Managing Network Security

The Management of Fear

by Fred Cohen



Series Introduction

Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.



Introduction:

Perception management (sometimes called social engineering by hackers) is a powerful tool in attacking information systems, but most organizations don't seem to realize that it can also be a powerful tool in defending them. One of the areas that has been well studied in perception management is fear. In this month's article we look at the way people manage perception so as to generate or remove fear and discuss things you can do to keep fear in its proper perspective.


Fear - a good thing - and a bad thing:

Fear is a good thing. Without fear of death, people might jump over cliffs for the fun of it (well, they do that, but with a parachute or a bungee cord), drive cars too fast (all right, they do that too, but usually with seat belts and other safety equipment), or smoke cigarettes. Maybe that's not a really good example - but you get the general idea. Fear acts to limit what people do.

Of course people don't always perceive fear in line with empirical (i.e., historical) data. For example, many people are afraid of nuclear bombs, even though no nuclear bomb used in anger has killed anyone in more than 50 years. Maybe that's not a good example either. But the point is, people built bomb shelters in or near their homes for many years so that in case there was a nuclear war, they would have a shelter. Of course no such shelter would have a chance of protecting you if there was really an all-out nuclear war - if only because you would eventually have to come out and it would still not be safe. So fear can also cause people to do things that they would not otherwise do.

In the field of computer security, fear plays an important role. It is, after all, fear of bad consequences that causes us to implement security. We might call it risk management, but it is actually fear that underlies the notion of risk. Similarly, it is fear of bad consequences that often causes us to not use the controls we have available to us. For example, if a project has to be done by a deadline, it is common for people to ignore security in order to get the job done. Of course, once the job gets done with no bad consequences, the fear that drives security goes down and there is a tendency to leave security off because it is more efficient to work that way (i.e., without a net).

If we could only learn to properly harness fear, it could be one of our most powerful tools.


Four methods for generating fear:

There is madness in my method - or something like that. It turns out that there are four things that are powerful motivators in driving fear.

1) Rare cataclysmic losses are more frightening than commonplace lesser losses.
2) Things out of your control are more frightening than things within your control.
3) Things that are familiar are less frightening than unfamiliar things.
4) Things you need are less frightening than things you don't need.

Some examples might help make this more solid. Computer viruses are now commonplace, so even though there are more than 10,000 of them and they regularly cause significant losses, we don't fear them very much because we see them every day and we manage them. That's a combination of numbers 1 and 3 with a little bit of 2 thrown in.

On the other hand, most people who deal with computers were somewhat concerned about SYN flood attacks when they first appeared. They were rare and caused, in essence, total loss of Internet services. If you were in a company that survived by using the Internet, fear would run rather high. They were also unfamiliar. The fear was somewhat limited if you needed Internet services because, one way or the other, you couldn't hide from the potential for harm. In this case, the fight-or-flight response caused some to delay entry into the Internet and others to struggle hard to find a defense against the attack.

Over time, people adjust to almost anything that doesn't kill them. As a result, SYN floods no longer cause a lot of fear. We have learned how to cope with them because they have been used enough that they are no longer unknown. I say we, but many people have not yet experienced a SYN flood, and when they first encounter it, they will likely have some fear. But when they call their Internet Service Provider (ISP) for help, their ISP will have dealt with this before and have no real difficulty in tracing the source down and eliminating it from their network.


Using fear to attack:

Many attackers use fear to get past security. Classic examples include convincing an employee that they will be in some kind of trouble if they don't let the attacker into the building, give them a password, tell them the phone number, or some such thing. Try: "If I don't have the number, I can't fix the dial-in line, and that means we won't be able to do backups." Another well-used one is "Now look, my boss, the new VP of marketing, is starting a road trip tomorrow and he needs to have remote access to the marketing databases. You send me everything needed to get remote access from his hotel room today and have it next day delivered to..."

Fear can also be exploited in subtle and indirect ways. For example, many diversionary tactics are fear-based. Start a fire in one area and during the evacuation, enter another area and do your worst. Fear becomes worse when cataclysmic losses, unfamiliar things, and loss of control are involved. Therefore bomb scares tend to work better in many environments than real fires. It's also easier to scare people away from things they think are less important, so scaring people at a remote site is likely to be more successful than at a critical central facility.


