Monday, October 03, 2011

October is Cybersecurity Awareness Month -- or is it?

Last year, the president declared October to be "Cybersecurity Awareness Month". But, October has already been Breast Cancer Awareness Month for the past 25 years.

So which is it? Cybersecurity or Breast Cancer?

The easy answer would be "both", but that's silly. Why not, then, make it "everything awareness month"? Indeed, why don't we make every month Everything Awareness Month.

This doesn't work because awareness is a tradeoff. Putting up posters about "cybersecurity" this month must detract from the other posters about "breast cancer". As you raise awareness of one, you necessarily decrease the awareness of the other.

This is idea of "tradeoffs" is especially important in the realm of cybersecurity, tradeoff between risk and reward. If we listened to just the Chicken Littles about the sky falling, then we'd turn of the computer, cut the wires, and bury it. That'll keep the hackers out. But it would also keep the customers out. There is a limit to security, after which point the cure becomes worse than the disease. Perfect security is not possible.

That's why "Cybersecurity Awareness Month" is a bad thing. The idea is based on fallacious thinking that there are no tradeoffs, that somehow an Everything Awareness Month could actually work. It teaches precisely the wrong lesson about cybersecurity, that there is no limit to the amount of awareness and fear.

1 in 8 women will get breast cancer in their lifetimes. I'm not aware of anybody dying to a cybersecurity fail. That makes me think breast cancer needs more awareness, which if you believe in tradeoffs, means cybersecurity needs less.

1 comment:

John L said...

October is Clergy Appreciation Month, you apostates.

http://www.parsonage.org/cam/