Security newsletters regularly publish press releases, especially those with top 10 lists. And top 10s, which proclaim...
potential terrorist events or anything else that furthers the cause of fear, uncertainty, and doubt (FUD) are all the better. These lists make the rounds and get a great deal of attention, since they're generally more interesting than the latest vendor updates.
I was in the Philippines when I read the latest list from iJet, a travel risk management services firm, on the top 10 countries to avoid for business travel, which ironically included the Philippines. I can see that there would be many theoretical reasons to avoid the Philippines: The water makes you sick; taxi drivers try to rip you off and the person who lost the presidential election has advocated putting spikes on highways as a form of protest. The list can go on forever.
However, it can be reasonably argued that there have been more terrorist events inside the United States than in the Philippines. Sure, there have been some terrorist events in remote southern Philippine islands, but not widespread throughout the country. More importantly, the iJet study defines areas for avoiding business travel, though, there's little business to do on those southern islands. Does this justify placing the Philippines on iJet's list?
The cyberworld has it's own top 10 lists. These often predict some type of doom from malicious attacks and inundate us with the threat of the mythical "Electronic Pearl Harbor" -- the attack that will devastate the world, as we know it.
Does it really matter what the top 10 viruses are? Personally I believe it's more important to know that keeping antivirus software up to date prevents all of them, which makes the "Electronic Pearl Harbor" warnings even more useless and distorting.
In the mean time, common and preventable computer attacks and flaws accumulate to cause a higher loss than one devastating attack -- if it were to ever occur. The studies and news stories that report on FUD predictions focus on a mystical threat rather than a plan of action. This means that less is done to protect our information infrastructures.
From a traditional risk perspective, I was exponentially more likely to die during my flights to and from the Philippines than be killed by a terrorist incident in the country. For that matter, I was statistically more at risk of dying in a car accident at home than from a terrorist attack in the Philippines.
Therefore, in terms of traditional risk, your organization is exponentially more likely to suffer regular losses due to completely preventable computer problems than to be hit by cyberattacks.
While iJet's study did provide news sources the latest FUD, the sound bytes that came out of the report were misleading, and the usefulness was minimal and counterproductive. Sound bytes without the details distort planned actions. Did I need to avoid the Philippines? Clearly, not. However, I probably would have liked to know which three islands to avoid out of the more than 7,000 islands comprising the Philippines. Avoiding those three islands would be a reasonable action to consider. Avoiding the entire country is ridiculous.
The computer world is similar. Security practitioners need detail on which to base their decisions. They need to know the signature release dates for the most common viruses to determine the scope of the deficiencies in antivirus programs; they need to know what enables potential losses to know what to target in their security programs. Security professionals need to know what the highest payback countermeasures are as opposed to vague threats that provide useless detail.
About the author
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.