“How to Lie with Statistics” was written by Yale Professor Darrell Huff in 1954. Now, 60 years later, many of the things he described as misuse of statistics are commonplace. He considered it ridiculous, for example, to add up the years of work experience of everyone at a company and say that the company itself has “over 150 years’ experience” when the company was actually founded 18 months ago. Since then, it’s been done (a lot).
In reading press releases and in talking to vendors over time, I’ve come up with my own list of statements where we are invited to determine that a risk is lower than we might think. The “low risk” determination is based on logic that will not hold up to scrutiny. That’s not always lying, of course. Sometimes it is just that a legitimate compensating control is given way too much credit. Here are the ones I can never forget:
- The equipment is old and way past end of life but the manufacturer has a reputation for making high quality equipment and it has never gone down. So the information security risk of using the equipment is low
- We don’t use strong passwords in our software but the sensitive data it stores are not at risk because you are running the software inside your firewalls
- By choice, we do not encrypt all our laptops but we have a policy against anyone putting sensitive data on an unencrypted laptop and leaving the building with it so the risk of a breach is low
- Yes, installing the software in your environment is low risk. We have security as part of our Software Development Lifecycle (SDLC): we compile the software on servers that run anti-virus software
- The database is in our data center behind lots of security. You might be able to hack individual POS terminals/workstations but you would not be able to steal the data wholesale so the risk of a large breach is low
- The tapes are not encrypted. But it takes special equipment to read those tapes so the risk that the data will be breached is low
- The data are not encrypted in transit but we use a special port to send the data out when it leaves your network. It does not go over port 80 where most internet traffic goes, so it will be hard for hackers to find
- Technically, it is not encrypted but we use a compression algorithm to store the data so if you brought the file up in a text editor, you could not read it
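The last item, compression presented as if it were encryption, is the one an auditor can check directly rather than take on faith. The script below is an added example, not code from the original post: it uses only the Python standard library, the RECORD value and the toy keystream are constructed stand-ins for a vendor's data file, and it shows that a merely compressed file gives its content straight back, while an opaque file only tells you that no stock decompressor applies.

```python
from __future__ import annotations
import gzip, hashlib, math, zlib

# Stock containers tried in turn, identified by their leading magic bytes.
DECOMPRESSORS = [
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"\x78", "zlib", zlib.decompress),  # 78 01 / 78 5e / 78 9c / 78 da
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random bytes, well below for text."""
    n, counts = len(data), [data.count(v) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def classify_blob(data: bytes) -> tuple[str, bytes | None]:
    """'compressed': a stock decompressor recovered the content, so "you can't
    read it in a text editor" offers no protection. 'opaque': no known container
    matched; high entropy is consistent with encryption but proves nothing."""
    for magic, name, decompress in DECOMPRESSORS:
        if data.startswith(magic):
            try:
                return f"compressed ({name})", decompress(data)
            except (OSError, EOFError, zlib.error, ValueError):
                break  # magic matched by accident; fall through
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "plaintext", data
    if shannon_entropy(data) > 7.5:
        return "opaque (high entropy; may be encrypted)", None
    return "opaque (low entropy; unknown encoding)", None

# Constructed sample record (no real data), repeated so the blob is not tiny.
RECORD = b"card=4111111111111111;exp=12/29;name=J. Doe\n" * 50

def toy_keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream: a stand-in that yields a
    high-entropy blob for comparison, not a recommended cipher."""
    stream, i = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> dict[str, tuple[str, bool]]:
    """Classify three storage formats of RECORD; the bool = content came back."""
    blobs = {"zlib": zlib.compress(RECORD), "gzip": gzip.compress(RECORD),
             "toy-enc": toy_keystream_xor(RECORD, b"demo-key")}
    return {k: (classify_blob(v)[0], classify_blob(v)[1] == RECORD)
            for k, v in blobs.items()}
```

Calling `demo()` reports both compressed blobs as fully recovered and the toy-encrypted blob as opaque; the entropy test alone never certifies a cipher or key handling, it only rules out the "compression counts as encryption" claim.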
As with the term “best” in the phrase “best practice”, which my last post covered, the phrase “low risk” is, at least sometimes, a bit of an overstatement. Or, as an even older post points out, some people in the organization are “tellers of tales”. They have valuable places in an organization. But their only relationship to risk analysis should be as an audience for it.
As an auditor, your list of compensating controls made me laugh. – Jim