Anxiety is something we all deal with on a daily basis. It is a feature of the human operating system. Maybe it’s that mounting pile of bills, or an upcoming doctor’s appointment, or a visit from your in-laws, or a big deadline at work. It could be anything, but the anxiety triggers our fight-or-flight mechanisms, causes stress, and takes a severe toll over time on our health and well-being. Culturally I come from a long line of worriers. Neuroses are just something we get used to, because everyone I know has them (including me) – some are just more vocal about it than others.

Easier said than done, but very very important...

I think every generation thinks they have it tougher than the previous. But this isn’t a new problem. It’s the same old story, although things do happen faster now and bad news travels instantaneously. I stumbled across a review of a 1934 book called You Can Master Life, which put everything into context. If you recall, 1934 was a pretty stressful time in the US. There was this little thing called the Great Depression, and it screwed some folks up. I recently learned my great-grandfather lost the bank he owned at the time, so I can only imagine the strain he was under.

The book presents a worry table, which distinguishes between justified and unjustified worries and then systematically reasons why you don’t need to worry about most things. For instance it seems this fellow worried about 40% of the time about disasters that never happened, and another 30% about past actions that he couldn’t change. Right there, 70% of his worry had no basis in reality. When he was done he had figured out how to eliminate 92% of his unjustified fears. So what’s the secret to defeating anxiety?

What, of this man, is the first step in the conquest of anxiety? It is to limit his worrying to the few perils in his fifth group. This simple act will eliminate 92% of his fears. Or, to figure the matter differently, it will leave him free from worry 92% of the time.

Of course that assumes you have rational control over what you worry about. And who can really do that? I guess what works best for me is to look at it in terms of control. If I control it then I can and should worry. If I don’t I shouldn’t. Is NSA surveillance (which Adrian and I discuss below) concerning? Yes. Can I really do anything about it – beyond stamping my feet and blasting the echo chamber with all sorts of negativity? Nope. I only control my own efforts and integrity. Worrying about what other folks do, or don’t do, doesn’t help my situation. It just makes me cranky.

They say Wall Street climbs a wall of worry, and that’s fine. If you spend your time climbing a similar wall of worry you may achieve things, but it will be at great cost. Not just to you but to those around you. Take it from me – I know all about it.

To be clear, this is fine-tuning stuff. I would not ever minimize the severity of a medical anxiety disorder. Unfortunately I have some experience with that as well, and folks who cannot control their anxiety need professional help. My point is that for those of us who just seem to find things to worry about, a slightly different attitude and focus on things you can control can do wonders to relieve some of that anxiety and make your day a bit better.


Photo credit: “Stop worrying about pleasing others so much, and do more of what makes you happy.” originally uploaded by Live Life Happy

