Truth About Computer Security Hysteria

Horror Stories 101 (semester 2)

Rob Rosenberger, Vmyths co-founder
Sunday, 14 January 2001

THE 27th ANNUAL Computer Security Conference & Exhibition took place in Chicago in November. A lecture titled "Horror Stories and How to Use Them" piqued my interest. I couldn't make the conference, so I ordered a cassette tape.

A computer security lecture on "Horror Stories and How to Use Them" urges people to scare bosses with 'what-if' scenarios.

Let's just say I got an earful. Computer security expert Dan Erwin urged his audience to scare bosses with 'what-if' scenarios. He also told his audience not to worry about accuracy if they spout 'what-ifs' to non-technical people.

Erwin's lecture left a bitter taste in my mou-- waitaminit, that's just a side effect from my blood pressure medicine. I could rant all day long, but I'll limit myself to three quotes for health reasons:

  1. [After Erwin read a news clipping:] "Good story? Sure, a darn good story. True? I don't know, but it's in the press, so I can use it."

  2. " 'This could be an electronic Pearl Harbor.' You put that on the bottom of a report, you think you'd get somebody's attention? Tough words. These are all good things you can use to get people's attention."

  3. "Did I just take a fairly small story and turn it into something much bigger? That's the point. Sometimes you can take a good story, or a small story, that had nothing to do with [your firm], and blow it into something that did have something to do with [your firm], and go from a few hundred dollars to a few million dollars. And I didn't stretch the truth at all. Bent it a bit, but I didn't stretch it."

"It's in the press, so I can use it." Hey, great! I embellish a story for my boss, who embellishes it for the CIO, who embellishes it for the reporter, who scares the shareholder, who scares the politician, who scares the CEO, who scares the CIO, who scares my boss, who scares me. Suddenly we've got a Y2K virus media fiasco on our hands. Does anyone not see the logical progression here? (Put your hand down, Dan.)

You know what really upsets me? This advice comes from a Certified Information Systems Security Professional. I'll repeat myself for the sake of argument: "can't we instead rely on empirical evidence?"