Whether in the IT world or the real world, “experts” frequently inflate their claims rather than double-checking their facts.
For instance, it is common knowledge that there are many Eskimo words for “snow.” Some references say there are dozens of different words; others say there are hundreds. These estimates are all wrong.
Geoffrey Pullum, in his book The Great Eskimo Vocabulary Hoax, notes that the estimates are greatly inflated, and gives a quick way to respond to people who will argue this point with you: “C. W. Schultz-Lorentzen’s Dictionary of the West Greenlandic Eskimo Language (1927) gives just two possibly relevant roots: qanik, meaning ‘snow in the air,’ and aput, meaning ‘snow on the ground.’” He suggests that you then challenge your verbal adversary to provide a list of any others that they can think of.
Only careless scholarship, Pullum claims, has propagated the myth of dozens or hundreds of Eskimo words for snow. Aggressive fact-checking, he says, would put an end to the myth.
Learning a Thing or Two
The information security industry might learn a thing or two from Pullum’s book.
If you listen to vendor pitches at security trade shows, you will hear dire claims: Businesses are unintentionally leaking billions of dollars of information each day, and the business world is a house of cards waiting to be toppled by losses from security breaches. Security vendors cite research from respected industry analysts to back their claims — so they very well might be right. The underlying message: Unless you buy their products, terrible things will probably happen.
Curiously enough, this same horrific scenario has been predicted at security trade shows year after year, yet businesses rarely, if ever, fail because of information security breaches.
Reducing costs and staying competitive are more important to the typical business executive than information security, and failing to address those concerns is indeed the cause of many business failures. These real concerns occupy most of management’s attention, and rightly so.
After attending a few information security trade shows, you might be inclined to discount most of the vendor pitches as little more than hyperbole. Are they really checking their facts? Or are they telling us that there are hundreds of words for “snow” in Eskimo?
According to conventional wisdom, insiders cause 70 to 80 percent of IT security incidents. The exact number may be disputed, but the basic premise is rarely challenged. Yet these estimates aren’t supported by the 2005 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey, which provides historical data on inside versus outside security incidents from 1999 through 2005. That is important information for anyone considering an investment in technology that manages insider threats.
The cost of managing passwords is another example of widely cited data that may be inaccurate. Citing a variety of sources, some vendors say it costs US$110 per user per year to reset passwords. Other vendors’ estimates are over twice that high — more than $300 per user annually.
What’s more, many vendors haven’t paid to acquire and read the actual studies they’re citing. Before investing in and deploying a solution on the strength of a vendor’s business case, check with your own in-house help desk for its estimate of what password management actually costs you. Most businesses will likely find that their real costs are much lower than the figures that vendors of these products cite.
Ensuring Solid Investments
Consider the arithmetic. The 2006 CSI/FBI report estimates that the expense of supporting all deployed information security technologies at large firms is roughly $142 per user annually. If password management really accounted for $110 of that $142, we would expect information security departments to spend more than three quarters of their effort on password management alone, a situation rarely seen in the real world. In this light, the estimate of $300 per user per year, which exceeds the entire per-user security budget by itself, looks even more suspicious, doesn’t it?
Information security is a vital part of a successful business, but making decisions based upon inaccurate or unverified data (or claims from a less than reputable source) is not a good way to ensure solid investment in technologies that will address the significant real-world risks.
Some of the folklore around the cost of information security may be based upon data that is difficult to substantiate, but data from knowledgeable analysts and trusted research firms are probably quite accurate and reliable. Make sure you know which type of data you are using to justify your information security investments.
Luther Martin is chief security architect at Palo Alto, Calif.-based Voltage Security. He is the author of the Internet Engineering Task Force draft standards on identity-based encryption algorithms and their use in encrypted e-mail, and is a frequent author in the areas of information security, risk management and project management. His interests include pairing-based cryptography, business applications of information security and risk management. He can be reached at email@example.com.