Privacy and Security
FUD: A Plea for
Relying on dubious claims can cause researchers to focus on the wrong
questions and organizations to misdirect security spending.
EVEN A CASUAL observer of computer security must notice the prevalence of FUD: non-falsifiable claims that promote fear, uncertainty, or doubt. We are bombarded with warnings of digital Pearl Harbors, the unstoppability of online hackers, and accounts of a cyber-crime problem that is said to rival the drug trade.

FUD sometimes masquerades as useful information, though it is often “not even wrong,” in the sense of making no clear claim that can be checked: exact figures for undefined quantities, dollar estimates based on absurd methodology, and astonishing facts that are traceable to no accountable source. FUD provides a steady stream of factoids (for example, the raw number of malware samples, activity on underground markets, or the number of users who will hand over their password for a bar of chocolate), the effect of which is to persuade us that things are bad and constantly getting worse.

While the exaggeration of threats hardly began with computer security, the field has certainly made FUD its own. It may seem innocent enough to exaggerate in the service of getting people to take security more seriously, but we believe reliance on factoids leads government and industry to spend wastefully and researchers to focus on the wrong questions. The scale of the FUD problem is enormous, and we argue it prevents the establishment of security as a more scientific research discipline.
What’s Wrong with an Illustrative Story?
Offering information that is dubious, false, or vague creates avoidable confusion. Through creating the illusion that we understand when we do not and by injecting false facts, FUD oversimplifies complex questions, hindering our ability to grasp things that might actually be simple.

FUD makes it more difficult to form a coherent picture of the world. While the number of malware samples seems interesting, it says nothing about the success of that malware at infecting systems. Happenings on underground markets are certainly interesting, but activity does not translate into dollars at any fixed rate. Do we know if the passwords that people trade for chocolate are real or made up? These details matter, and their absence hinders understanding. Much FUD comes in the form of factoids, which, of course, can be inconsistent, both with each other and with what else we know of the world. Who exactly lost a trillion dollars? Where are all the cybercrime bil-