
IT should use a little fear to promote cyber security

IT shouldn't proclaim that the sky is falling, but Bill Detwiler thinks a little fear can be a powerful motivator for improving IT security.

In the above "60 Minutes" video, correspondent Steve Kroft spoke with former and current US government officials and private-sector security professionals about the nation's vulnerability to cyber attack.

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," Retired Admiral Mike McConnell told Kroft.

To most IT professionals, this revelation isn't, or at least shouldn't be, news. Before joining TechRepublic 10 years ago, I worked for a regulated utility--a power company. Even then, before anyone was seriously pushing a "smart grid," we were keenly aware of digital threats to our organization. But just because IT is aware of a threat doesn't mean the business is dedicated to addressing it. Corporate management is usually most focused on maximizing profit. (I am not referring to my former employer, but making a general statement about the disconnect that often occurs between IT staff and corporate leadership.)

In fact, this disconnect isn't confined to IT or even the corporate world. Whenever you have individuals or groups with different and/or competing interests, disconnects are common. Yet it is IT's job to help protect the organization from cyber threats, and in many cases the stakes are too high to allow a communication gap, lack of understanding, or just pure apathy to prevent good security.

Part of IT's security mission must therefore be to educate the greater community about relevant security threats and convince them to take or approve the necessary countermeasures. It's the second goal that's often the most difficult. Even your best descriptions of DoS attacks, rootkits, SQL injection attacks, social engineering, and all the other threats we face can fall on deaf ears unless you impress upon your audience the consequences of inaction. This is when fear can help.

Fear does not equal F.U.D. (fear, uncertainty, and doubt)

Whether you're trying to convince senior management to ban USB drives or your three-year-old not to touch the stove, fear is a powerful motivator. Yet fear is a double-edged sword. If used inappropriately, fear will win you more enemies than supporters and can undermine your ultimate goal of improved security. Therefore, I recommend the following guidelines:

  1. Avoid the hype. Be truthful and realistic. Don't make outlandish or unsubstantiated claims of IT destruction and massive financial loss if the threats you're discussing aren't likely to cause such outcomes. Present the threat as you understand it, explain the likelihood of occurrence, and describe your organization's level of exposure.
  2. Temper fear with solutions. Once you've explained a threat, follow up with your best recommendations on how to mitigate it. Your goal is to motivate the audience into changing their behavior or giving their approval for an action, not merely to scare them. And don't come in with an all-or-nothing plan. Be prepared to offer a range of mitigation options that vary in scope and cost.
  3. Don't overuse fear. Remember the tale of the boy who cried wolf? If you constantly predict IT catastrophes that never materialize, your audience will eventually stop listening to you.
  4. Focus on an audience who can act. Narrowly target your message to those who can address the threat or have significant influence over those who can. Inducing fear in those who can't benefit from point 2 is counterproductive.

Is fear effective?

Yet not everyone agrees that fear is an effective motivator. In April 2009, I published a ZDNet video on the possibility of a digital Pearl Harbor event. In the video, Bruce Schneier, noted cryptographer and Chief Security Technology Officer of BT Counterpane, suggests IT is better off avoiding fear as a motivator. "We're better as an industry, if we don't stoke fear, if we don't talk about the digital Pearl Harbor. People turn off from that," Schneier said.

I agree with Schneier's statement that IT shouldn't "stoke" people's fears unnecessarily--see all my points above. But I still think a little fear can be a powerful motivator. And remember, all fear isn't created equal. Rationally explaining the negative consequences of not upgrading your network's intrusion detection system is a far cry from yelling fire in a crowded theater. What do you think?

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

33 comments
geoff.botting

Fear is sometimes necessary to get people's attention. It shouldn't be overused, and in my experience overuse just puts the warning into the poor-quality marketing box, but you have to get potential victims to take it seriously.

