


Security through fear often leads to stupidity

Jul 19, 2011
3 mins
Data and Information Security

I have a lot of respect for Lenny Zeltser. He teaches how to analyze and combat malware at SANS Institute, where he is a senior faculty member. He is also a Board of Directors member at SANS Technology Institute and an incident handler at the Internet Storm Center.

To say I’ve learned a lot from him over the years would be an understatement.

I just came across a fresh blog post he published yesterday called “The Contagious Smell of Fear in Information Security.”

This one sucked me in, because I’ve long believed that decisions made through fear always end in disaster. When we’re in the grip of fear we’re not seeing clearly. We’re in fight or flight mode, and when we take flight while trying to put a solid security program together, a bunch of broken pieces are left on the ground.

Zeltser essentially makes that same point in his post. He writes:

As I read various research regarding how people perceive security risks, I am amazed by the number of physiological and neurological factors that might seem irrelevant, yet have an enormous effect on our decisions. For instance:

Choice fatigue might affect security decisions. People’s brains get tired after making choices, such as deciding whether a security alert is worth investigating, leading the person to make the easiest choice by staying with the status quo.

Sleep-deprivation shifts people’s common inclination to avoid loss towards pursuing gain. As a result, decision-makers who haven’t gotten enough sleep favor expenses that contribute to potential business growth, rather than spending money to avoid possible losses.

Anxiety is contagious among social animals and humans. By rehashing security topics among members of the security community, we are infecting each other with anxiety that might be disproportionate to the actual risks.

We rarely account for these extraneous factors when assessing what elements influenced a decision related to security risks. Smell might be another component that we rarely consider.

What’s the point, you ask?

Lenny continues:

First, we need to recognize that people’s decisions related to security risk aren’t based purely on rational analysis of factual data. We’re affected by external factors, such as tiredness and anxiety. Second, we need to be careful when using fear to capture the attention of readers or customers. Fear can be contagious, which might lead to the state of group anxiety that will be removed from reality. Moreover, excessive anxiety can scare people into inaction.

Good advice. I hope readers take it seriously.

–Bill Brenner
