What is FUD, and why is it so prevalent in cyber security?

Thursday, 28 November, 2024

“Don’t Panic” sticker, stuck on a graffiti-covered surface

“Everyone, deep in their hearts, is waiting for the end of the world to come.” – Haruki Murakami, 1Q84

FUD is natural, but that doesn’t mean it’s beneficial or rational

Humans are, knowingly or not, obsessed with catastrophe.

As a species we take losses much more seriously than gains. In the 1970s, economists Daniel Kahneman and Amos Tversky developed prospect theory, which describes how people react to prospective gains and losses. Their 1992 paper “Advances in prospect theory: Cumulative representation of uncertainty” suggests that, for many people, the pain of losing some amount of money can only be compensated by the pleasure of winning double that amount.

When we talk about fear, uncertainty and doubt (FUD), we mean the obsessive, unmeasured and panicked focus on catastrophe and the poor organisational practices that result from it. (There’s also a lot of it in marketing from certain vendors – Ed)

This phenomenon is particularly prevalent when discussing cyber security. Part of it comes from a world in which major cyber incidents make headlines on a weekly or monthly basis. Cyber security is also an expanding field with emergent elements, and at times it can feel unknowable. It’s no wonder many feel helpless.

It is true that threats are evolving as technology and the way we use it changes. Equally true is that you and your organisation have things you should be protecting to ensure your success. Understanding cyber security controls as business-enabling investments, rather than understanding them as a shield against an unstoppable flood of digital doomsday events, is the first step to having a mature cyber security posture.

FUD is not the same as caution

FUD is not the same thing as having a cautious approach to cyber security risk or having a low organisational risk appetite. In fact, a cautious quantitative approach to cyber security risk, mindful of an enterprise’s entire risk profile, will happen in spite of FUD rather than because of it. This is because effective understanding of a risk profile requires sober measurement and assessment which panic and pessimism can easily disrupt.

Things can go wrong, but equally things can go right. That’s why it’s important to protect what is key to your organisational objectives. Cyber security can and should enable your enterprise. A proactive, quantitative approach to cyber security risk which avoids FUD can support a pragmatic approach to risk rather than hindering it.

FUD is prevalent in cyber security

As mentioned earlier, many people are more sensitive to potential downsides than potential upsides. This means they can be more likely to focus on and ruminate over what can go wrong.

Some level of risk aversion is sensible and a good thing, because everyone has things they want to protect from bad outcomes. However, unbounded risk aversion and panic pose a barrier to effective decision making.

Sensationalism sells. Bad news gets more clicks. The marketing tactics some security companies use may also overplay the negatives to scare you into buying their product or service. All of these contribute to a culture of FUD around cyber security.

A poor grasp of likelihood, measurement and what ‘uncertainty’ means can exacerbate this issue. People’s intuitions around probability and uncertainty are generally poor, especially without specialist training. We each have cognitive biases that play a strong but unseen role in our thinking. A thought pattern might go along the lines of: “It is uncertain if and when this event might happen. We can’t make a measurement with any precision, so why should we bother?”

FUD then sets in.

FUD hinders effective decision making

Constant fear-mongering can desensitise people to negative events. In turn, they may be less responsive to genuine risks.

A culture of FUD can lead organisations to simply sidestep the issue of cyber security risk to focus on organisational priorities where they feel they have more agency and control. FUD can also make individuals and organisations feel overwhelmed and lead to inaction rather than proactive protection.

FUD can foster an atmosphere of fear and negativity within security teams, impacting morale and overall effectiveness.

Empower people with a positive approach

Taking a positive approach begins by emphasising what can be done to improve security, not just dwelling on the threats. There are proactive steps and available protections to suit your organisational needs, risk appetite and budget.

Rather than a narrative of fear of attacks, fostering cyber resilience across individuals and organisations can enable improvements across the sector.

How to move away from FUD

FUD is natural, but like many natural things, it can be very dangerous. The sense of helplessness can mean worse decision making and poorer understanding of true risks.

If you want to move beyond a culture of FUD, you can start with the following:

  1. Know what you have and what is important to you
  2. Think of cyber security as a business enabler
  3. Understand who in your organisation feels (or spreads) FUD and why

Cydea is here to help. We begin by understanding what’s important to your organisation and building out bespoke cyber risk programmes from those principles. If you’d prefer to get started yourself, you can check out our Risk Platform to elevate your security programme.

Photo by Stephen Harlen