Vendor math doesn't add up on federal security priorities

Federal agencies given recommendations based on misleading interpretations of the statistics

[Image: arithmetic math graffiti; credit: dreamsjung via Flickr]

According to a new report sponsored by an IT performance management software vendor, federal agencies aren't spending as much as they should on battling internal threats -- the kinds of threats the vendor's software is designed to help protect against.

But the recommendations were based on misleading interpretations of the results of the survey of 200 federal IT professionals who were asked about both internal and external threats and their security spending priorities.

"What was surprising was that they identified careless and untrained insiders as one of the biggest threats, where the investment was focused was on the external side," said Chris LaPoint, VP of product management at Austin-based SolarWinds Inc., the vendor that sponsored the survey.

He shouldn't have been surprised, since the question was rigged from the start.

Respondents were asked to choose which of eight different threats were of concern to them -- two of those threats were internal and six were external.

That is, respondents were choosing between malicious insiders and careless insiders on one hand, and six different external groups on the other -- ordinary hackers, foreign governments, hacktivists, terrorists, for-profit criminals, and industrial spies.

Careless insiders had the most responses, at 53 percent, followed by the general hacking community at 46 percent, foreign governments at 38 percent, hacktivists at 30 percent, then malicious insiders at 23 percent, and finally terrorists, for-profit crime and industrial spies.

But using this question to demonstrate that careless insiders were the biggest threat was a case of comparing apples to oranges. After all, if the insiders were split into six categories as well, instead of two, it's much less likely that they would have come up on top.

And, in fact, the implications that the vendor drew from this question -- that federal IT professionals were more worried about careless insiders than anything else -- were contradicted by other survey responses.

However, instead of admitting that the question was rigged to favor internal threats, LaPoint argued that there was another explanation for the contradiction.

"One might justify this discrepancy by posturing that malicious external threats are more damaging, even if they aren’t the largest source of threats," he said.

One of those contradictory questions asked how much agencies' concern about particular threats increased or decreased over the past two years.

Concern about malicious external threats increased for 81 percent of the respondents. Concern about malicious insiders increased only 52 percent, and concern about careless insiders increased 53 percent.

Meanwhile, spending to battle malicious external threats increased by 69 percent, and spending on malicious and careless insiders rose by 46 and 44 percent, respectively.

"A greater proportion of respondents indicate concern and investment of resources has increased significantly or somewhat for malicious external threats relative to insider threats," confirmed Laurie Morrow, the analyst at Market Connections who oversaw the study. "Investment in resources lags slightly behind concern for all three categories of threats."

So that's reasonable enough -- spending lags behind concern pretty much everywhere.

The second statistic highlighted in the vendor's press release is another misleading one: that "64 percent believe malicious insider threats to be as damaging or more damaging than malicious external threats."

At first read, that makes it sound like respondents were more worried about insiders than outsiders.

In fact, only 26 percent thought that insiders were potentially more damaging -- 37 percent thought that outsiders were, and 38 percent thought the two threats were about equal.

Notice the sleight of hand?

Those who thought the two risks were about equal were lumped in with those who were more worried about insiders. If they were lumped in with the other camp, the quote would have been "75 percent of respondents believe malicious external threats to be as damaging or more damaging."

How does the vendor explain this? By arguing that the statement was technically correct -- and that even if only a quarter think that insiders are a bigger threat, it's still an important number.

"More respondents see malicious external threats as more damaging than malicious internal threats," admitted LaPoint.

"But the majority see the two as equally damaging, and still more than a quarter see insiders as more damaging," he said. "Those that see insiders as more than or equally as damaging as outsiders are, in our opinion, quite high, and we’d think the concern and investment to prevent them would be correspondingly higher."

Copyright © 2015 IDG Communications, Inc.