I have a lot of respect for Lenny Zeltser. He teaches how to analyze and combat malware at SANS Institute, where he is a senior faculty member. He is also a Board of Directors member at SANS Technology Institute and an incident handler at the Internet Storm Center.To say I’ve learned a lot from him over the years would be an understatement.I just came across a fresh blog post he published yesterday called “The Contagious Smell of Fear in Information Security.” This one sucked me in, because I’ve long believed that decisions made through fear always end in disaster. When we’re in the grip of fear we’re not seeing clearly. We’re in fight or flight mode, and when we take flight while trying to put a solid security program together, a bunch of broken pieces are left on the ground. Zeltser essentially makes that same point in his post. He writes: As I read various research regarding how people perceive security risks, I am amazed by the number of physiological and neurological factors might seem irrelevant, yet have a an enormous effect on our decisions. For instance:Choice fatigue might effect security decisions. People’s brain gets tired after making choices, such as deciding whether a security alert is worth investigating, leading the person to make the easiest choice by staying with the status quo.Sleep-deprivation shifts people’s common inclination to avoid loss towards to pursuing gain. As the result, decision-makers who haven’t gotten enough sleep favor expenses that contribute to potential business growth, rather than spending money to avoid possible losses.Anxiety is contagious among social animals and humans. By rehashing security topics among members of the security community, we are infecting each other with anxiety that might be disproportionate to the actual risks.We rarely account for these extraneous factors when assessing what elements influenced a decision related to security risks. Smell might be another component that we rarely consider.What’s the point, you ask?Lenny continues: First, we need to recognize that people’s decisions related to security risk aren’t based purely on rational analysis of factual data. We’re affected by external factors, such as tiredness and anxiety. Second, we need to be careful when using fear to capture the attention of readers or customers. Fear can be contagious, which might lead to the state of group anxiety that will be removed from reality. Moreover, excessive anxiety can scare people into inaction.Good advice. I hope readers take it seriously.–Bill Brenner Sign up today. Get your morning news fix with the daily Salted Hash e-newsletter! one-stop view of latest business threats. We created it for you! Bookmark it! Use it!CSO’s Daily Dashboard gives you a Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe