Truth About Computer Security Hysteria
Horror Stories 101 (semester 2)
Rob Rosenberger, Vmyths co-founder
Sunday, 14 January 2001
THE 27th ANNUAL Computer Security Conference & Exhibition took place in Chicago in November. A lecture titled "Horror Stories and How to Use Them" piqued my interest. I couldn't make the conference, so I ordered a cassette tape.
Let's just say I got an earful. Computer security expert Dan Erwin urged his audience to scare bosses with 'what-if' scenarios. He also told his audience not to worry about accuracy if they spout 'what-ifs' to non-technical people.
Erwin's lecture left a bitter taste in my mou-- waitaminit, that's just a side effect from my blood pressure medicine. I could rant all day long, but I'll limit myself to three quotes for health reasons:
"It's in the press, so I can use it." Hey, great! I embellish a story for my boss, who embellishes it for the CIO, who embellishes it for the reporter, who scares the shareholder, who scares the politician, who scares the CEO, who scares the CIO, who scares my boss, who scares me. Suddenly we've got a Y2K virus media fiasco on our hands. Does anyone not see the logical progression here? (Put your hand down, Dan.)
You know what really upsets me? This advice comes from a Certified Information Systems Security Professional. I'll repeat myself for the sake of argument: "can't we instead rely on empirical evidence?"