Why FUD fails and BAD prevails in Digital Security
Many cyber security specialists and security software sales representatives try to convince people to act or to buy certain products by frightening them with statements like: “If you don’t do (or buy) this, you will be hacked.” Sadly, this way of communicating is still a common approach in Information Security to get the message across or to motivate people to “buy” a product or service. We call this the FUD approach. FUD stands for Fear, Uncertainty, and Doubt and was introduced in the late eighties. From 1991 onwards, the expression became fashionable for any form of disinformation used against the competition. FUD is a simple but effective strategy that supplies the audience with negative, fake, or false information to influence their behavior and decisions. FUD is so effective because adverse events have a more significant impact on our brain and associated attitudes than positive ones. In psychology, this is called negative bias. Negative bias affects behavior as well as decisions. This is also why the media so often spread negative news: negative news draws greater attention and therefore sells.
Although this might be effective in the short term to get things done, it won’t be a very successful approach in the long term. In this blog I'd like to explain to you why.
FUD can force people to make decisions to take security-related actions or to buy security products and services. However, making decisions based on FUD will not be the smartest or wisest thing to do. The strategic objective of any risk management program should be to provide the highest desirable security and an excellent end-user experience at the lowest cost. Just buying security products or services out of fear will most probably not be the most cost-effective option. For example, you, as a CISO, just drafted a new strategic plan to invest in building up skills and capabilities because your last red teaming exercise proved that the current firewall still had default passwords and default rules in it. So, for the long term, you want to invest in training for the engineers. At the same time, your IT Security manager buys a new firewall because they are afraid that the end of support might endanger the firewall’s operation. But if you don’t have the in-house skills to implement and maintain it, this does not make any sense. Software engineer Grady Booch famously said, “A fool with a tool is still a fool.”
Thus, executing specific security improvements because of FUD might bring a short-term gain but might interfere with your long-term strategy.
Companies’ value will increase rather than decrease after ransomware
Paul Bischoff from Comparitech analyzed historical share price data from some companies listed on the New York Stock Exchange that were hit by ransomware. They noted that share prices plummet 22% on average immediately after a ransomware attack. However, the initial dip is short-lived: prices mostly recover within a day, and stocks are back to outperforming the market within ten business days on average. Share prices rose 4.4% on average six months after a ransomware attack, exceeding the rest of the market by 11.2%. The research also noted that Ryuk ransomware had the most significant negative impact on the share price. Share prices of companies hit by Ryuk suffered far more than those hit by Maze: they fell nearly 44% initially, and although they recovered, at the end of six months the average share price was still about 41.8% lower.
People will get FUD fatigue
When FUD is used over and over again to get things done, management will get FUD fatigue. Just as repeated negative news about a particular event makes people passive and non-responsive, so that they are no longer triggered by it, management will take every new fear a little less seriously. For example, 20 years ago, security services were often sold with the fear that a company would be hacked and end up on the front page of The New York Times or The Wall Street Journal. Nowadays, hacks and ransomware are a fact of life of which the boardroom is fully aware. However, on the firm’s factory floor, middle management often lacks knowledge about what needs to be done and how they should deal with things.
Also, when FUD is used constantly and nothing happens, the digital security version of the boy who cried wolf comes into play: if you ask for help when it is not needed, the effect is that you are not believed when you do need help.
Too much FUD will suffocate innovation
When an organization thinks that it is under the constant stress of a threat, it will focus on its core and therefore limit innovation. This effect is called Threat Rigidity (Barry M. Staw, 1981). Mitigating the risk of the threat and of potential new threats will help an organization move out of this state of mind and back into an innovative shape. FUD can suffocate innovation or stop people from creating new ideas. A significant role of the Digital Security Leader is to mitigate cyber security risks so that organizations feel safe enough to become innovative organizations.
Stop FUD, and let’s be BAD
FUD might be a suitable approach to get people’s attention. Audiences are often intrigued by stories about hacks and cyber breaches, which can be used as a “teachable moment.” However, after getting the attention, the focus should shift to the actions that need to be taken. We propose trying to be BAD (Brave, Assuredness, and Daring) instead of relying on FUD. Let me explain:
Any leader in security should be willing to step up and put themselves out there. A Digital Security Leader should be Brave, meaning to have or show mental or moral strength to face danger, fear, or complex discussions. It is about having or showing courage. To win this cyberwar, we need more diligent, razor-sharp minds, determined mindsets, and craftsmen to observe, address, and deal with an issue or incident. These people are brave, deliver tangible results, and often don’t have the time to celebrate them. They are servant leaders who are busy enabling the business by removing security measures where they can be removed to achieve innovation. They form coalitions inside and outside the company, sometimes with the enemy. These are the people who usually don’t just stand by, tell fake stories, and watch during a crisis; they act without going for fame.
Faced with what is right, to leave it undone shows a lack of courage.
The definition of Assuredness is: great coolness and composure under strain. It means that instead of Uncertainty, Digital Security Leaders should give Assuredness. They should be able to provide Management with assuredness by building a relationship, communicating about developments and actions, and earning their trust by showing results. This way, Management and the Business can focus on their core processes and innovation instead of being scared.
An example of how assuredness can be achieved is monetizing the value of good security via economic models such as Return on Security Investment (ROSI) and Balanced Scorecards. By making the potential costs transparent and using them in the ROSI calculation, you make it tangible for the company what you are trying to protect with your investment. This makes it “easier to sell” to the board to get the investment approved (read more in this blog). This successful approach is also taught in our executive master in IT Risk & Cyber security Management.
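As an added illustration (not code from the original post), the following script applies the ROSI calculation to the CISO’s dilemma from earlier in this blog: training the engineers versus buying a new firewall. It uses the commonly cited ENISA form of the formula, ROSI = (ALE × mitigation ratio − cost) / cost, with ALE = SLE × ARO; all monetary figures, occurrence rates, and mitigation ratios are constructed for illustration, not taken from the post.

```python
# Added example: Return on Security Investment (ROSI) comparison.
# Formula (ENISA's commonly used definition, an assumption, not from the post):
#   ALE  = SLE * ARO                       (annual loss expectancy)
#   ROSI = (ALE * mitigation_ratio - cost) / cost
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annual rate of occurrence: incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of the measure (licences, salaries, training)
    mitigation_ratio: float  # fraction of the loss the measure is expected to prevent (0..1)


def ale(s: Scenario) -> float:
    """Annual loss expectancy of a scenario without any new control."""
    return s.sle * s.aro


def rosi(s: Scenario, c: Control) -> float:
    """ROSI as a ratio; negative means the control costs more than it saves."""
    if not 0.0 <= c.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if c.annual_cost <= 0:
        raise ValueError("annual cost must be positive")
    return (ale(s) * c.mitigation_ratio - c.annual_cost) / c.annual_cost


def rank_controls(s: Scenario, controls: List[Control]) -> List[Control]:
    """Return the controls sorted by ROSI, best first."""
    return sorted(controls, key=lambda c: rosi(s, c), reverse=True)


# Constructed figures: a breach via a misconfigured firewall costs 500k and is
# expected about once every four years.
BREACH = Scenario("breach via misconfigured firewall", sle=500_000, aro=0.25)
CONTROLS = [
    Control("new firewall, no in-house skills", annual_cost=80_000, mitigation_ratio=0.30),
    Control("engineer training on existing firewall", annual_cost=40_000, mitigation_ratio=0.60),
]

if __name__ == "__main__":
    print(f"ALE: {ale(BREACH):,.0f}")
    for c in rank_controls(BREACH, CONTROLS):
        print(f"{c.name}: ROSI = {rosi(BREACH, c):.0%}")
```

With these constructed inputs the training option yields a positive ROSI while the unsupported firewall purchase yields a negative one, which is the point the CISO needs to make transparent to the board.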
To do just this, Digital Security Leaders might need to develop real-time dashboards with real-time facts that show what is going wrong and report what has been improved and is going well. This fact-based reporting becomes vital in case of an incident: report not only what went wrong, but also which measures worked well and prevented the security incident from becoming a major disaster.
In business and in life, you need the quality of being brave and willing to take risks to make any progress. Without daring to take risks, you will most probably make organizations less effective, suffocate innovation, and leave security without an optimal total cost of ownership.
Next, the Digital Security department should not be the Department of Profit Prevention but should enable doing business securely. It is more and more the company’s ticket to win. In some cases, certain calculated risks must be taken to gain a competitive advantage in the market. And FUD sellers only stand in the way.
Originally published on 12ways.net in co-authorship with Mark Butterhoff.