Countering and using the four fear generators:

If you know what causes fear, you can often use that knowledge to your advantage as a defender as well. By turning the four fear generators around, we can find ways to reduce the impact of perception management.

1) Since rare cataclysmic losses are more frightening, simulated rare events tend to reduce fear and make countermeasures more effective. Fire drills are a simple example, and other sorts of disaster drills can help reduce the fear associated with rare and cataclysmic results.
2) The control issue can also be addressed both with practice and by giving people more control over how they react. Computer security commonly takes full control of user systems for security reasons, but a strategy that works surprisingly well is to empower users to defend themselves.
3) Fear of the unfamiliar can be mitigated by making people more familiar with information security issues. As part of your awareness program, you might try to take employees on a tour and show them some of the controls you use and how they work. Show them how you block network traffic in response to a SYN flood attack and instead of being afraid to call you, they will rush to your door.
4) The organization's needs should be clearly spelled out so that employees know what's important and can act to protect it with greater caution and concern. If passwords and remote access devices are known to be very important security controls, the "VP of marketing" line will yield a far more prudent response.

While countering fear helps defend against attackers exploiting fear, fear has also been used to improve security response. For example, some organizations use fear to keep people from breaking security rules. I have seen examples where cases of spies being caught and punished constituted a large part of a security briefing. The idea seemed to be that fear of punishment and disgrace would be an effective deterrent against espionage. This offended me a bit, and my personal view is that we should avoid using fear to keep our employees in line.

The best counter to fear is a combination of the truth and repeated exposure to the thing people fear in a non-threatening mode of operation. No VP of marketing in my organization would ask to have an emergency delivery of secure network access devices to a hotel room on the basis of fear. It wouldn't work because nobody in my organization fears a VP of marketing, much less their assistant.


Fear for sale:

Of course the number one source of fear in the information security field has to be vendors. We all know that fear is one of the things that sells security. Fear of bad consequences is logical and reasonable, but it's an easy matter to change legitimate concern into paranoia, especially when a knowledgeable sales person has as their victim a less knowledgeable customer.

If you watch closely, you can catch the fear tactics in most network security sales pitches, but I'll give you a few examples to help you along the way.

1) Rare cataclysmic losses are more frightening than commonplace lesser losses.
A recent IBM commercial is a classic. It depicts a provider whose server has reached its limit of expandability. In the end, when asked what to do, his only response is "lock the door". Now I have never seen a single case of an Internet service that could not be expanded with relative ease, but the notion of being out of business is enough to scare people into buying from IBM, which promises that you will always be able to expand.
2) Things out of your control are more frightening than things within your control.
Nature is a common enemy in this sort of fear tactic. You might see someone drenched in a hurricane or caught in some other natural disaster, with a title along the lines of "when disaster strikes, ...". The point is that nobody can stop nature, so you had better be prepared when it happens. Unfortunately, nature is not all that scary to most people because it is so familiar.
3) Things that are familiar are less frightening than unfamiliar things.
The most common example of this in security is the depiction of someone breaking into your business at night, perhaps stealing your critical client list. The notion is that what a mystery person does in the middle of the night is more scary than what an employee does in broad daylight. Of course statistics show that insiders cause 80% of losses in computer-related crimes, but familiar insiders are hard to scare anyone into buying protection against.
4) Things you need are less frightening than things you don't need.
I rarely see people these days creating fear to generate sales by claiming that you should use their alternative network instead of the Internet. If they did, it would not really work. Even though the Internet is indeed a very risky environment, you can't sell that fear because people believe that they need the Internet in order to do business. No matter how much fear you try to generate about the Internet, it will not scare the users into your alternative. Instead, fear of the Internet is used to get you to buy a firewall or some other technology that can help to mitigate Internet risk to some small degree.

The best countermeasure to the fear tactics of so many salespeople is, again, a combination of the truth and repeated exposure.


Summary and conclusions:

"The only thing to fear is fear itself."

By now, you have heard my description so many times that you are probably used to it. You have now heard that fear tactics can be countered, you are familiar with some of these tactics, and as a result, you may no longer fear these fear tactics. Unfortunately, you probably need to have a healthy fear of fear in order to be effective at your job of eliminating fear as a factor in your network security program. So I should leave you with one small fearful thing to think about. Here it is.

Why do you think I would want to get you less worried about fear as an attack tool?


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net.