The database of dangerous assumptions

A powerful line of defense in protecting vulnerable assets and stopping malicious attacks.

In “Algorithms don't have biases, and other dangerous cyber-assumptions,” I addressed dangerous beliefs that have consequential effects on protecting vulnerable assets and preventing malicious attacks. For example, assuming that algorithms make no assumptions can lead you to rely on faulty data, which leaves you with a weak defense.

The video in this blog reinforces the concept that assumptions are part of your everyday decision-making process and that denying you make them is unproductive and potentially threatening.

I like this video because it’s a simple reminder of how easily we make and invest in our assumptions. As a result, we end up focusing on just one solution (holding the bag) instead of seeking alternative data that leads to the real solution. 

For example, in cybersecurity perhaps your organization spends its time primarily defending against outside attackers. This requires significant time, money, and energy. But what if the most damaging attack were to come from an internal source? How would that change the assumptions behind your defense strategy, and would it still be holistic?

Meet DAD: the antidote to the mother of all cyber and non-cyber screwups

One of the difficulties in managing assumptions is identifying them. After all, most assumptions are made subconsciously and taken for granted. To help address this issue, we created the Dangerous Assumptions Database (DAD): a collection of popular expressions that signal an assumption is in play.

Below is a sampling of those dangerous assumptions, covering both generic and security-specific phrases. Each entry lists a common phrase first, followed by what is actually being assumed: a dangerous assumption that needs to be challenged. The reason we like the acronym DAD is that, as one leading CEO said, “assumptions are the mother of all screwups.” DAD is part of the antidote.

Try discussing these phrases at your next team meeting and ask people to interpret what is really being said. You’ll be surprised how many divergent opinions are generated from just one dangerous assumption. Or, better yet, create your own database of phrases. And if you do, please share them with me so I can add them to DAD and keep spreading the wisdom.

What is said = What is being assumed

  • I can’t = I have no power
  • This is not the way we do it around here = There is only one way to do this
  • What don’t you get? = The world thinks just like me
  • This is good code = I don’t have the time to double-check it
  • We have the superior technology = No one can do what we can
  • Follow the algorithm = Algorithms don’t make assumptions
  • Biometrics are better than passwords = Fingerprints can’t be lifted easily
  • We are not a target = We are too small for anyone to care about and hack
  • Cybersecurity is too complicated to understand = I’ll leave it to others to figure out
  • The government will protect us = The government is technologically superior
  • My ISP protects my organization = Those in charge know what they are doing

This article is published as part of the IDG Contributor Network.