FDR was right: we have nothing to fear but fear itself. Of course, that doesn’t help much when you face the unknown and are scared. XX1 started middle school on Monday, so as you can imagine she was a bit anxious on Sunday night. The good news is that she made it through the first day. She even had a good attitude when her bus was over an hour late because of some issue at the high school. She could have walked the 3 miles home in a lot less time.

But when she was similarly anxious on Monday night, even after a successful first day, it was time for a little chat with Dad. She asked if I was scared when I started middle school. Uh, I can’t remember what I had for breakfast yesterday, so my odds of remembering an emotion from 30+ years ago are pretty small. But I did admit to having a little anxiety before a high-profile speech or meeting with folks who really know what they’re talking about. It’s basically fear of the unknown. You don’t know what’s going to happen, and that can be scary.

I found this quote when looking at Flickr for the image above, and I liked it:

Fear is a question: What are you afraid of, and why? Just as the seed of health is in illness, because illness contains information, your fears are a treasure house of self-knowledge if you explore them. ~ Marilyn Ferguson

Of course that’s a bit deep for an 11 (almost 12) year old, so I had to take a different approach. We chatted about a couple of strategies to deal with the anxiety, not let it make her sick, and allow her to function – maybe even function a bit better with that anxiety-fueled edge. First we played the “What’s the worst that could happen?” game. So she gets lost. Or forgets the combination to her locker. Or isn’t friends with every single person in all her classes. We went through a couple of things, and I kept asking, “What’s the worst thing that could happen?” That seemed to help, as she realized that whatever happens, it will be okay.

Then we moved on to “You’re not alone.” Remember, when you’re young and experiencing new feelings, you think you might be the only person in the world who feels that way. Turns out most of her friends were similarly anxious. Even the boys. Then we discussed the fact that whatever she’s dealing with will be over before she knows it. I reiterated that I get nervous sometimes before a big meeting. But then I remember that before I know it, it’ll be over. And sure enough it is.

We have heard from pretty much everyone that it takes kids about two weeks to adjust to the new reality of middle school. To get comfortable dealing with 7 teachers, in 7 different classrooms, with 7 different teaching styles. It takes a while to not be freaked out in the Phys Ed locker room, where they have to put on their gym uniforms. It may be a few weeks before she makes some new friends and finds a few folks she’s comfortable with. She knows about a third of the school from elementary school. But that’s still a lot of new people to meet.

Of course she’ll adjust and she’ll thrive. I have all the confidence in the world. That doesn’t make seeing her anxious any easier, just like it was difficult back when I helped her deal with mean people and setbacks and other challenges in elementary school. But those obstacles make us the people we become, and she will eventually look back at her anxiety and laugh. Most likely within a month. And it will be great.

At least for a few years until she goes off to high school. Then I’m sure the anxiety engine will kick into full gear again. Wash, rinse, repeat. That’s life, folks.

–Mike

Photo credits: The Question of Fear originally uploaded by elycefeliz


Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide

Pragmatic WAF Management


Incite 4 U

  1. Even foes can be friends: You have to think the New School guys really enjoy reading reports of increased collaboration, even among serious competitors. Obviously some of the more mature (relative to security) industries have been using ISAC (Information Sharing and Analysis Center) groups for a long time. But now the folks at GA Tech are looking to build a better collaboration environment. Maybe they can help close the gap between the threat intelligence haves (with their own security research capabilities) and the have-nots (everyone else). With the Titan environment, getting access to specific malware samples should be easier. Of course folks still need to know what to do with that information, which remains a non-trivial issue. But as with OpenIOC, sharing more information about what malware does is a great thing. Just like in the playground sandbox: when we don’t share, we all lose. I guess we did learn almost everything we need to know back in kindergarten. – MR
  2. Operational effectiveness: I have done dozens of panels, seminars, and security management round tables over the past 12 years, and the question of how security folks should present their value to peers and upper management has been a topic at most of them. I am always hot to participate in these panels because I fell into the trap of positioning security as a roadblock early in my career. I was “Dr. No” long before Mordac: Preventer of Information Services was conceived. I had to screw that up a couple (hundred) times, in a couple (hundred) different ways, before I fully understood how to position security to an executive management team without being the bad guy. When I read What Information Security Can Learn from Waiting Tables over at InfoSec Island, I was struck by how handy their first two bullets are for thinking about your security presentation style. Every year the CISOs and IT security teams make infinitesimal progress in this area, but the same basic issues come up. If you follow the “service first” approach, and present options rather than security dogma, you will go much further in your career – and perhaps even protect some stuff. Imagine that. – AL
  3. Cyber-science fiction: Recently I have read two articles discussing the pure crap that goes into ‘cybercrime’ loss numbers. The first is a great piece in ProPublica ripping apart the $1 trillion in losses number which government officials love. The second is a smaller piece from a statistics website in New Zealand dealing with local misrepresentation of losses. When you do the research you see that none of these studies have any accurate basis for measuring losses. Crime losses in general are very tricky to calculate and often wrong. So various interest groups make up whatever numbers they think will promote their agenda (hello RIAA/MPAA). In our little world, these are typically vendor-driven ‘studies’, and sometimes they are off-hand quotes taken as gospel. Not all vendor surveys are bad, but I have never seen one with a loss number that’s good. We are fools if we allow our governments to make decisions based on this hand-waving. Never mind – they’ll do whatever the richest lobbyist tells them anyway. – RM
  4. Prioritization based on exploit availability: As we wrote in Vulnerability Management Evolution, prioritizing efforts is probably the hardest but most important aspect of practicing security. The folks at Risk I/O are trying to provide a meta-view of all vulnerabilities and recently added the presence of an exploit as another way to prioritize importance. I think this is actually a useful metric, as a vulnerability without weaponized exploits presents a low risk. But it’s still not enough – I think attack path analysis is also critical for prioritization. Even if an exploit is available, if you have compensating controls in place to shield the device, that should be factored into the analysis. I don’t want to minimize anything that helps narrow the zillions of vulnerabilities down to the set you need to deal with. But we still have lots of work to do. – MR
  5. Critical thinking on security advertisements: If you listen critically to advertisements on radio or TV, they only make sense if you put yourself into the shoes of the people selling the product. A “great deal” on a used car usually means it’s a great deal for the car salesman – not you. “Don’t miss out on this opportunity” means the salespeople are eager to make their quarterly numbers. A “great price” means the price they need to get at your wallet! It should be clear that “Hurry” and “Buy with confidence” are cues to prompt you to take action – not necessarily good advice. So when I see that the FTC accused Facebook of misleading developers over security, I don’t agree. Facebook misled Facebook users, not app developers. Did you read any of the many Facebook blog posts that said “Our Application Verification Program gives you an opportunity to demonstrate your commitment to providing trustworthy user experiences in your applications”? Did you catch that? Your commitment and your application? It was clear – to me at least – that Facebook was talking about the developer’s commitment. Facebook was the ad medium for the car application. I was never clear on whether Facebook ever promised to uphold their policies, or if the policies were meant to be self-enforced “serving suggestions”. It’s deceptive, but in that sleight of hand way most products – security and otherwise – are sold. Think of it as a paid celebrity whoring a product – the developer rides Facebook’s popularity for a small fee. That’s the commitment they were talking about. – AL
  6. Here’s to the cynical ones: I am a royal pain in the ass in product briefings. For example, not 10 minutes ago I told a client their presentation was incomprehensible and a steaming pile of gibberish (my exact words, I believe). But I always follow that with constructive advice, and I always provide this criticism from the perspective of a client or prospect, because it doesn’t really matter what I think personally unless I’m buying. Security seems to attract more cynics and skeptics than some other industries, and your marketing and messaging should account for that. Jack Daniels wrote a good post on this in the context of Security B-Sides conferences. The best way to break through prospects’ skeptical veneer is to actually engage with them. But even better than that, at the bottom he provides all the metrics you should be tracking if you scan badges at booths. That little list is gold, and if you use ‘leads’ as a metric but can’t answer those questions you are wasting all your conference dollars. – RM
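The prioritization argument in item 4 (a vulnerability with no weaponized exploit is low risk, but a compensating control that shields the device should also be factored in) is easy to show with a small scoring function. The following is an added illustration, not Risk I/O's model or anything from the Vulnerability Management Evolution series; the weights, the host inventory, the service names and the CVE-EXAMPLE identifiers are all constructed for the example. The point it demonstrates is how the ranking flips once exploit availability and a WAF on the attack path are considered instead of CVSS alone.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Host:
    name: str
    internet_facing: bool
    # Services (e.g. "http/443") sitting behind a WAF, ACL or similar control
    # that blocks the attack path to the vulnerable service. Assumed inventory data.
    shielded_services: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float           # base score, 0.0 - 10.0
    service: str          # exposed service the vulnerability lives on
    exploit_public: bool  # weaponized exploit known to be available


def priority(f: Finding, h: Host) -> float:
    """Score one finding: CVSS adjusted for exploit availability, compensating
    controls on the attack path, and exposure. The multipliers are assumptions."""
    score = f.cvss
    # No weaponized exploit: much lower risk today; a public exploit: much higher.
    score *= 2.0 if f.exploit_public else 0.5
    # A compensating control that shields the vulnerable service cuts the attack
    # path even when an exploit exists.
    if f.service in h.shielded_services:
        score *= 0.25
    # Exposure: an internet-facing host is reachable by everyone.
    if h.internet_facing:
        score *= 1.5
    return score


def prioritize(findings: List[Finding],
               hosts: Dict[str, Host]) -> List[Tuple[str, str, float]]:
    """Return (host, cve, score) tuples, highest priority first."""
    ranked = [(f.host, f.cve, priority(f, hosts[f.host])) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def cvss_only(findings: List[Finding]) -> List[Tuple[str, str, float]]:
    """Baseline ordering by CVSS alone, for comparison."""
    return sorted(((f.host, f.cve, f.cvss) for f in findings),
                  key=lambda r: r[2], reverse=True)


# Constructed sample inventory: hosts, identifiers and scores are made up.
HOSTS = {
    "web01": Host("web01", internet_facing=True, shielded_services={"http/443"}),
    "db01": Host("db01", internet_facing=False),
}
FINDINGS = [
    Finding("web01", "CVE-EXAMPLE-0001", 9.8, "http/443", exploit_public=True),
    Finding("web01", "CVE-EXAMPLE-0002", 7.5, "ssh/22", exploit_public=True),
    Finding("db01", "CVE-EXAMPLE-0003", 9.0, "mysql/3306", exploit_public=False),
    Finding("db01", "CVE-EXAMPLE-0004", 6.5, "mysql/3306", exploit_public=True),
]

if __name__ == "__main__":
    print("CVSS only:", [c for _, c, _ in cvss_only(FINDINGS)])
    print("Adjusted: ", [(c, round(s, 2)) for _, c, s in prioritize(FINDINGS, HOSTS)])
```

On the sample data, CVSS alone puts the 9.8 behind the WAF first and the 9.0 with no public exploit second; the adjusted ranking moves the internet-facing SSH bug with a public exploit to the top and the shielded 9.8 down to third. The multipliers are deliberately crude; the structure (exploit availability, then attack-path controls, then exposure) is what matters, and each factor should come from your own inventory rather than a guess.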