’s unethical.
Of course, Anton is not alone in advocating this view. He’s just more blatant and outspoken about it. For another recent example, see Richard Bejtlich’s Tao of Security blog entry, where he writes:
Let’s get to the bottom line. [Government] partnerships and procurement are not the answer to this problem. Risk assessments, return on security investment, and compliance are not the answer to this problem.
Leadership is the answer. [A leader must] stand up and say:
‘I am tired of the adversary having its way with my organization. What must we do to beat these guys?’
…I know organizations that have experienced this miracle. I have seen IT departments aligned under security because the threat to the organization was considered existential. Leaders, talk to your security departments directly. Listen to them. They are likely to already know what needs to be done, or are desperate for resources to determine the scope of the problem and workable solutions.
…Leaders who internalize this fight have a chance to win it. I was once told the most effective cyber defenders are those who take personal affront to having intruders inside their enterprise. [emphasis in original]
At the risk of over-simplification, here’s my interpretation of Richard’s admonition:
- Decision-maker’s should use their personal, visceral aversion to security violations as justification for security investments. Data and analysis doesn’t matter.
- Decision-makers should simply follow the recommendations of their security department, and fully fund all their requests. They know best.
- In some cases, the security department should have executive authority over all of IT, if your organization faces “existential threats”.
This is basically FUD in other clothing. None of these recommendations will lead to better security decision-making in the context of enterprise objectives and resource constraints. Security is always a secondary objective to some other (upside) enterprise objectives. Security investments are always subject to evaluation relative to other investment alternatives, both inside and outside of IT. These are the realities of enterprise performance and leadership. Some security people may stomp their feet in protest, or resort to unethical tactics like FUD, but don’t delude yourself that you are making the world (or the enterprise) a better place.