Sunday, October 18, 2020

Warnings, alarms, and an aneurysm: the awareness juggling act (Cybersecurity Awareness Month, D18)

A vague and unhelpful warning, based on an image by Ingo Doerrie on Unsplash

One Friday evening, about 15 years ago, I arrived home from an out-of-town cybersecurity conference to find a letter from my cardiologist's office that simply said: "Aortic aneurysm detected, please call."

You're probably wondering what this has to do with Cybersecurity Awareness Month, and to be honest, it will take about half a dozen paragraphs for me to get to the connection, but please stick with me (we are now on Day 18 and it's a Sunday, so I'm feeling particularly reflective).

I don't know how familiar you are with human biology, but when I got that letter I was in my early fifties and less medically knowledgeable than I should have been, despite more than a decade of treatment for high blood pressure and being under the care of a cardiologist. My point is this: the words aortic aneurysm sounded deeply scary to me, but at the same time I didn't know what they meant.

My first thought was to call the cardiologist's office, but of course nobody was there because it was Friday evening, so I left a message to call me back ASAP, knowing that I probably wouldn't get a call any sooner than Monday. 

The next thing I did—as you can probably guess—was google aortic aneurysm. The results only added to me growing sense of dread, for example:

Aortic Aneurysms: The Silent Killer
Abdominal aortic aneurysms are the third leading cause of sudden death in men over age 60. Aneurysms are often called a “silent killer,” ...

Aortic Aneurysm - Cause Of Death For George C. Scott
Abdominal aortic aneurysms are the 13th leading cause of death in the U.S. Rupture of an abdominal aneurysm is a catastrophe. It is highly lethal and is usually ...

And those weren't tabloid newspaper headlines. Those were web pages from reputable sources (a university hospital and a division of WebMD). By this time my partner was urging me to calm down. She did her own googling and pointed out that even the Silent Killer article actually said, towards the bottom of the article:
"Fortunately, at least 95 percent of these aneurysms can be successfully treated if detected prior to rupture. Finding and treating an aortic aneurysm before the aneurysm ruptures is vital for patient survival."
And this is where I see the connection to one of the great challenges of cybersecurity awareness: how do you persuade people to act in ways that reduce the risk of something causing them considerable harm, but without freaking them out? Here are three cybersecurity examples to consider as we try to answer this question: 
  1. If criminals get your Social Security number and decide to abuse it, the effects can be very upsetting and potentially costly. That's why you need to protect such information.
  2. If criminals acquire your credentials for the network at the hospital where you work, the effects can be very upsetting and potentially deadly. That's why it's important such protect such information.
  3. If an adversarial nation state actor acquires your credentials for the network at the power plant where you work, the effects can be very upsetting and potentially trigger regional destabilization that leads to armed conflict. So be sure to protect your network login.
I don't see anything factually inaccurate about these statements and all three are making worthy assertions about protecting information systems; but it seems to me that there's something "off" in #2 and #3. They escalate from security awareness to "deadly" and "armed conflict" in a way that might be alarming and unhelpful to a general readership. But these examples do help us to focus on a difficult question with which security professionals have wrestled for decades: how far should we go make a point? 

Consider what my good friend Winn Schwartau said in testimony to Congress in 1991: "Government and commercial computers are so poorly protected today, that they can be essentially considered defenseless. An electronic Pearl Harbor waiting to happen." In my opinion, then and now, that was a valid statement and made a point that urgently needed to be made. 

However, other people, now and then, have criticized this testimony as alarmist, an adjective that the OED defines as "a tendency to exaggerate potential dangers or an eagerness to express fears or concerns publicly; esp. that creates needless worry or panic in this way." In other words, raising the alarm can be a good thing, but not always, depending on how, when, why, and to whom you do it.

One traditional approach to the balancing act we might paraphrase as "alerting people to something that could cause them considerable harm without freaking them out" has been to adjust the message according to the audience. Get it right, which I believe Winn did in his 1991 testimony to Congress, and you are performing a valuable public service. Get it wrong and you can end up getting all kinds of grief.

Ironically, nearly three decades later, that balancing act is trickier to perform than it used to be, thanks to the World Wide Web. What I mean is that publishing information on the web is not targeted, even if you think it is. You might write for a technical-savvy audience and think that's who is going to read what you write, so you can assume they will interpret your meaning accordingly. But unless your writing is hidden from search engines and/or protected by a paywall, your words may be read by people from a wide range of backgrounds, with varied levels of education, holding a variety of differing views about life.

That is why the guidelines for creating awareness content intended for use during Cybersecurity Awareness Month include the following advice: 
  • Don’t write material that feels threatening or fear-based
  • Avoid painting scenes like cyber-criminals waiting at every online intersection ready to steal social security numbers
  • Promote practical, empowering steps people can take

My initial reaction to seeing those guidelines was concern that they did not align with the sense of urgency that I feel about the need for humans to do better at cybersecurity. But on reflection—remember I said this was a day of reflection—I think they strike the right balance for messaging to the general population. 

There are indeed practical steps that people can take to reduce the odds of becoming a victim of cybercrime, and we should make sure everyone is aware of them. That is what cybersecurity awareness is about. The work that needs to be done to get politicians and policy makers to address cybersecurity with greater vigor than they have so far, that is something else.

Finally for today, if you're still wondering—and I hope you are—what happened with the aortic aneurysm alert that kicked off this article, here's the short version. After a less than happy weekend, I saw the cardiologist early the next week. He told me the aneurysm was relatively small but I needed to keep my blood pressure low, eat less salt, and more bananas (for the potassium). When I asked him how I could tell if the aneurysm was becoming a serious problem he said: "You'll just feel a sharp pain in your back but it won't last long because you'll soon be dead."

Shortly after that I got a second opinion, from the Mayo Clinic. The cardiologist there told me I didn't have an aneurysm and I would probably be fine if I avoided all alcohol and chocolate, kept my blood pressure low, ate less salt, and consumed more bananas (for the potassium). I cut back on most chocolate and all alcohol (ironically, just before going on a trip to Moscow with Winn, but that's another story). 

I also quit my somewhat stressful job as Chief Security Execute for an Internet provider (to help with the blood pressure and take stock of my life). Then, after about five years—during which we had to struggle hard to survive the Great Recession and my atrial fibrillation got worse—I went back into cybersecurity, working for a company that had an excellent health plan. 

So I saw a cardiologist about my AFib and, after a failed attempt to reboot my heart in the hopes of restoring a normal rhythm, he said there was nothing else he could do for me ("just keep taking the potassium pills"). That motivated me to figure out the underlying cause of all my heart problems. Turns out it was a condition called primary aldosteronism, which can sometimes be corrected with surgery, and in my case it was. I still have a wonky heartbeat, but my blood pressure is fine without any medications or added potassium.

And that's why, when it comes to dealing with risks, early awareness and accurate information are important, as is an appropriate level of motivational fear. However, when you're trying to reduce risk, there's nothing like addressing root causes.

Do your part, #BeCyberSmart

No comments: