Misleading Metrics
James Bore
I make compliance a painless outcome of good bespoke processes instead of a storming headache of artificial cookie-cutter targets.
The misuse of statistics for marketing is a bugbear of mine.
I've posted about invented numbers and how to spot them before, and doubtless will again, but this morning I was sent a white paper which annoyed me.
The two key highlights from the report, which appears to be a marketing effort to sell security consultancy (hey, I get it, I like to sell security consultancy too - being able to eat and have a roof over my and my people's heads is one of my favourite things) are about the link between revenue and cyber security. To quote:
Alarming! Clearly, doing better at cyber security (UK spelling has a space, I get more nitpicky about this every time someone throws a tantrum about something so inconsequential) makes you better at business.
In fact the report reinforces this by talking about how these successful businesses are not only more mature in their security, but more likely to see security as a business enabler. Who wouldn't draw the conclusion that investing in security maturity is the key to success?
Correlation != Causation
I'll give the AT&T white paper points for never using the word causation, even if the language and framing strongly hint that way: they state that there's a correlation and stop there. Unfortunately, while the data and findings are presented fairly, there's a passage in the exec summary which I take issue with:
The goal of the research was to validate if, and to what degree, organizations more in alignment with best practices prescribed by the NIST CSF can help to operate more secure environments and better enable their businesses. - AT&T Business, The Relationship Between Security Maturity and Business Enablement
There is absolutely no relationship between the stated goal and the outcome of the research. Yes, they've established correlation, but they have not established that alignment with the NIST CSF leads to more secure environments, or that more secure environments better enable their businesses.
Let me put forward an alternate hypothesis. From much later in the report, where people may or may not read to (most readers of white papers don't get past the exec summary, statistically speaking, it's why they exist):
The research points to a relationship between business success and cybersecurity acumen. This connection is likely anchored by trust, communication, and collaboration between people—managers and staff from lines of business (LOB) and cybersecurity teams. - AT&T Business, The Relationship Between Security Maturity and Business Enablement
Could it, just maybe, be that more mature businesses with better trust, communication, and collaboration between different business areas are inherently more successful in terms of revenue targets (or, for a more cynical take, more realistic about their revenue targets - as these were declared by the businesses) and that being more mature in cyber security by the carefully chosen criteria is an outcome of that?
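To make the alternate hypothesis concrete, here is a small simulation added for this post (it is not from the article or the AT&T report, and all of its numbers are constructed). A single hidden factor, overall business maturity, drives both the security score and the revenue outcome; the security score has no direct effect on revenue at all. The raw correlation between the two still comes out strongly positive, and only vanishes once the confounder is controlled for, which is exactly the pattern a survey of this kind cannot distinguish from a causal link.

```python
import random
from math import sqrt


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def residuals(ys, xs):
    """Residuals of ys after ordinary least-squares regression on xs.

    Removing the part of each variable explained by the confounder and
    correlating what is left gives the partial correlation.
    """
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    intercept = my - slope * mx
    return [y - (intercept + slope * x) for x, y in zip(xs, ys)]


def simulate(n=5000, seed=1):
    """Constructed data: maturity is the hidden common cause of both outcomes.

    The coefficients (0.8, 0.7) and noise level (0.2) are arbitrary
    assumptions chosen only to make the effect visible.
    """
    rng = random.Random(seed)
    maturity = [rng.random() for _ in range(n)]            # hidden confounder
    security = [0.8 * m + rng.gauss(0, 0.2) for m in maturity]
    # Revenue depends on maturity and noise only; security is deliberately absent.
    revenue = [0.7 * m + rng.gauss(0, 0.2) for m in maturity]
    return maturity, security, revenue


def analyse(n=5000, seed=1):
    """Return the naive correlation and the partial correlation given maturity."""
    maturity, security, revenue = simulate(n, seed)
    raw_r = pearson(security, revenue)
    partial_r = pearson(residuals(security, maturity), residuals(revenue, maturity))
    return {"raw_r": raw_r, "partial_r": partial_r}


if __name__ == "__main__":
    result = analyse()
    print(f"security vs revenue, raw r:               {result['raw_r']:.3f}")
    print(f"security vs revenue, controlling maturity: {result['partial_r']:.3f}")
```

The raw coefficient lands around 0.5, comfortably "alarming" by white-paper standards, while the partial correlation sits near zero because security was never in the revenue equation. A survey that only measures security maturity and revenue sees the first number and has no way to compute the second.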
It's a pity that this research has been promoted this way, because if the link between overall business culture and security maturity were actually explored, I can see interesting questions coming out of it about the way cyber security is approached and marketed.
Sadly, a lot of the time this research is mostly about marketing and doesn't delve deeper into the areas where it could make a real difference.
InfoSec Professional | Infrastructure Engineer | Tenacious Problem Solver | Manager | Mentor | Geek.
(1 year) I know it's not exactly the point you were getting at, but impressive-sounding bogus statistics infuriate me to a degree where my partner will change TV channels rather than have me yelling impotently at L'Oreal adverts. There used to be a safety poster on a bus stop near where I worked, "2 out of 5 thefts from cars happen to unlocked vehicles." Well, damn, 3 out of 5 thefts are from locked cars, I'm leaving mine unlocked in future. There was an ad on telly the other day, something along the lines of "removes up to 100% of stains." Could there be a more nonsense claim? "Up to" does the heavy lifting in a lot of marketing of course. "SALE: UP TO 30% OFF!" could mean that everything is full price, all the ad is saying is that whatever saving you may make it will never be more than 30%. I could claim that putting my keys in my pocket removes 'up to' 100% of stains and I'd be correct; the actual figure is zero but it meets the criterion. But here, "up to 100%" - well, as opposed to what? Does a competing product remove 120% of stains? My new stain remover removes up to 1,000% of stains, I'm going to be rich! It is abject nonsense and we actually pay people to come up with this tripe.
Maker, Breaker, Fixer, Faker. Focusing on making the world a safer place
(1 year) As always, excellently put.
Criminologist (Cybercrime/Fraud)
(1 year) Very enjoyable read. Another personal favorite of mine is when cybersecurity companies attempt to estimate the costs of cybercrime to society... as a means of introducing the narrative of fear as a marketing tool. I remember a report by McAfee in 2020 had a figure derived from actual losses (completely fine) and a very weird arbitrary "time lost in monetary terms/opportunity cost" estimated figure.
Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored
(1 year) Thanks for sharing! Yes, numbers are easily wrongly lifted, and this happens often.