Calling out Security Woo-Woo
Cyber Replication
Psychology has had a so-called replication movement for some time. It was started as a result of some particularly “out-there” claims, for example that nudges could leak out of the future and affect people’s behaviour in the present. You can see the kind of thinking behind the movement in Stuart Ritchie’s book ‘Science Fictions’. The aim was to clean up the evidence base, and establish processes that would ensure the reliability of published results going forward.
There’s a strong argument that cyber needs its own version of the replication movement, because the core of the practice amounts to not much more than folklore. Stuff repeated by word of mouth.
A degree of hype is to be expected. But what’s happening goes far beyond hype. There’s no critical thinking. When a company suffers problems after a security incident, it’s automatically assumed that the security incident must have been to blame. This is what’s called ‘superstitious thinking’. Two events happen close to each other, so one must have caused the other. When an incident is declared, there’s no thought given to placing the impact into any sort of context, such as comparing it to recent non-cyber incidents. In most cases, the statistics underlying cyber incidents are simply ignored.
The management of cyber within an organisation needs to be owned by the management team, if it’s going to work. Security is too important to be left to the security team.
This Website
Depending on interest, I’ll open up the ‘.org’ version for email. So if a bloke in a pub tells you that computer crime will amount to $24Tn in a couple of years, mail it in, and I’ll do my best to check whether or not that’s backed up by the available evidence. On that one specifically, in order to avoid unnecessary anxiety waiting for the answer: it won’t.
Or if some bloke in a pub tells you that Travelex went broke because of a ransomware attack, do mail it in. If you’re feeling particularly anxious about that one, go to their website (https://www.travelex.co.uk) and have a look to see if they are, in fact, still in business.
For the moment, I’ve switched off comments, registration, etc. – this is meant to be a read-only site. If you’ve got any strong feelings either way about the idea, post them via LinkedIn (which is almost certainly the route you took to get here in the first place).
If it all kicks off, I might even cover the financial impact on companies when they conform to GDPR, and the pointlessness of ‘notice and choice’ mechanisms (such as the one I felt compelled to add to this web site).
Full Disclosure
To date, these posts have been made up of expansions of points made in my book (“The Business of Cyber”), interspersed with material from new research.
Obviously there’s a limit to the material I can post based on the arguments in the book (for one thing, the publisher knows where I live), so if you have an idea for an area to be examined, please DM me on LinkedIn.