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

API Gateways

Security Analytics with Big Data

Network-based Malware Detection 2.0

Quick Wins with Website Protection Services

Newly Published Papers

Incite 4 U

  1. Snowing the NSA: Once again security (and/or monitoring) is front and center in the media this week. This time it’s the leak that the NSA has been monitoring social media and webmail traffic for years. Perhaps under the auspices of a secret court, and perhaps not. I believe Rob Graham’s assessment that the vast majority of intelligence personnel bend over backward to protect citizens’ rights. But it is still shocking to grasp the depth of our surveillance state. Still, as I mentioned above, I try not to worry about things I can’t control. So how did Edward Snowden pull off the leak? The NY Times has a great article about the gyrations required by reporters over a 6-month period to get the story. A Rubik’s Cube? Really? Snowden came clean, but they would have found him eventually – we always leave a trail. Another interesting link regarding the situation is how someone social engineered the hotel where Snowden was staying to get his room number and determine that he already checked out. If you want to be anonymous, probably better not to use your real name, eh? – MR
  2. Present Tense: As someone who has been blogging on privacy for almost a decade, I am surprised by how vigorous public reaction has been to spying on US citizens via telecom carriers. When Congress and the Senate granted immunity to telecoms for spying on users back in 2008, was it not obvious that corporate entities are now the third party data harvester, and government entities act as the aggregator? Perhaps the mortgage fiasco and the crash of the stock market had most people distracted, but only a year earlier a Greek telecom engineer was found hanged in his apartment, which led to the discovery of a massive spying operation, much of it targeted at Greek government officials. What’s unsurprising is that politicians and their helpers are now spinning Ed Snowden as an anti-hero – trying to distract from the issue by discrediting the source. You gotta love politics! These shenanigans have been going on for a very long time, so it’s good to finally see people getting mad enough to do something about it. We still have yet to see whether this causes a lasting backlash, or provides a real disincentive for companies to stop spying for governments. – AL
  3. Best. Show. Ever: Okay, I won’t even try to support that statement, but Black Hat has started releasing session information, and the lineup looks very impressive. (Full disclosure: I am teaching the cloud security class). The scheduled keynote is General Alexander, the head of the NSA – hopefully the powers that be will still let him show. If you look at the full lineup one of the biggest changes is a dramatic increase in the quality of defensive security talks. Which pisses me off because mine didn’t make it. Black Hat is where I go every year to challenge myself and learn. Even if you are more of a management type, BH is essential for reminding you how security technology matters – the challenge is learning how that technology impacts your business. The conference itself is evolving in ways I think provide more value to enterprise security pros, but not at the expense of the core culture of the event. The culture has evolved, but that’s life. Put it on your calendar, and we’ll see you there. – RM
  4. The Wrath of Khan for Security Training: In almost every meeting I have with senior security folks, the challenge of staffing comes up. It is very hard to find and retain good security practitioners. We clearly need to train more, but professional development/security training may be too expensive to really solve the problem. So what to do? Some folks are starting up the OpenSecurityTraining initiative to get security folks to pay it forward a little, and build some online training materials for security. I think it’s a good idea – they hope to apply the Khan Academy type of user experience to make it more applicable to a broader market. Or maybe we need to extend models like Codecademy to get kids interested in security. Either way, we need to address the problem – the skills gap isn’t going away. – MR
  5. Right Conversation, Wrong Audience: In Security > 140: A conversation with Gerry Gebel on XACML and ABAC, Gunnar talks with one of the more knowledgeable people in the industry about XACML and cloud authorization. And as Gunnar tends to do, he asks the critical questions that developers – you know, the people who have to implement this stuff – care about. The conversation is very interesting. Just one teeny issue: the development group is not the buyer – IT ops has the budget and the lion’s share of actual requirements when it comes time to buy identity and authorization products. IAM is still viewed as infrastructure, not application enablement, and that is the fundamental problem. Or at least one fundamental problem. – AL
  6. Active Defense: While the echo chamber (and the Wall St. Journal) debate the ethics of hacking back, Microsoft ran out, partnered with law enforcement and financial services organizations, and took down a big chunk of the Citadel botnet. This is impressive work, and the kind of partnership we usually only hear about from ignored government documents. It is also hard, thankless work. The infected users rarely know what happened, even after the fact. Microsoft spends a ton of time (and money) navigating the byzantine legal landscape. But in the end it is all for the greater good, and much appreciated by us who follow these things. If you seriously want to go after the bad guys this is the way to do it. – RM
  7. Don’t believe everything you read on the Internet: In the latest threat research mea culpa, the folks at McAfee admitted their recent statements about a resurgence of Koobface were a bit exaggerated. That polymorphic thing confuses the folks who count infections too, I guess. Anyway, in an age where page views rank supreme and editorial power is measured in SEO rather than good journalism (though Glenn Greenwald reminded us this week of how important real investigative journalism is…), media companies post first and check facts later… if at all. So your best bet is to wait until the dust settles for at least a couple days before you update the FUD statistics in your board presentation. – MR