28 days of awareness: day 20

As you might expect, we use security metrics extensively to illustrate, and support the awareness materials. We exploit data, graphs and statistics from recent reports, advisories, surveys and other information sources published on the Web*. It's not always easy to find credible information however, since quite a lot of stuff out there is either pure marketing tripe or is so badly described and presented that it is unsuitable.

Look at this Bitdefender graph for example:

I've included the preceding paragraph and legend in the clip to point out the complete lack of values on the Y-axis, while the X-axis doesn't actually state the years (given the date of the blog piece, I think it covers September 2014 to March 2015). I guess from the evenly spaced horizontal lines that the Y axis is linear, and I hope the X axis crosses the Y axis at the zero point, in which case it appears ransomware jumped up from about 1.3 to about 9.3 unspecified units from January to February, while "banker" (bank Trojans?) increased from 1 to 3 units in the same period. What use is all that? Not a lot! Ransomware increased on some parameter (does "overall numbers" mean the number of infections? Number of families or variants? Size of payload? Height above sea-level?!) at three times the rate that bank Trojans increased, for no obvious reason in February. Far too much guesswork there without additional information. If we were unethical or naive, we might simply use this graph in the awareness materials to demonstrate "a huge spike in ransomware infections in February", a scare tactic known as FUD (Fear, Uncertainty and Doubt). We aren't ... so we'll carry on searching for better metrics.

It's not as easy as you might think to find reliable data, sound statistics and (ideally) nice graphics in the information risk and security world. Mostly we see the same stuff spread all over the Web like a nasty rash, often (arguably) misinterpreted and misrepresented. In the apparent absense of anything better, almost any number will do for some - such as this vague journalism from CNN:

The $209m first quarter estimate is lame enough (How was that determined? What costs does it include and exclude? How much of the world does it cover? How reliable is the figure? Who estimated it? Was it actually produced by someone from the FBI - if so who, why and how?).  To then project an annual figure for 2016 by multiplying the Q1 number nearly five times is an insult to our intelligence, on a par with the most outrageous fake news. For the marketers and other FUD-merchants, $1 billion is nice round eminently quotable figure, while its (alleged but untraceable) association with the FBI gives it still more impact. And so, as the number is bandied about willy-nilly, the original source becoming ever more distant and obscure, fiction becomes fact.

Hopefully our customers have their own corporate metrics and other information sources to supplement or replace those we provide in the awareness materials. It is more relevant, more eye-catching and hopefully more motivational to say "We saw a 3-fold increase in ransomware attacks last month" than "Statistics from an antivirus company indicate a 3-fold increase in ransomware numbers in February". Better yet, "We are experiencing a spike in infections with three times the normal number of ransomware attacks on us last month, including an unfortunate incident in the XYZ Department that cost $XX,000. Our CEO says ransomware must be brought under control, and quick"!

* In case you're wondering, we either seek explicit permission from the copyright owner or limit ourselves to using small/insignificant parts for educational purposes under the 'fair use' provisions of copyright law. We always cite and/or link to the original sources so that interested readers can check the context and read more - it's a common courtesy. If you make use of the content on this blog or our other websites, please reciprocate.