You have all heard them posted from atop the Internets in the form of a blog posting, white paper or marketing collateral; references to theoretical physics, military strategy and Dilbert cartoons. Memes splashed with a dollop of self-aggrandizing and a pinch of navel lint. They are the top 5 abused, misused and misconstrued terms in information Security…
1. Paradigm Shift: Used by every marketing person to convey the revolutionary pendulum shift created by their company's latest widget – Foucault would be proud (here), mostly because he loves pendulums. Kuhn (here), however, would not be, since he specifically bounded the term to hard sciences. Information security is not a hard science; hell, we can’t even measure it (here).
2. Game Theory: Security folks love games, they also love theories, so it seems obvious that they would love game theory. There is nothing inherently wrong with the use of game theory to describe computer security, it’s just that it assumes less variability than actually occurs in the dark places between the keyboard and the chair. Speaking of games there is a worm that targets Grand Theft Auto 4 (here), or more accurately targets GTA4 fans who use peer-to-peer networks to share pirate steal distribute files.
3. l337 5p34k: Slang jumped the shark decades ago when organized street gangs took prison lingo to a new level of communication as part of their criminal enterprise. Computers introduced a new shark. l337 speak (here) has become one of the more annoying side effects of the collision between illiterate hackers, uneducated security professionals and text messaging. Whether you are 12, 22 or 42, if you use leet speak then ur teh suk.
4. * is dead: Killing products or markets is one of the more liberating aspects of being an analyst – paid and armchair alike – from PKI is dead, to IDS is dead, to AV is dead, to GRC is dead, to security itself is dead, it seems like every time you turn around someone is killing something in security. Unfortunately no one seems to be focused on killing the threats themselves. Interestingly enough, all of the technologies that are pierced through the heart with the mighty pen of analytical bravado seem to be thriving at some level. The reality is that technologies rarely die; Windows Vista aside, the majority of technologies evolve. So it is far more appropriate to say IDS evolves, or AV evolves, or security evolves, but that is far less controversial, and no one wants less controversial in a world screaming for cage match analysis and bare knuckle blogging.
5. Security ROI: Security ROI is the white whale of the security industry. Some have been tracking the beast for decades, convinced that once achieved it will spring forth a fountain of incontrovertible proof that security can in fact save you money or, more appropriately, that vendors can sell you more stuff. Yes, we all know that security costs money and bad security can cost lots of money, but making an economic case for security investment will only leave you cold and alone in the best case and standing next to a freeway onramp with a “Will secure your WAP for food” sign in the worst.
Other terms that were considered for inclusion on the list but didn’t meet the judges' exhaustive criteria for the top 5 included: FUD, DLP, CMF, IDS, IPS, PFW, AV, AS, SCAP, FDCC, CVE, CVSS, CPE, CCE, OVAL, XCCDF, PCI, SOX, HIPAA, GLBA, FISMA, COSO, COBIT, CISSP, ITIL, ITSM, CMDB, NAC, GRC, Rich Mogull, information centric security, data centric security, twitter, virtualization, virtualization security, virtualized security, secure virtualization, security of virtualized environments, business alignment, business enablement, metrics, risk management, in the cloud, security as a service, vulnerability disclosure, black hat, white hat, grey hat, zero day, SCADA, hacking, cracking, freaking, phreaking, phracking, security awareness, Sun Tzu, and of course quantum anything… if you feel the judges neglected a term, please let us know so we can include the entry in next year's contest.