FUD, or Fear, Uncertainty and Doubt, is an often-used marketing tactic, and not only within the information security industry. Exaggerating risks, presenting risks without substantiating factors and citing flaky supporting evidence are three of the most common tactics used. By spreading FUD, vendors lead users to believe they need to buy something now to prevent imminent risks. FUD also paints a distorted picture of threats and scenarios. How are we able to make an accurate assessment of a perceived risk such as an emerging threat?

Critical thinking. Consider the following simple example: “Senior analysts reported a year on year increase of up to 30% on attempted security breaches.”

1. WHICH and HOW MANY senior analysts, analysing WHAT data and working for WHOM?
2. HOW is “year on year” measured? January to December? A Company’s accounting or reporting year?
3. “Up to 30%” is a largely meaningless statistic, which can be rewritten as “somewhere between 0 and 30%”.
4. WHAT is an “attempted security breach”? Who qualifies it? Who measures it? Who reports it and to whom?
5. WHAT type of “attempted security breach” was covered? Do these types apply to me?

FUD appears to be especially rife in infosec – I’m not sure that it is, though. I believe that infosec types are naturally curious, critical thinkers, and so the FUD stands out more. Our FUD is no more special than anyone else’s FUD found across global industries and marketing practices.