Shellz937

Perhaps a little fear will go a long way. I can't tell you the countless times I have told my older users not to write their passwords down. Yet every time I get a call back to the same users, all I have to do is lift the keyboard up and there the password is. This goes back to educating our users. Telling them, and perhaps showing them, what can happen if they don't take precautions is best. We also need to take into account that we will still have users that don't listen and are willing to give out not only their passwords but company information. If that is the case, then we need to be more strict with our users and enforce the security policy and the consequences of their choices. Education is key, but a little fear, to the point where they understand, may just be the thing to drive the information home.

JCitizen

member posted for the security "Czar". Is he really serious? Maybe we need FUD to get the reckless stupor going!!

The 'G-Man.'

We live our lives in fever In a choking sweat of fear In the heat of the night you can feel so much In the heat of the night I scream "Don't touch!" I remember a time when we used and abused And fought all our battles in vain I remember a time we thought that passion was free In the heart of the night... bodies aflame We live in fever... I hear your secret heartbeat I can hear your silent cries The kids have lost their freedom And nobody cares till somebody famous dies... I remember a time when we used and abused And fought all our battles in vain I remember a time we thought that passion was free In the heart of the night... bodies aflame Now we live, in a world of uncertainty Fear is the key - to what you want to be You don't get a say the majority gets its way You're outnumbered by the b*stards till the day you die...

kevaburg

The lyrics of a genius...

JCitizen

I don't remember the author. Sounds like a yuppie sonnet, as is derived from the form hippie/yippie. I loved that sixties show!

JCitizen

Thanks for the rep kevaburg! :)

kevaburg

Iron Maiden is the one! It must be said that Steve Harris is one hell of a songwriter and those lyrics are a typical example! As for the 60s shows: I am just a little too young to remember.....:)

NotSoChiGuy

Be it horror stories from another firm in the same market (e.g. when I worked at a health care org, relaying info on how a different firm had botched HIPAA and the $$$ in damages it caused) or personalized demonstration (using the pw under the keyboard to craft a resignation letter replete with vulgarity), I've found that offering real-world examples has worked best in getting through to users. As others have mentioned, Joe Average is neither interested nor knowledgeable enough to realize the extent to which computer insecurity can damage a firm. On top of that, we've become such a culture of hyperbole, superlatives and immediacy that most attempts at FUD would be ignored anyway. Use the words enough (terrible, horrible, best, worst, greatest, etc.), and they lose meaning and/or emphasis.

Neon Samurai

I've heard a few good comparisons based on explaining principles without using any security-school words. "You keep your security dongle in the bag with your notebook... Do you also leave your house keys in the front door lock so it's more convenient to open the door?" It was a good talk from last September's HOPE 2009 presentations and has left me pondering the "talk about security without security words" problem.

kevaburg

I think the problem is that inducing a certain amount of fear in people can be healthy, but only if, firstly, those people understand that the risks can, in some form or another, be mitigated. Leading on from that is my second point of only inducing fear in those that can understand what the business repercussions of not acting could be. Simply telling people the sky will fall if they click on unknown attachments is not the way ahead. Explaining that they shouldn't do it as part of a greater security plan is normally more effective. In the FUD definition, uncertainty and doubt breed fear, and no one should have to live in that sort of environment. Explain what and why. Use cleartext and user-friendly guides to ensure there can be no doubt, and a lot of the problems will dissolve away.

TheSwabbie

It's a delicate balance. The AVERAGE user/person has no clue what all this means. You cannot educate them enough because honestly... people don't want to know because it's not their cup of tea or whatever other reasons. They would rather be Blind, Dumb and Stupid. I say this because I've been in the industry since MSDOS 1.0 - No, I'm not kidding, I worked with the first version of DOS. The world we live in now would be Alien to me if I could even have possibly envisioned it back in the early 80's. Without going overboard, a healthy dose of fear is good. It prompts people into action. Trying to educate them will put them to sleep. However, the "boy that cried wolf" is something you don't want to fall into either.

trud

I am not a destroyer of companies. I am a liberator of them! The point is, ladies and gentlemen, that fear -- for lack of a better word -- is good. Fear is right. Fear works. Fear clarifies, cuts through, and captures the essence of the evolutionary spirit. Fear, in all of its forms -- fear for life, for money, for love, knowledge -- has marked the upward surge of mankind. And Fear -- you mark my words -- will not only save Teldar Paper, but that other malfunctioning corporation called the USA.

