Why Fear, Uncertainty and Doubt (FUD) fails in Digital Security and being BAD prevails

We all know those cybersecurity specialists or security software sales representatives who want people to act in a certain way or buy certain products by saying things like, “if you don’t do (or buy) this, you will be hacked.” Sadly, this way of communicating is still an often-used approach in Information Security to get the message across or to motivate people to “buy” a product or service. We call this approach FUD. FUD stands for Fear, Uncertainty, and Doubt and was introduced in the late eighties. As of 1991, the expression became fashionable for any form of disinformation used against the competition. FUD is a simple but effective strategy that supplies the audience with negative, fake, or false information to influence their behavior and decisions. FUD is so effective because adverse events have a more significant impact on our brains and associated attitudes than positive ones. In psychology, this is called negativity bias[1]. Negativity bias affects behavior as well as decisions. This is also why the media often report negative news: it draws greater attention and therefore sells.

Although this might be effective in the short term to get things done, this won’t be a very successful approach in the long term. Here’s why.

FUD has no lasting value

FUD doesn’t align with your security strategy

FUD can force people to make decisions to take security-related actions or buy security products and services. However, making decisions based on FUD is rarely the smartest or wisest thing to do in an economic sense. The strategic objective of any risk management program should be to provide the highest desirable level of security and an excellent end-user experience at the lowest cost. Just buying security products or services out of fear will most probably not be the most cost-effective option. For example, you, as a CISO, have just drafted a new strategic plan to invest in building up skills and capabilities, since your last red teaming exercise proved that the current firewall still had default passwords and rules in it. So, for the long term, you want to invest in training for the engineers. At the same time, your IT Security manager buys a new firewall because they are afraid that the end of support might endanger the firewall’s operation. But if you don’t have the in-house skills to implement and maintain it, it does not make sense. Software engineer Grady Booch famously said, “A fool with a tool is still a fool.”

Thus, executing specific security improvements because of FUD might bring a short-term gain but might interfere with your long-term strategy.

Company value increases instead of decreasing after ransomware

Paul Bischoff from Comparitech[2] analyzed historical share price data from a number of companies listed on the New York Stock Exchange that were hit by ransomware. They noted that share prices plummet 22% on average immediately after a ransomware attack. However, the initial dip is short-lived: prices mostly recover within a day, and stocks are back to outperforming the market within ten business days on average. Share prices rose 4.4% on average six months after a ransomware attack, outperforming the rest of the market by 11.2%. The research also noted that Ryuk ransomware had the most significant negative impact on the share price. Share prices of companies hit by Ryuk suffered far more than those hit by Maze: share prices fell nearly 44% initially, and although they recovered, at the end of six months the average share price was still about 41.8% lower.

The reader who is also an active trader on the stock market might now consider purchasing some Ransomware as a Service and going short on a particular stock. We don’t want to encourage anybody to do this, since most of the time you will be caught, like the majority of the groups analyzed by Bischoff[3]. Denis Dubnikov, the co-founder of Ryuk, was recently detained in the Netherlands. The FBI says that $400,000 worth of cryptocurrency from a Ryuk ransom payment passed through his account[4].

People will get FUD fatigue

When FUD is used over and over again to get things done, management will get FUD fatigue. Just as repeated negative news about a particular event makes people passive and non-responsive, so that they are no longer triggered by it, management will take every new fear a little less seriously. For example, 20 years ago, security services were often sold with the fear that a company would be hacked and end up on the front page of The New York Times or The Wall Street Journal. Nowadays, hacks and ransomware are a fact of life of which the boardroom is fully aware. However, further down in the firm, there is often a lack of knowledge in middle management about what needs to be done and how to deal with things. In a previous blog, we noted eight ways to inform the CEO on a fact basis in order to avoid FUD fatigue.

Also, when FUD is constantly used and nothing happens, the digital security version of the boy who cried wolf comes into play: if you ask for help when it is not needed, the effect is that you are not believed when you do need help[5].

Too much FUD will suffocate innovation

When an organization is under the impression that it is under the constant stress of a threat, it will focus on its core activities and therefore limit innovation. This effect is called Threat Rigidity (Barry M. Staw, 1981). Mitigating the risk of the threat and of potential new threats will assist an organization in moving out of this state and back into an innovative shape. This means that FUD can suffocate innovation or stop people from creating new ideas. A significant role of the Digital Security Leader is to mitigate cybersecurity risks so that the organization feels safe enough to become an innovative organization (Weeks, 2021).

Stop FUD, and let’s be BAD

FUD might be a suitable approach to get people’s attention. Audiences are often intrigued by stories about hacks and cyber breaches, which can be used as a “teachable moment.” However, after getting the attention, the focus should move to the actions that need to be taken. Instead of using a lot of FUD to put security on the agenda, we propose being BAD (Brave, Assuredness, and Daring). Let us explain what we mean by this acronym:

Brave

Any leader in security should be willing to step up and put themselves out there. A Digital Security Leader should be Brave, meaning to have or show mental or moral strength to face danger, fear, or complex discussions. It is about having or showing courage[6]. In war or a crisis, people tend to follow the Eagle rather than the Duck. In our book, we present 12 essential lessons for acting as an Eagle to combat silent enemies. Those are the enemies we can’t see with our own eyes, but we know, feel and sense that they are there. The Eagle sees and hears its target from miles away. To win this cyberwar, we need more diligent, razor-sharp minds, determined mindsets, and craftsmen to observe, address and deal with an issue or incident: an Eagle, we would say. These people are brave, deliver tangible results, and often don’t have the time to celebrate them. They are servant leaders who are busy enabling the business by removing security measures where they can be removed to achieve innovation. They form coalitions inside and outside the company, sometimes with the enemy. These are the people who usually don’t just stand, tell fake stories and watch during a crisis; they act without going for fame[7].

Faced with what is right, to leave it undone shows a lack of courage.

Confucius

Assuredness

The definition of Assuredness is: great coolness and composure under strain. It means that instead of Uncertainty, Digital Security Leaders should give Assuredness. They should be able to provide Management with assuredness by building a relationship, communicating about developments and actions, and earning their trust by showing results. This way, Management and the Business can focus on their core processes and innovation instead of being scared. A great example is Ad Krikke; he was the CISO of DSM, a large international firm specializing in solutions for Health, Nutrition & Bioscience. Krikke collaborated with his Management Board in multiple sustainability projects to help the company achieve its goals. He co-created a privacy-proof delivery channel for just-in-time medicine prescriptions. The composition of medication doses was precisely adjusted to the patient’s treatment plan, for which, of course, privacy details such as weight, blood pressure, height, and age were required but needed assurance throughout the entire supply chain. Krikke points to numerous innovative projects in his book: A Sustainable Digital Economy, Not Fear, But Trust Connects.

Another example of how assuredness can be achieved is monetizing the value of good security via economic models such as Return on Security Investment (ROSI) and Balanced Score Cards. In the blog article “Digital risks to the business, what do they cost?” we move away from FUD to fact-based Assuredness. By making the potential costs transparent and using them in the ROSI calculation, you make it tangible for the company what you are trying to protect with your investment. This makes it “easier to sell” to the board and get the investment approved. This successful approach is also taught at Antwerp Management School’s executive master in Cybersecurity[8].
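As an added illustration (not code from the original post or the course mentioned), the calculation below applies the commonly used ROSI formula, ROSI = (ALE × mitigation ratio − control cost) / control cost, with ALE = SLE × ARO, to the training-versus-firewall choice from the example earlier in this post. All amounts and mitigation ratios are constructed for the illustration and are assumptions, not figures from the post.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """A candidate security investment (all values are yearly)."""
    name: str
    annual_cost: float       # licence, hardware and people cost per year
    mitigation_ratio: float  # fraction of the expected loss the control removes (0..1)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from one risk scenario."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI = (risk reduction - cost) / cost; negative means the control costs more than it saves."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    risk_reduction = ale * control.mitigation_ratio
    return (risk_reduction - control.annual_cost) / control.annual_cost


def rank_controls(ale: float, controls: list[Control]) -> list[tuple[str, float]]:
    """Order candidate investments by ROSI, best first, so the board sees facts, not fear."""
    return sorted(((c.name, rosi(ale, c)) for c in controls), key=lambda t: t[1], reverse=True)


# Constructed scenario (assumption): a ransomware incident costing 2,000,000 with a 10% yearly chance.
RANSOMWARE_ALE = annual_loss_expectancy(single_loss_expectancy=2_000_000, annual_rate_of_occurrence=0.1)

# Constructed candidate investments (assumptions), mirroring the CISO's dilemma above.
CANDIDATES = [
    Control("engineer training", annual_cost=50_000, mitigation_ratio=0.6),
    Control("new firewall appliance", annual_cost=150_000, mitigation_ratio=0.5),
]

if __name__ == "__main__":
    print(f"ALE for the ransomware scenario: {RANSOMWARE_ALE:,.0f}")
    for name, value in rank_controls(RANSOMWARE_ALE, CANDIDATES):
        print(f"{name:<24} ROSI = {value:+.2f}")
```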

To do this, Digital Security Leaders might need to develop real-time dashboards that provide real-time facts showing what goes wrong and reporting what has been improved and is going well. This fact-based reporting becomes vital in case of an incident: tell not only what went wrong, but also which measures worked very well and prevented the security incident from becoming a major disaster. We wrote an extensive piece on building a real-time security dashboard that provides real-time insight into the organization’s security status, thereby giving boards more comfort. This article can be found here[9].

Daring

In business and life, you need the quality of being brave and willing to take risks[10] to make any progress. Without daring to take risks, you will most probably make organizations less effective, suffocate innovation, and security will not reach the optimum total cost of ownership. An example of what can be daring: the municipality of The Hague in the Netherlands organizes the Hâck The Hague contest every year, in which about 200 hackers are invited to hack the city’s systems. Or the University of Maastricht in the Netherlands published the full report of a significant hack it faced, which gave detailed insight into the cause. Instead of getting a lot of blame or unfavorable media coverage, these actions are hugely appreciated by others.

Next, the Digital Security department should not be the Department of Profit Prevention but should enable doing business securely. More and more, it is a company’s ticket to win. In some cases, certain calculated risks must be taken to gain a competitive advantage in the market. And FUD sellers only stand in the way.

By: Mark Butterhoff & Yuri Bobbert.


[1] https://en.wikipedia.org/wiki/Negativity_bias

[2] https://www.comparitech.com/blog/information-security/ransomware-share-price-analysis/

[3] https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya

[4] https://therecord.media/us-detains-crypto-exchange-exec-for-helping-ryuk-ransomware-gang-launder-profits/

[5] The Cry Wolf effect; If you cry wolf too often, people will stop believing you.

[6] https://www.merriam-webster.com/dictionary/brave

[7] https://12ways.net/blogs/stop-chasing-the-cyber-security-ambulance/

[8] https://www.antwerpmanagementschool.be/en/program/executive-master-risk-cyber-security-management

[9] https://link.springer.com/chapter/10.1007%2F978-3-030-73100-7_58

[10] https://dictionary.cambridge.org/dictionary/english/daring

Barry M. Staw, L. E. (1981). Threat Rigidity Effects in Organizational Behavior: A Multilevel Analysis. Administrative Science Quarterly.

Weeks, M. (2021). Threat Rigidity in Cybersecurity. SANS Institute.