Jan 11, 2015

Consensus of 2015 security predictions

I find many security predictions unusable, uninteresting and often just pure marketing material, or even misleading. Just for the fun of it, I still like to see the big picture of the latest predictions. As in previous years, I collected security predictions from ten different companies and, instead of reading them all, put all the predictions together and created a word-cloud from the combined text.

I used predictions from the same companies as last year: Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, WatchGuard, Websense, Trend Micro and FireEye.

Here's the "consensus" word-cloud:

2015 security predictions

Compare that to last year's predictions:

2014 security predictions

A couple of observations. The big ones, as in the previous year, are data, devices, mobile and malware. There's a bit more focus on information now, not just data. In 2015 cyber is back: it was big on the 2013 list, but less so last year. On the other hand, privacy has disappeared. It wasn't big before, but at least it was there.

My summary last year was: Expect data-stealing malware attacks against all devices.

Since no groundbreaking new threats are visible, my summary this year is: Expect attacks against Internet-facing (cyber) systems. The attackers are more likely to go after valuable information, not just raw data.

This year I also tried another approach. I created a separate word-cloud from only the topic headings of the security threats found in the predictions:

2015 security threats - topics only

Interestingly, in that picture the Internet of Things pops out. However, since vendors often like to play with words when inventing topic names and headlines, I find the full-text word-cloud more interesting. Can't deny the security threat of IoT, though.

Feel free to make your own interpretations or, god forbid, read the individual predictions. You may also check this good summary of the 15 security predictions for 2015.

To me personally, the most useful security predictions document is the Information Security Forum's (ISF) Threat Horizon report. It's freely available only to members, and for others it's a bit expensive. However, the year-old Executive Summary of Threat Horizon 2016 is downloadable for free (registration required). A new Threat Horizon 2017 should be out for members pretty soon now.

The Executive Summary of Threat Horizon 2016 shows this threat development according to global member organizations of the ISF:

See also my word-clouds from previous years: Word-cloud of 2014 security predictions and Mother of all 2013 security predictions.

Nov 29, 2014

Information increases security

The complexity and connectivity of ICT systems are increasing faster than ever. New technology innovations are born frequently, and IT is embedded in all imaginable things. This fast-paced change guarantees that information security challenges will be plentiful. No one person can master the whole, huge information security field. Being "an information security expert" is as impossible as being "an Internet expert". An information security professional can be either a generalist, who has a wide understanding of the field, or a specialist, who has deep knowledge of one or two specific areas.

The flood of information is a challenge. There is so much to read, watch and learn. Self-motivated learning is a must for information security professionals. I strongly believe in Friedman's formula CQ + PQ > IQ, which says that curiosity and passion are more important for professionals than intelligence.

I recommend Twitter to all colleagues who want to keep themselves on the pulse of the information flow. Books, magazines, blogs and research papers are good sources for gaining a deeper understanding of selected information security topics. Network with your colleagues to share practical experiences: what works and what doesn't. Conversations with fellow experts are also good therapy; it's soothing to know that everyone has the same challenges with their information security programs and practices. Nowadays many seminars are mostly good for networking rather than for actually learning something new.

When you are experienced enough and feel that information security talks and challenges are starting to be the same old stuff over and over again, it's time to broaden your horizon. For example, a better understanding of risk management, business management and behavioral economics will give you tools for applying your information security skills in new and innovative ways. I have found Coursera online courses to be valuable learning tools.

It's said that the more you learn the better you understand how little you know. In other words, if you think you already master information security, you are still a novice.

A Finnish version of this text is available here.

Feb 2, 2014

How to convince the board to accept information security investment?

In recent years I've been involved in some information security research projects led by a Finnish university. One of these projects studied what makes an executive board accept a security investment proposal. Professor Mikko Siponen, who is responsible for this research, has given a couple of public presentations explaining the findings. Mikko was ranked the best European Information Systems researcher in 2011 and 2012 (#29 worldwide) by the Association for Information Systems.

Since there's no public version available in English, I summarize here the main points of the research findings.

Earlier research on information security investments is based on the following assumptions:

  • decision makers can assess risks neutrally
  • decision makers are able to make rational decisions based on complex calculations
  • investment has a linear effect to risks
  • all relevant information is available
  • decision makers know all the possible choices
  • decision makers always try to maximize net profits

In reality these assumptions do not hold:

  • information is asymmetric and incomplete
  • some information is subjective (opinions) or guesses
  • adversaries may have other goals than maximising profit
  • calculations require simplified models

The research:

  • a questionnaire was sent to the 690 biggest Finnish businesses
  • 134 answers, mostly from CEOs and Executive Vice Presidents, plus some CIOs
  • the questions were information security investment scenarios, and the respondents were asked what they would decide
  • each person got five scenarios, randomly selected from 162 different scenarios
  • the scenarios varied elements like: negative vs. positive presentation approach, likelihood and possible impact of the security threat, and cost of mitigation/countermeasures (the security investment)

The goal was to study decision making styles (rational vs. emotional) and persuasion methods.

Findings from the study:

  • in general, persons who respond to emotional arguments tend to support an investment proposal presented in a negative manner (e.g. emphasizing threats and losses)
  • in general, persons who respond to rational/factual arguments tend to support an investment proposal presented in a positive manner (e.g. emphasizing benefits)
  • increasing likelihood and severity of the threat affected the investment decision positively and linearly
  • increasing cost of the investment decreased the willingness to invest linearly
  • an investment proposal presented using negative language (threats) is more likely to be accepted than a proposal emphasizing positive outcomes
  • even investments meant to tackle low-level threats are not so easily rejected when presented in a negative manner
  • an information security investment is a complicated process whose success factors are rarely understood by any individual alone
  • ROI and ROSI do not play any significant role in information security investment decisions
  • the CISO must get allies from different levels of the organization
  • the CISO needs to understand both the management view and the "regular" staff view
  • the CISO's communication skills and personal relationships with the other players are very important
  • a justified need for the information security investment coming from within the organization helps to get the investment accepted
  • one key challenge is that the need for the information security investment is usually crystal clear to the CISO, but not so to the management and the staff
  • clear organizational responsibilities are important
  • in general, staff support for the information security solution (investment) and the solution's usability, fit with current processes and social acceptance are more important factors than the strength/quality of the solution or ROI/ROSI calculations

I hope I managed to catch the core points of the research. I can't give more background information or justification for the results since I'm not the researcher :-) It's easy for me to agree with the results, though.

Dec 27, 2013

Word-cloud of 2014 security predictions

A year ago I wrote the Mother of all 2013 security predictions. I created word-clouds from the 2013 security predictions of 10 different companies and also a separate word-cloud from the combined text of all of them. Creating the word-clouds was more fun than actually reading the predictions :-)

Now, just after Christmas, I'm feeling even lazier and decided to create only one word-cloud from the combined predictions of the following companies: Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, WatchGuard, Websense, Trend Micro and FireEye. My intention was to use the same companies as last year, but I couldn't easily find anything from Stonesoft (McAfee) or F-Secure. I took Trend Micro and FireEye instead.

Here's the word-cloud made with Wordle.

2014 security predictions


For comparison, here's last year's word-cloud.

2013 security predictions

What can we see from these? Mobile doesn't seem to be in the predictions' focus as much as last year, and data has more visibility. Malware attacks seem to be on everyone's map, the targets being devices in general, not just mobile devices. Since everyone mentions data a lot, it could mean that attackers are predicted to be after valuable data rather than just trying to blackmail or create havoc.

So, the number 1 security prediction for 2014 is: Expect data-stealing malware attacks against all devices.

No surprise there. What actually surprised me was that word cyber didn't dominate the cloud. I take that as a positive sign.

Jul 14, 2013

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

Just recently I followed Duke University's online course, A Beginner's Guide to Irrational Behavior, taught by Dan Ariely, Professor of Psychology and Behavioral Economics. The course was excellent and also motivated me to read Professor Ariely's books.

Got a certificate:-)


The course had a small writing assignment to show that the teachings had been internalized. I, of course, decided to write something security-related, keeping in mind that the readers are not security experts. I chose my topic to be

Why people open dangerous email attachments despite all awareness campaigns – are they stupid or what?

A common way to spread computer viruses is via email attachments designed to infect the user's computer. In the typical case the computer doesn't get infected unless the attachment is opened, so the user must be lured into opening the file. Although organizations put lots of effort into educating users not to open suspicious attachments, someone always will. Lots of money is spent on automatically recognizing and deleting these malicious files, but there are always new tricks to circumvent the countermeasures. Not to mention that the number of viruses has sky-rocketed in recent years.

Here's a typical example of an email with an infected attachment that I got recently, apparently coming from Bank of America:

Transaction is completed. $39976449 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Receipt of payment is attached.

The problem from the organization's point of view is that these malicious files are emailed en masse, and it may take only one user clicking the attachment for the whole network to be infected.

A common saying is that the user is the weakest link in security, which actually means that users are stupid and lazy. I would say instead that computer programs are not designed correctly, taking human intuition and behavior into account.

Why do people tend to open malicious attachments? I can think of several reasons. First, we get legitimate attachments all the time which we need to open, so it's common practice for us, and anchoring bias makes opening the attachment the default behavior. Second, these scams usually offer us riches, love, health or something else everybody wants, and it's FREE. Third, a virus-spreading email usually has a falsified sender name which seems legitimate. Fourth, understanding computers, software and viruses is complicated, so we take the path of least resistance and just click the attachment. Fifth, although we've been informed about the dangers of viruses and how to behave in a secure manner, it was probably a while ago, and these awareness trainings don't have a long-term effect. In my mind security awareness trainings are comparable to reminders about morality. I could think of even more reasons, but this will do for now.

What to do, then? Obviously we have to enhance automated security measures to make sure that more viruses get caught before users even see them. However, it's impossible to catch them all. I think that first we need better computer operating systems that prevent infections, or at least make them much more difficult. Then we need intelligent email clients which can learn from the user's email communication what a typical email looks like from that user's point of view. Finally, we need to remind the user about the virus possibility just before she opens the file. Clicking the attachment could give a reminder explaining why the email software has categorized the attachment as dangerous and what the unwanted consequences of opening the file could be. The user gets the warning just in time and needs to confirm whether she really wants to open the file. Naturally the default must be not opening the file. The trick here is to make the email software intelligent enough that the user doesn't get false alarms and doesn't need to make these decisions too often.
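The just-in-time warning sketched above, as an added example that is not the author's design nor any real mail client's code: a per-user baseline is learned from the user's own mailbox (which senders, domains and attachment types are normal), a new message with an attachment is scored against that baseline plus a few static signals (executable file types, a decoy double extension, lure vocabulary), and above a threshold the default answer is "do not open" with the reasons spelled out. The mail history, sender addresses, word lists, point values and threshold are constructed assumptions; the message body is the Bank of America sample quoted earlier in the post.

```python
"""Just-in-time attachment warning from a per-user baseline.

Added example. The history, sender addresses, lure words, risky
extensions, point values and threshold below are assumptions chosen for
illustration, not measurements; the phishing body is the sample from the
post.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lure vocabulary typical of payment/refund scams (assumed list).
LURE_WORDS = {"transaction", "transferred", "receipt", "payment", "invoice",
              "urgent", "verify", "account", "refund", "free"}
# Types that execute, or unpack into something that executes (assumed list).
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "hta", "lnk", "zip"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachment: Optional[str] = None  # attachment file name, if any


@dataclass
class Baseline:
    """What 'normal' mail looks like for one user, learned from their own mailbox."""
    senders: Counter = field(default_factory=Counter)
    domains: Counter = field(default_factory=Counter)
    extensions: Counter = field(default_factory=Counter)

    def learn(self, msg: Message) -> None:
        self.senders[msg.sender.lower()] += 1
        self.domains[domain_of(msg.sender)] += 1
        if msg.attachment:
            self.extensions[extension_of(msg.attachment)] += 1


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def extension_of(filename: str) -> str:
    # The last extension is the one the OS acts on: "receipt.pdf.exe" is an .exe.
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def build_baseline(history: List[Message]) -> Baseline:
    baseline = Baseline()
    for msg in history:
        baseline.learn(msg)
    return baseline


def score(msg: Message, baseline: Baseline) -> Tuple[int, List[str]]:
    """Risk points for the attachment plus the plain-language reasons behind them."""
    if not msg.attachment:
        return 0, []
    points, reasons = 0, []
    ext = extension_of(msg.attachment)
    if msg.sender.lower() not in baseline.senders:
        points += 2; reasons.append("you have never received mail from this sender")
    if domain_of(msg.sender) not in baseline.domains:
        points += 1; reasons.append("you have never received mail from this domain")
    if ext in RISKY_EXTENSIONS:
        points += 3; reasons.append(f".{ext} files can run programs on your computer")
    elif ext not in baseline.extensions:
        points += 1; reasons.append(f"you have never received a .{ext} attachment before")
    if msg.attachment.count(".") > 1:
        points += 2; reasons.append("the file name hides its real type behind a second extension")
    words = set(re.findall(r"[a-z]+", (msg.subject + " " + msg.body).lower()))
    lures = sorted(LURE_WORDS & words)
    if lures:
        points += 1; reasons.append("the message uses typical lure words: " + ", ".join(lures))
    return points, reasons


def decide(msg: Message, baseline: Baseline, threshold: int = 4) -> Dict:
    """Below the threshold the file opens silently; otherwise the default is NOT to open,
    and the user must confirm after reading why."""
    points, reasons = score(msg, baseline)
    if points < threshold:
        return {"open": True, "score": points, "reasons": reasons}
    prompt = "This attachment looks dangerous because: " + "; ".join(reasons) + ". Open anyway?"
    return {"open": False, "score": points, "reasons": reasons, "prompt": prompt}


# Constructed mailbox history for one user.
HISTORY = [
    Message("alice@example.com", "Q3 report", "Draft attached", "q3-report.pdf"),
    Message("bob@example.com", "Minutes", "See attached", "minutes.docx"),
    Message("alice@example.com", "Re: slides", "Updated deck", "deck.pptx"),
]
# The sample from the post, with a constructed sender and a decoy double extension.
PHISH = Message(
    "notice@boa-secure-alerts.example", "Transaction completed",
    "Transaction is completed. $39976449 has been successfully transferred. If the transaction "
    "was made by mistake please contact our customer service. Receipt of payment is attached.",
    "receipt.pdf.exe",
)

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(decide(PHISH, baseline))
    print(decide(Message("carol@example.com", "Budget", "Numbers attached", "budget.pdf"), baseline))
```

A new colleague from the user's own domain sending a PDF scores only the "never seen sender" points and opens without a prompt, which is the false-alarm case the paragraph worries about; the prompt is reserved for messages that stack several signals at once.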

In general, software companies need to understand human behavior, and especially irrational behavior, much better and make use of that knowledge when designing software. It's not the users of the software who are the weakest link; it's the programmers who don't make software suitable for users but instead force them to make tough decisions in a complicated environment.