Truth About Computer Security Hysteria
Horror Stories 101 (semester 2)
Sunday, 14 January 2001
THE 27th ANNUAL Computer Security Conference & Exhibition took place in Chicago in November. A lecture titled "Horror Stories and How to Use Them" piqued my interest. I couldn't make the conference, so I ordered a cassette tape.
Let's just say I got an earful. Computer security expert Dan Erwin urged his audience to scare bosses with 'what-if' scenarios. He also told his audience not to worry about accuracy if they spout 'what-ifs' to non-technical people.
Erwin's lecture left a bitter taste in my mou-- waitaminit, that's just a side effect from my blood pressure medicine. I could rant all day long, but I'll limit myself to three quotes for health reasons:
- [After Erwin read a news clipping:] "Good story? Sure, a darn good story. True? I don't know, but it's in the press, so I can use it."
- " 'This could be an electronic Pearl Harbor.' You put that on the bottom of a report, you think you'd get somebody's attention? Tough words. These are all good things you can use to get people's attention."
- "Did I just take a fairly small story and turn it into something much bigger? That's the point. Sometimes you can take a good story, or a small story, that had nothing to do with [your firm], and blow it into something that did have something to do with [your firm], and go from a few hundred dollars to a few million dollars. And I didn't stretch the truth at all. Bent it a bit, but I didn't stretch it."
"It's in the press, so I can use it." Hey, great! I embellish a story for my boss, who embellishes it for the CIO, who embellishes it for the reporter, who scares the shareholder, who scares the politician, who scares the CEO, who scares the CIO, who scares my boss, who scares me. Suddenly we've got a Y2K virus media fiasco on our hands. Does anyone not see the logical progression here? (Put your hand down, Dan.)
You know what really upsets me? This advice comes from a Certified Information Systems Security Professional. I'll repeat myself for the sake of argument: "can't we instead rely on empirical evidence?"