“Statisticising” cyber security

Last night I went fishing in our new boat and we caught 2 Dusky Flatheads, ugly but a great eating fish. Sorry, I digress, but it seemed important at the time. Here they are – we had no time to name them:

Sorry, I got distracted – a challenge of the modern day, living in short snippets called ‘likes’.

So anyway: a thing happened today. My LinkedIn statement was, for the first time ever, “called out” as being a “Liar's Paradox”. I don’t know what paradox means, so ignore that! But it made me think (a lot), and I don’t like to be left thinking on a weekend, so I did what any geek/nerd/loser would do in my shoes, which is to not let it go!

This is my bio:

90% of statistics are made up, the other 10% simply untrue. Join my movement for cyber security to be about business improvement and resilience, cyber security for the right reasons not hyperbole and fear mongering.

I want to explain, because there is something about statistics, and specifically cyber security statistics (this being my industry), that is dirty and devious, and not effective either.

Statistics are the sugar of the 20-teens (2010 – current): BAD for you. The sugar industry tried to cover this up and were successful for many years (https://ali-alsous.medium.com/the-low-fat-myth-83ce487511bb).

Now the problem was, and is, that too much of it is bad for us, causing weight gain, leading to cancer and creating lethargy in us (sugar, not statistics!). Statistics do not cause cancer or weight gain, luckily, because otherwise we are all doomed, but statistics do cause lethargy and a bad taste in our mouths, and over time we become immune to them – just as the pancreas of a diabetic stops processing sugar when the owner of that pancreas consumes too much of it.

In the cyber security industry, most cyber security vendor organisations use statistics to lightly “dust” us all in sweetness (or fear) about the impending doom ready to befall your business if you do NOT buy product X immediately, showing us through charts and figures the devastation that is exploding to the left and the right of our business.

Once you do relent to the barrage of phone calls and emails (because you agreed to “find out more”) and purchase their new cyber security widget, the “hit” of the sugar rush leaves quickly and YOU have a new baby to look after. I don’t know about you, but one baby is easy, two is difficult, and three would be a nightmare! How many cyber security tools are there?

Expanding on statistics:

Let us look at a few that are most likely to be accurate because they come from a government body. Still, be cautious: the objective of the Australian Cyber Security Commission (ACSC) is to have all of Australia cyber secure, so even their statistics, though hopefully impartial, will be influenced by their mandate, maybe financially because of funding, maybe to show more success (or more fear). It does not necessarily mean “untruths”, just selected data.

Note: I am not questioning the data presented by the ACSC as they are a reputable organisation entrusted with helping all Australians.


Figure 1 ACSC 20-21 annual cyber report

In the chart above, what stands out is that the Commonwealth government seems to be almost completely affected by cyber crime. Can this be true?

Well maybe not:

  • Firstly, the chart scale is 0-20%, so the presented view of the statistic may immediately over-emphasise the scale of the problem.
  • Secondly, is there another reason why Federal government is number one and other government is number two? This is quite possible, because government departments take their reporting requirements much more seriously than any private sector organisation.

Reviewing this government report by the ACSC shows, with real statistical data, that what is presented does not reflect the information at its true scale; it reflects a view, or a collection of views, on the state of cyber in Australia.


Figure 2 ACSC 20-21 annual cyber report

Two important statistics are mentioned above, and a third for those of us who cannot do our own maths, including myself (I was terrible at maths!):

  • A 15% increase in ransomware attacks? Now that is a statistic I could use to encourage my customer base to improve their cyber resilience, right? Well, yes, until the next statistic is introduced…
  • Oh, 500 ransomware reports received in 20-21? Then 15% is a rounding error; maybe last year businesses were simply less likely to report a ransomware attack.

As of June 30 there were 2,402,254 actively trading businesses in Australia (source: https://www.abs.gov.au/statistics/economy/business-indicators/counts-australian-businesses-including-entries-and-exits/latest-release), so either:

  1. 15% more businesses were affected by Ransomware in 2020-21 (reported), or
  2. 0.000208% of all active Australian businesses were affected by ransomware in 2020-21 (reported).

Both are correct: the first statistic makes a better headline, yet the second statistic reflects the reality.

Information is great, but while statistics are being used to create demand, never believe a statistic unless you have the criteria used to derive the result and you agree with the premise being presented to you. Part of critical thinking is to question – or so I am told.

What does this mean for your business? Well, firstly, do NOT panic that you need to do something now because the latest vendor presentation displayed some alarming “statistics”. Instead, spend some time reviewing your assets, applications and people, and if you do not have the resources to do this, engage a trusted partner to help you with these steps (do not do a free vendor assessment! Remember what your parents told you about free).

You probably already have the tools you need from a product standpoint: your business is probably already using M365 or O365 licences, and even with E3 or F3 licences your organisation is able to do the most critical parts of the ASD Essential Eight without additional costs except time and training.

The third-party virus protection tools you are using today can most likely be used to achieve the next level of cyber resilience you wish to obtain, so discuss this with the vendor.

Finally, let us start a movement: a movement for the freedom of raw data from ‘bad’ people who statisticise (I made a word!) information while avoiding the truth about how the data was gathered.

Let's join data and statistics together, using the sources and scales to illustrate an overall message that is accurate and honest. No more lies. Let the data tell the story, not the stat!


Have a great weekend, I am going out now for Bò né (the Vietnamese beef steak in Springvale is amazing!)
