Top 5 Abused/Misused/Miscontrued Terms in Information Security

You have all heard them posted from atop the Internets in the form of a blog posting, white paper or marketing collateral; references to theoretical physics, military strategy and Dilbert cartoons. Memes splashed with a dollop of self-aggrandizing and a pinch of navel lint. They are the top 5 abused, misused and misconstrued terms in information Security…

1. Paradigm Shift: Used by every marketing person to convey the revolutionary pendulum shift created by their companies latest widget – Foucault would be proud (here), mostly because he loves pendulums, Kuhn (here), however, would not be, since he specifically bounded the term to hard sciences. Information security is not a hard science, hell we can’t even measure it (here)

2. Game Theory: Security folks love games, they also love theories, so it seems obvious that they would love game theory. There is nothing inherently wrong with the use of game theory to describe computer security, it’s just that it assumes less variability than actually occurs in the dark places between the keyboard and the chair. Speaking of games there is a worm that targets Grand Theft Auto 4 (here), or more accurately targets GTA4 fans who use peer-to-peer networks to share pirate steal distribute files.

3. l337 5p34k: Slang jumped the shark decades ago when organized street gangs took prison lingo to a new level of communication as part of their criminal enterprise. Computers introduced a new shark. l337 speak (here) has become one of the more annoying side effects of the collision between illiterate hackers, uneducated security professionals and text messaging. Whether you are 12, 22 or 42 if you use leet speak then ur teh suk.

4. * is dead: Killing products or markets is one of the more liberating aspects of being an analyst – paid and armchair alike – from PKI is dead, to IDS is dead, to AV is dead, to GRC is dead, to security itself is dead, it seems like every time you turn around someone is killing something in security. Unfortunately no one seems to be focused on killing the threats themselves. Interestingly enough all of the technologies that are pierced through the heart with the mighty pen of analytical bravado seem to be thriving at some level. The reality is that technologies rarely die, Windows Vista aside, the majority of technologies evolve. So it is far more appropriate to say IDS evolves, or AV evolves, or security evolves but that is far less controversial and no one wants less controversial in a world screaming for cage match analysis and bare knuckle blogging.

5. Security ROI: Security ROI is the white whale of the security industry. Some have been tracking the beast for decades, convinced that once achieved it will spring forth a fountain of incontrovertible proof that security can in fact save you money or more appropriately that vendors can sell you more stuff. Yes we all know that security costs money and bad security can costs lots of money but making an economic case for security investment will only leave you cold and alone in the best case and standing next to a freeway onramp with a “Will secure your WAP for food” sign in the worst.

Other terms that were considered for inclusion on the list but didn’t meet the judges exhaustive criteria for the top 5 included; FUD, DLP, CMF, IDS, IPS, PFW, AV, AS, SCAP, FDCC, CVE, CVSS, CPE, CCE, OVAL, XCCDF, PCI, SOX, HIPAA, GLBA, FISMA, COSO, COBIT, CISSP, ITIL, ITSM, CMDB, NAC, GRC, Rich Mogull, infomation centric security, data centric security, twitter, virtualization, virtualization security, virtualized securty, secure virtualization, security of virtualized environments, business alignment, business enablement, metrics, risk management, in the cloud, security as a service, vulnerability disclosure, black hat, white hat, grey hat, zero day, SCADA, hacking, cracking, freaking, phreaking, phracking, security awareness, Sun Tzu, and of course quantum anything…if you feel the judges neglected a term please let us know so we can include the entry in next years contest.

17 thoughts on “Top 5 Abused/Misused/Miscontrued Terms in Information Security

  1. Pingback: Network Security Blog » Rich almost made the list

  2. I think “Audit Requirement” is over used. I hear “Audit Requirement”, yet my CISA’s can never tell me if it’s PCI, SOX, HIPAA, or best practices.

    What’s worse, try and get the standard you should apply them to:

    Auditor: You’re user account policies don’t meet audit requirements.
    You: ORLY? (sorry couldn’t resist), which requirements?
    Auditor: The requirements we tested them against.
    You: …oh okay…well what should they look like?
    Auditor: Uh…well I’m not supposed to say, I can point you in the right direction, but I can’t suggest corrective action.
    You:…so we have a problem but you can’t tell me what, or how to fix, or what basis the problem exists?
    Auditor: I think your attitude is out of compliance.

  3. @Eric

    Ah, yes that’s a good one. When I was a Gartner Analyst I covered the SIEM market, among other things, and in the 2004/2005 time frame I would often receive calls for SIEM technologies driven by audit requirements…

    Client: I am looking for a SIEM or Log management tool that can collect logs from all networking and computing devices on my network and then store them for at least 3-5 years
    Me: Ok, I can tell which tools provide those capabilities but first I would like to ask what problem are you trying to solve?
    Client: Uhmm, well we had an audit and the auditor told me it was a requirement for SOX.
    Me: Well I think you have an overzealous auditor. I would suggest that if this doesn’t provide any other benefit to the organization than satisfying the whims of an auditor you should push back.
    Client: You can push back?
    Me: Yes, of course, let me send you some research to help you form your thoughts and provide some insight to deal with auditors.

  4. This got me all a-twitter, thinking that the paradigm shift created because l337 5p34k is dead would create a synergy between my ROI and….

    aw, I’ll stfu

  5. @Arthur

    They were considered but didn’t make the top 5. They are listed in the term cloud at the end of the post as risk management and security awareness

  6. Pingback: Yi-Feng Tzeng’s Blog » Blog Archive » Top 5 Abused/Misused/Miscontrued Terms in Information Security

  7. Here you are my Top 5:

    1- Gartner Report, Every vendor claims that they are the Market Leader and any vendor can find the appropriate Gartner Report where his product is positioned in the Magic Quadrant

    2- Web 2.0. AJAX, et al. People love to mention such terms in their presentations in order to make you feel that they – as well as their products – are up to date, even if their product has nothing to do with such terms at all.

    3- Hardened OS, When a Security Vendor decides to choose a General Purpose Vulnerable and Insecure Operating System, they call it Hardened Operating System.

    4- Mitigation, Can someone please explain to me what’s the meaning of this term.

    5- DoS, When someone knows nothing about Vulnerabilities and Threats and just want to scare you be mentioning some scary technical names in order to convince you to buy his product, he will simple use the term Denial of Service Attack.

  8. hi
    i have a course work based on the data misused can anyone help me please as it is very im portant to know the a detailed description of data misused

  9. Pingback: Cyber Security Game Theory

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s