The CIO of a major bank in Australia, speaking before a gathering of his peers from other financial institutions, recently announced that they “should use the tactics of Fear, Uncertainty, and Doubt to convince senior management to invest in security”. “While senior management may be aware of the risks to their information infrastructures,” he advised, “they often do not fully understand the damage that a breach in security can cause a business. Fear, Uncertainty, and Doubt can also motivate board members to take direct action to mitigate risks”.
The Australian CIO did not originate the term “Fear, Uncertainty, and Doubt.” In fact, these three words are so familiar to information security professionals that they have been abbreviated into an unappealing acronym, FUD. Originally coined to describe the sales tactics of major hardware and software manufacturers, FUD has since become associated with a persuasive means of convincing corporate managers that human and financial resources should be allocated to the information security function. A prominent American technology professional, quoted in CIO Magazine, puts it simply: “Fear, uncertainty, and doubt—FUD—has been used to sell security. If you scare them, they will spend”. Information security is the antidote to FUD; its purpose is to introduce controls that dispel fears of losing data, funds, and privacy. As succinctly stated by Shelton Waggener, another American CIO: “Security is really an insurance policy”. Eric Goldman, Director of the High Technology Law Institute at the Santa Clara University School of Law, rephrases Waggener’s sentiment: “There is no real wealth created by the investments in security, it is just a cost of everything we do in our lives”.