
Moving beyond FUD, Part II

As a general rule, fear, uncertainty and doubt (known as FUD in cybersecurity circles) are discouraged as an effective method of influencing audiences. Is there ever a situation where FUD is useful?

Sam Curry is the Chief Security Officer at Cybereason, an endpoint security vendor. Sam writes that in small doses, FUD can be useful in gaining attention or spurring groups to action. He goes on to note that serious cyber-attacks will continue to happen and that there are many threat actors out there who can employ advanced tools to devastating effect. It is also true that many organizations are not paying enough attention to key security issues such as single points of failure and resiliency.

We need to step up and create the opportunity for more meaningful dialogue around the most likely risks and how our teams can work together to address them in a practical manner. We need to draw the focus to the objectives of ensuring the availability and integrity of systems and data, along with preserving the confidentiality of Restricted and Sensitive information.

The audience for FUD can be a mixed bag, generally including users, business leaders and the board of directors. Those who employ FUD might include security teams, vendors trying to sell their products or services, and system owners who don't want the security team breathing down their necks. Let's look at some real-life examples of FUD and how we can change the message to reduce or eliminate the FUD aspect of the communications we generate.

FUD for the Users

Users are the most popular target for FUD. We tell them tales of evil and try to include convincing metrics:

  • Social Engineering: the Verizon DBIR 2018 reports 1,450 phishing or pretexting incidents, 381 of them confirmed data breaches. Of those, 47% stole personal data, 26% corporate secrets, 22% internal information and 17% harvested credentials.
  • Nearly 50% of U.S. broadband households are very concerned that someone will access their connected devices or data without permission.

What if we changed that message to read more like: 

"Here are a few tips you can easily use to secure your corporate workspace and your home network," followed by practical steps or links to a set of useful knowledge base articles.

FUD from Security Teams, Vendors and System Owners

Okay, to be fair, security teams and vendors like to send simple "shock and awe" messages that communicate urgency:

  • “The GDPR Deadline is less than a month away…” or
  • “Are your mobile apps leaving you vulnerable?”

Likewise, a system owner might make statements that give voice to their own doubts about the customer, saying things like:

“Part of the problem in IT is customers have no idea what they want – they get promised the world, but they don’t understand the terminology.”

What if they took a more direct approach?

"Here is our plan. Let's discuss what suits you best..."

FUD for Business Leaders

When trying to influence our leaders to take action, we may pass along some of our own stress, which stems from knowing how much power they wield. Perhaps this is the message:

“According to data compiled by (insert obscure source here), around 58 records are stolen every second at an average cost of $141 each.”

What if we assumed the business leaders were interested in helping? The message could state simply, "Securing your information systems could save your budget from incurring unnecessary charges," and trust them to do the right thing.

FUD for the Board

FUD merchants might try to influence the Board of Directors with the same shock inducing lines as the vendors and security teams use:

  • "Nation-state attackers are stealing research data from American universities."
  • "Cybersecurity programs must be funded at 3 to 5 percent of budget (or revenue)."

A more positive and forward-looking statement might be:

“As we continue to appropriately resource, implement and refine security controls, our risk is reduced.”

Subtle (?) Manipulation

Vendors use subtle manipulation, including repeated blog posts and expert panels on emotional topics. They often overtly hype relatively minor events and prompt the media to run FUD-oriented stories that promote the services in their portfolios.

Look at the language in the headlines: kill chain, cyberwar, digital Pearl Harbor, pending cyber disasters, cyber 9/11, and so on.

Not-so-subtle manipulation might include statements like "cybersecurity attacks are perpetrated by winged ninja cyber monkeys who sit in a foreign country and who can compromise your machine just by thinking about it..." (Ian Levy, Technical Director at the UK National Cyber Security Centre)

How to message without FUD

Think about the behaviors you want to change. Use a sound and forward-thinking communications strategy to influence culture change, and remember that your users are the ones handling the protected data.

CISOs and cybersecurity teams should direct their energy and InfoSec knowledge toward making users the strongest link. Organizations are protected best when they develop a community of experts to improve institutional competence. To build trust in that community, focus on the activities that build relationships through common understanding. Work to establish strategic partnerships with stakeholders so that, as you champion reasonable and effective security controls for them, they can be champions of your program. Enable a culture that values cybersecurity principles and benefits from reduced risk.

Communicate early and often, and use messages that speak in the language of your audience. By communicating in a positive, non-FUD manner you can promote:

  • Awareness – know your data and where it lives, works and sleeps
  • Services – define and resource your services so that they reach end users and system owners on equal terms
  • Education – offer and promote education and awareness events
  • Environments – build secure environments for the "crown jewels," and do not be afraid to segment your networks so that the crown jewels are isolated while everyday users keep easy access to the Internet

The Road Ahead

"Those with a reputation for telling harsh truths will be completely ignored in an age of comfort and complacency. They will be aggressively sought after in times of danger." (Author unknown)

Credibility and trust should be the focus when communicating about cybersecurity. No matter the audience, we all need to represent the truth in language our users understand. Be careful not to over-message the community, especially following an event.

Your tone says a lot. If you inundate your audience following an event, it creates a sense of fear. Be clear in your message and promote the good news instead of dwelling on unrealistic risk. Know when to let the community relax and breathe deeply.

FUD may seem like a good idea from a liability perspective (after all, you warned them!). The trouble is that FUD by itself does not move the community forward.

Look around: the more successful programs are those that engage the community in positive, logical thinking based on facts. Let your audience know where your program stands and how you can help.

Be forward-leaning enough to know and speak the truth. In those times when your voice is really needed, your community will know whom to seek.