Calling out Security Woo-Woo

Psychology has had a so-called replication movement for some time. It was established as a result of some rather “out there” claims, the most-quoted example being that ‘nudges’ could leak out of the future and affect people’s behaviour even before they had been applied.

You can see the kind of thinking behind the movement in Stuart Ritchie’s book ‘Science Fictions’. The aim was to clean up the evidence base, and establish processes that would ensure the reliability of published results going forward.

The suggestion here is that cyber needs its own version of the replication movement, because the core of the practice amounts to not much more than folklore. Stuff repeated by word of mouth.

A degree of hype is to be expected. But what’s happening goes far beyond that. There’s no critical thinking. When a company suffers problems after a security incident, it’s automatically assumed that the security incident must have been to blame. This is what’s called ‘superstitious thinking’. Two events happen close to each other, so one must have caused the other. When an incident is declared, there’s no thought given to placing the impact into any sort of context, such as comparing it to recent non-cyber incidents. In most cases, the statistics underlying cyber incidents are simply ignored.

The management of cyber within an organisation needs to be owned by the management team, if it’s going to work. Security is too important to be left to the security team.

This Website

Depending on interest, I’ll open up the ‘.org’ version for email. So if a bloke in a pub tells you that computer crime will amount to $24Tn in a couple of years, mail it in, and I’ll do my best to check whether or not that’s backed up by the available evidence. On that one specifically, in order to avoid unnecessary anxiety waiting for the answer: it won’t. Or if some bloke in a pub tells you that Travelex went broke because of a ransomware attack, do mail it in. If you’re feeling particularly anxious about that one, go to their web site (https://www.travelex.co.uk) and see if they are, in fact, still in business.

The kinds of things you’ll see here are:

Cyber Myopia: putting some perspective on claimed threats and impacts.

Ownership: the benefits of engaging with other stakeholders.

Pointy hats and cloaks: what happens when cyber people start to think they’re wizards.

For the moment, I’ve switched off comments, registration etc. – this is meant to be a read-only site. If you’ve got any strong feelings either way about the idea, post them via LinkedIn (which is almost certainly the route you took to get here in the first place).

If it all kicks off, I might even cover the financial impact on companies when they conform to GDPR, and the pointlessness of ‘notice and choice’ mechanisms, such as the one I felt compelled to add to this website.

Full Disclosure

To date, these posts have been made up of expansions of points made in my book (“The Business of Cyber”), interspersed with material from new research.

Obviously there’s a limit to the material I can post based on the arguments in the book (for one thing, the publisher knows where I live), so if you have an idea for an area of cyber that you think should be looked at, message me on LinkedIn. I strongly believe that the practice of cyber can be made more effective, but we first have to dispense with the woo-woo.

First published 8th April 2024

Edited 27th May 2024

Edited 1st July 2024