Rebuttal: The Pyrrhic Benefit of FUD

Fri Jul 8 22:42:15 CDT 2011

security curmudgeon

This is a rebuttal piece to The Benefits of FUD (2011-07-07) by Emmett Jorgensen.

I wrote an article about Fear, Uncertainty and Doubt (FUD) back in 1999, after dealing with it in different capacities for years prior. The FUD we deal with as part of life and society is one thing; it is so pervasive that most don't give it a second thought. However, when FUD comes from an external source, there is typically a selfish reason behind it. The most common use of the term in the security industry is centered around companies using the unholy trinity as a sales mechanism. "If you don't buy our product, $badthings will happen to you!"

Jorgensen's article contends that FUD is actually beneficial, as it stimulates innovation and security. I could tackle this argument one of two ways. First, if he is correct, then it is a Pyrrhic victory at best. If our industry as a whole has to embrace and use FUD as a tool to spark innovation and acceptance of security, we have clearly lost the battle. Performing any action out of fear, rather than desire, is simply not as effective. By using fear as a motivator, you are not as vested in the action and you act out of desperation. This puts you at a disadvantage as that level of negative emotion can cloud your judgement and lead you to falter on subsequent choices or actions.

The second way I could tackle this argument...

Ah, FUD. Fear, Uncertainty, and Doubt. Enemy of skeptic IT Pros, ally of marketers everywhere!

I am not sure Jorgensen realizes how telling this opening is. Anything that is an enemy of skeptic IT pros, and a friend to marketers should be suspect.

Most innovations, IT or otherwise, come from necessity. Someone, somewhere (be it a business, or individual) sees a need and attempts to come up with a way to fill that need. It's part of what makes the world go round.

This is very true. This is also a perfect counter-argument to your own post. If necessity drives innovation, why do we need FUD to drive it?

Neither country wanted to be runner-up in technology and innovation in an effort to prove global superiority. For years, FUD fueled many of the technological advances we enjoy today.

The FUD caused by the cold war led to the development of the Internet, the space race (and by relation satellite communication, moon landing, etc.), stealth technology and nuclear energy to name a few.

A good point, but I am still waiting for the other side of this. FUD also led to the nuclear stockpiling that plagues us today, societies that lived in constant fear of imminent death, the Vietnam conflict (and over 58,000 American casualties), government confiscation of towns, and a false sense of security when the "war" ended. We could debate the positives and negatives, but the point is there were negatives to go along with your list of positives. There are better ways to reach those positives, without the threat of war (or FUD).

Security vendors and IT professionals are mired in a war of their own, against black hat hackers and criminals attempting to compromise their valuable assets. The difference is this is more of a guerrilla war, where the attacker is seldom seen until the damage has already been done.

Another good point, but a thought left unfinished again. If we are mired in a war against black hat hackers, why do we need FUD? We have mainstream news articles telling us of several breaches a day, TV news coverage of high profile hacks, and a database of 3,942 compromises involving sensitive information. Why aren't reality and grounded statistics a better motivator for security innovation and adoption? Wouldn't a better awareness campaign showing how widespread the problem is do just as well as resorting to FUD? That, along with a tiny dose of FUD based in reality (e.g., "you are likely to have at least one incident in the coming years"), seems to be a perfectly acceptable and practical tool.

Regardless of the method, the FUD created by these attacks is driving development of new products and services. Security vendors are developing new products based on a perceived necessity on the part of infosec professionals. If the FUD didn't already exist to some degree, these products wouldn't be in production.

Cite your source, please. Name one product and one service that was developed as a result of FUD. You resort to a logical fallacy, saying that they are based on a "[FUD-based perception of] necessity" while not noting that they are a documented necessity. Further, would you qualify "new products"? Do you mean a truly new product or service, or do you mean a new twist on an old product, or a new vendor creating the same old products? As far as many in our industry are concerned, there hasn't truly been an innovative product in a long time.

True, marketers are quick to play up the fear associated with these attacks. However, it is simply hyping up an already existing problem. In turn, they will attempt to offer some sort of solution to the issue at hand. The solutions and products are hit or miss, but the point is they are being developed to address real life issues.

And this is where you lose me completely. One has to ask: why play up the fear if it is an existing problem? Again, use reality as a driving force to sell the product if it has merits. You say that they will offer some sort of solution to the issue at hand, and you even highlight the fundamental problem of your argument: "the solutions and products are hit or miss". The point is they are being developed? I don't know about you, but I don't want the "misses" being developed for any reason, FUD or otherwise.

Your job, as an Infosec Professional, is twofold:

* Second, once you have identified a legitimate issue, you must sort through the offerings available and determine which product(s) really solve the security issues you are facing.

Thanks, you summed up the entire problem with your argument in that one bullet point. Don't encourage something that makes our lives more difficult.