SilverBullet

I voted NO

Craig_B

I agree with the education aspect and not using fear. We should not be afraid of cyber attacks but be educated about the risks and the costs of mitigating the risks. Fear is an emotion and we need calm heads. I believe we should focus on moving things forward and providing solutions to minimize any risks.

TtFH

Education is much better than fear-mongering. Be honest about the consequences of actions/inactions, and don't overstate. Treat people as though they have brains of their own, and don't be condescending or patronising. If people are aware of the consequences, they can make their own *informed* choices. If they are frightened, they will make *uninformed* choices.

trud

Here is fire. Please insert finger. Yes it burns. Don't do that again.

seanferd

People with a fear of heights do not make for good ironworkers. Those with no fear are likely to fail as well. But folks with a healthy fear and respect for heights work out rather well.

TheSwabbie

You are correct in your example. I can relate a little to it - I was a Cable Lineman for a number of years after I left the Military. I used "Hooks" to climb poles and only a ladder when I couldn't climb. I was NOT scared of heights but had a healthy dose of fear to know that if I cut out of a pole, I was going to get hurt or killed. Whether you're 30 feet up or 300 feet, it doesn't matter. Once you are over your body height, it automatically kicks in. If Management is told of the possibilities (Accurately) and DOES NOT have fear of an impending crisis - they are unintelligent FOOLS. Over the years (25+) I've seen a lot. From small networks to Enterprise-level data centers. Upper Management who continually ignore the "Knowledgeable" people they've hired to KEEP THINGS WORKING AND SAFE are doing themselves a disservice.

JCitizen

Conexxions!! Did I say that somewhere already?! I can just see that terrorist on the other end of the keyboard, looking like him, and hitting the [ENTER] key to melt down the nuclear plant! And saying, "I kill you!!!" HA! =)

Neon Samurai

A friend working construction mentioned that most of the high iron workers were native, due to not suffering the effects of vertigo when looking down from heights. In that case, it was a common genetic trait rather than respect of fear that made them better suited for the job. (edit: spelling)

trud

F.U.D. forever...!

seanferd

Judiciously inducing fear through information on the realities of the situation would not be FUD. In fact, you want to avoid the escalation of fear beyond reason. You definitely do not want to instill uncertainty and doubt, but motivate people to take the appropriate actions. If you were just having a joke, please disregard. ;)

trud

Sorta... I'd like my choice of choices, but they would be inappropriate and only slightly more funny.

JCitizen

Kenner is FUUNNNNN!!!! :)

seanferd

what it was that drove these admins out of the steppes. (But we don't really want to find out.)

seanferd

The Fear of God...NEW! Frommmmm Kenner. Popularly known simply as "Teh Fear". Whatever. It wasn't all that funny to me before, but it sure is now. Thanks, JC! I needed a laugh. :^0

JCitizen

"Don't go near that yellow snow!!" :^0

JCitizen

Who trademarked that, Mattel? Only you, seanferd, could engender such a comic comparison! ROTHFLOL!!! :^0 :^0 :^0

trud

and steeped in magic mist... they proclaimed to all: avoid the yellow snow. Their commands were followed as if they were spoken thus from the sharp hard mouth of god. Angels or Daemons... all... BOFH

santeewelding

They thundered, striking fear in every heart, these admins...

seanferd

Sometimes it does seem like it would be a good thing to instill The Fear Of God™ in some users, no? :D

boxfiddler

then yes, you do have another choice. If there's no other option, it's not a matter of choice.
