Archive

Posts Tagged ‘FUD’

The Placebo Effect of FUD

December 16th, 2010 No comments

The Placebo Effect

Irving Kirsch, psychologist at the University of Connecticut, and Guy Sapirstein did several experiments on the effectiveness of the placebo effect.

[Irving Kirsch] and Guy Sapirstein analyzed 19 clinical trials of antidepressants and concluded that the expectation of improvement, not adjustments in brain chemistry, accounted for 75 percent of the drugs’ effectiveness (Kirsch 1998).  ”The critical factor,” says Kirsch, “is our beliefs about what’s going to happen to us. You don’t have to rely on drugs to see profound transformation.” In an earlier study, Sapirstein analyzed 39 studies, done between 1974 and 1995, of depressed patients treated with drugs, psychotherapy, or a combination of both. He found that 50 percent of the drug effect is due to the placebo response.

The problem is that “all placebo effects eventually wear off, thus making the placebo effect impractical for long term or chronic medical matters.”

Fear, Uncertainty, Doubt

In the same way, the information security industry, and arguably the nation-state at large, regularly uses fear, uncertainty, and doubt – or F.U.D. – as a method of enticing people to take certain actions/reactions.  We take this easy way out because it’s a lot easier to tell a scary story than to explain the complexities of reality.

A large data breach happens and it cases a state of fear that, for a short term, triggers a fight-or-flight response.  Some people will use this to reign in new regulation, laws, or increased spending.  We saw this in response to 9-11 and we see it every day in businesses.

The problem with this method, aside from the ethical issues with its use, is that, like the placebo effect, it eventually wears off and thus is ineffective for long term use.  At which point, you either need to reinforce the fear, which typically leads to acceptance (sometimes in the form of cynicism), or you need to replace the placebo of fear with facts.

P.T.S.D. and Data Breaches

Cognitive behavioral therapy is a well known and accepted method for dealing with post traumatic stress disorder (PTSD).  It works by slowly and gradually exposing the individual to a feared state in a safe and reassuring manner.  The old memories are not erased but the new memories are additive in providing a more positive association with the memory experience.  Reinforced FUD takes that same method but drives us in a regression path.  Instead of moving beyond the fear it reinforces it further driving it inward and eventually preventing the subject from functioning (rationally) all together.

Only reinforced facts about a situation can help enable individuals with the self confidence they need to survive potentially negative situations (such as a data breach) and move beyond them instead of reacting negatively to them.  Once armed with knowledge you can make rational decisions based on evidence rather than emotion and knee-jerk responses.

Equipped with knowledge and well reasoned data enables us to plan and prepare rather than always existing in a reactive state.

Measuring Risk

One way to arm ourselves with confidence is to measure the risk in a system so our response to securing it can be made in a planned manner.  When people discuss measuring risk there are a number of items that come to mind.  It is important to remember that we are not trying to measure technical risk, though that is one part of the equation.  We want to measure financial risk.  By measuring the financial risk that a system, department, or enterprise  exposes us to we can calculate and plan a method of securing the data.  This plan should take into account the financial liability or loss we are trying to avoid or mitigate.

This method differs from others in that it does not attempt to calculate the cost of a data loss per record, as that could vary based on the exposure in a system.  It does not attempt to calculate the technical risk of a system or department because that could have no direct correlation on the financial losses.  It does not attempt to calculate the value of the money spent, as without a threshold for success (or associated data breach) there is no way to optimize this measurement. The focus is entirely on the overall risk associate with data loss based on legal, regulatory, and operational costs.

Presently, we each need to create this calculation and thus reinvent the wheel for every environment, but why?

The risk of exposure should be accessible in data breach reports.  The cost of financial fines and/or penalties is publicly listed by the FTC and payment card brands.  The cost of state data-breach-notification costs is generally accepted within a range.  We know data breach statistics by industry and type of business.

Why can’t someone model this data in such a way that each organization can enter in their environmental attributes, adjust the risk levels as per their individual thresholds, and have it calculate a financial risk or exposure of each system, department, or enterprise?

It’s the future and it’s happening faster than we think.

Share
Categories: Risk Management Tags: , , , , , , , ,

Becoming Fearless: Deweaponizing Permanence

December 13th, 2009 No comments

(Re-post of an item written in June 2007)

The mind offers protectionism against our fears, but this can sometimes lead to stagnation. It’s not a voluntary act, but more a learned experience. The government is an expert at this art. The information security community leverages it to impose their will on the masses. They even have a term for it: FUD – fear, uncertainty, and doubt.

But better than any social experiment, our mind is a master of illusion and perception augmentation. We can see this easily in the movies we watch. Anyone watching a scary movie knows the point at which fear enters the picture. The camera closes in on a character leaving the viewer unable to see anything but their face. This triggers a reaction in the viewers mind about the infinite number of things that could befall this character. Out mind is almost trained to enumerate the fearful possibilities and recite them to ourselves.

Left unchecked, this fear can be debilitating. In its best forms we call it complacency and in its worst we call it insanity. So we build structures against such fear. We arm ourselves with weapons such as hope, faith, and through the lives of our heroes. Some religious groups will literally say they are “putting on the full armor or god” in order to do battle with the devil, for which fear is a material or mental manifestation.

One of these protective structures is permanence. We believe… we must believe that some things are permanent, even if just in the short term. We believe that we will live past tomorrow, or else people would do erratic things and chaos would ensue. We believe that we will grow old, or else we would never prepare for something we call ‘retirement’. We believe that strangers on the street will not randomly attack us, or else we would quickly become a society of roaming fear mongers. Society works because fear is contained and fed to us in only small and predictable doses. Fear can sometimes even make one feel safe and provide a central theme to unite a group of people.

What would happen if there was ever a loss of our beliefs or a fracture of the permanence that we so carefully rely on? Some might argue that chaos would follow and thus the argument for keeping people feeling safe and secure. But what about those things that cannot be controlled? The smaller things, that based on their very nature, no government or society can contain?

Things like a relationship break up, death in the family, divorce, pain, solitude, shame? The list goes on and on. These are things that cannot be controlled and thus cannot offer permanence. These are the things that Reinhold Niebuhr thought of when he wrote the Serenity Prayer.

accept the things I cannot change,
have courage to change the things I can
and have the wisdom to know the difference

I couple this with the quote from Fight Club that says, “It’s only after we’ve lost everything that we’re free to do anything.” Fear exists within us all and it’s only when you free yourself of it that you can ever accomplish the things you imagine and desire. It’s only after you know, not just acknowledge, that some day things will change. You will no longer like chocolate, you will want children, you will learn that you always wanted to be something you were not, and then you will die.

It’s only after we confront our fears and take action that we can ever move beyond our current state of mind. It’s only after we step out into the abyss with our eyes wide open that we can ever evolve into something more than we currently are.

Oscar Levant is quoted as saying “there is a fine line between genius and insanity.” I do not believe this means that genius is close to insanity, but that insanity can remove the barriers in ones mind and enable them to see beyond their current static form and imagine the impossible.

My favorite quote is that “nothing is impossible, the impossible just takes longer.” To say this and believe it is one step closer to deweaponizing permanence, and for me one step closer towards happiness.

Share
Categories: Chaordic Thought Tags: , , , , , , , , ,