I saw an article in The Atlantic reporting that cybercrime reports contain staggering amounts of upward bias. More coverage at CNET here and the New York Times here (firstborn may be required, but this is probably best content of the lot). Although the methods used to come to this conclusion involve statistical analysis, I think this is a major problem in the field of information security, and it certainly isn’t unique in that field. While the stated purpose of the defenders of the network is to, well, defend the network, there is also the secondary purpose of justifying their own existence, and often securing scarce resources. And let’s face it, cybersecurity incidents can be stealthy, especially when data loss is the primary outcome. But when the value of cybercrime is estimated to be one trillion dollars, many times greater in value than the drug market, it really doesn’t seem to pass the sniff test.
I’ve got a business card-sized cheat sheet from a Carnegie Mellon CERT course I took several years back; it’s the CERT Coordination Center’s Elements of a Code of Conduct. Sandwiched in amongst a lot of good advice, are some gems like “state the facts”, “be truthful”, and “avoid shock tactics.” Good advice, all. Credibility is the currency of the defender of the network; we should spend it wisely.