Understanding the Fear Factor
As a general rule of thumb, fear plays a large part in the security decision-making process for most people. You may be surprised to find a section dedicated to fear in an information security book, but in reality, fear and information security go hand-in-hand. Throughout its existence, security has been primarily driven by fear: fear of unknown people lurking in the dark corners of the Internet; fear of the thousands of malicious applications that can devastate an unprepared company; fear that the computers and networks we have grown to completely rely on can be influenced by invisible forces unknown to us; fear that this could be happening anytime, anywhere, through any series of circumstances, and that we could be completely unaware of it. Open any magazine article or vendor advertisement on security and it will almost certainly begin with some fearful tale of what could happen to an organization. It is in reaction to fear that most security decisions are made today. This has had both positive and negative effects on our industry.
Positive Effects of the Fear Factor
Of course, there are some positive things we gain from this fear factor. Many organizations and their various directors would never give security a second thought if not for the fear of losing everything through a security breach. Tell the average top executive that he or she needs a firewall, and he/she will give it the same priority as ordering a new desktop computer for the sales group. But, show him/her the other organizations that have lost millions from basic security breaches and you may even be granted overnight shipping. Fear has managed to spread security through many locations that otherwise would never have created the budget or taken the effort to secure themselves. In this way, the fear factor has certainly had positive effects.
Negative Effects of Security Fears
Unfortunately, the negative effects of fear have had an even more profound effect on the course of information security within the average organization. Human fear is an emotional process that does not normally inspire the most accurate or wisest of decisions. The greatest thinkers in the world can still make bad decisions when succumbing to fear, be it on the road, in the battlefield, or in cyberspace. When we humans fear something, the automatic reaction is to push the issue away, have someone or something else take care of it, and then blindly accept the solution. Out of fear of hackers, organizations tend to run to the first vendor with a security solution and colorful slideshow. This type of reaction most often leaves them as vulnerable as they were to start with, only with an expensive new toy making them feel more comfortable. Decisions made from fear often lead us to accept quick solutions that really provide no remedy to the problems at hand.
Fear of risks and threats to information lead all too often to the implementation of bad security practices. When humans fear something, the natural instinct is to run. Unfortunately, the direction in which we run is not always the wisest path to take, and may end up getting us in worse trouble than we were in originally. When inspired by fear, it is very easy for us to narrow our focus on anything that is expensive and has a security label on the front, especially when it is endorsed by known organizations and consultants. Such products may or may not help in specific situations, but have no chance of handling all security issues. Making information security decisions out of fear puts us at a much higher risk of making the wrong choices.
Marcus Ranum wrote a good article about the concepts of fear and hype in information security; as of this publication, it can be read at: www.ranum.com/pubs/dark/index.html
Combating the Fear Factor
One of the goals of this book is to help the reader make wise security decisions, that are derived from logical conclusions and not from fear. Security is at its peak when all the facts are present, and rational decisions are made without any intervention from fear.
Fear has its weaknesses. Ultimately, it can be conquered through knowledge. Using the knowledge presented in this book, you will be able to combat the fear factor through the development of a security mind.
Understanding the Fear Factor