The FISMA Focus IPD

From: CompuerWeekly.com

By Mark Ballard

Harvard Business Review exaggerated the risk of cyber attacks on the European public sector in return for money from Zurich Insurance Group.

Zurich sponsored a Harvard survey last year, and promoted it in February, raising fears of cyber attack among potential customers. Harvard Business Review Analytics Services conducted the survey. Harvard Business School Publishing released the findings.

Zurich said in February the findings may indicate “a false sense of security” about information security in the European public sector.

Harvard had found that only 40 per cent of public sector bodies in Europe regularly evaluated their information security procedures and systems. It found other reasons for concern as well.

Or so it seemed. Harvard’s survey sample was feeble. It’s findings were unreliable.

Harvard had interviewed just 8 people that Zurich could verify worked for public sector organisations. If forty percent of these regularly reviewed their information security procedures, it would have as much significance for the European public sector as a poorly attended Church hall meeting in Penge. It would have meant Harvard and Zurich had based their findings on the opinions of 3.2 people.

The survey may not have been quite that feeble. But it wasn’t far off. And both Harvard and Zurich were unable to defend their findings.

A demographic breakdown of survey respondents seen by Computer Weekly showed how another 33 respondents had classified themselves as working either in government, charity or education. If you guessed that a third of these were public sector, you might conclude Harvard had surveyed 18 people. If you assumed the very unlikely possibility that they were all public sector, then you could count them as 41 of those surveyed. Zurich said Harvard surveyed 49 public sector organisations. Harvard said it interviewed 152 people across a variety of business sectors. The demographic breakdown showed it had interviewed 137 people. It looked flimsy. Even if you said 40 per cent of 40 people, Harvard had based its conclusion about the security of an entire continent’s public sector on the testimony of 16 people. It wasn’t a survey, it was a whip round.

You might be forgiven for expecting more of the Harvard Business Review. But that is precisely why companies like Zurich will pay to use the Harvard brand. The brand is so good, the survey doesn’t have to stand up. People will swallow it whole if it’s got “Harvard” on the front.

Duh, okay

Of other key findings in the Zurich / Harvard survey, somewhere between 2 and 14 public sector people said they were worried about cyber attack. Between 0.7 and 4.4 people said they did information security training. And between 6 and 36 people said they were compliant with regulations.

Or as Harvard put it, 9 per cent, 30 per cent and 75 per cent of respondents – or as you were meant to take it, of public sector bodies in Europe.

Harvard was careful not to state that this was representative of the European public sector – this survey that gave every other impression that it was representative of the European public sector.

Yet neither did Harvard state what its findings did actually say in context. It only stated them in relation to those people who had answered the survey, like a cat food advert on the television, telling you half truths and lulling you with purrs and happy housewives.

By hiding the context, Harvard instead gave a very powerful impression this was representative of the European public sector. Zurich itself stated very clearly that this paltry survey did speak for a continent.

What it was in fact representative of was members of the Federation of European Risk Management Associations (FERMA). Harvard had asked a bunch of insurance risk managers what they thought about cyber security. They were of course very worried about it.

But that was not all there was to it. It was not just shoddy scaremongering to get people to buy more insurance. It was an attempt to lobby for the cause of companies and public bodies appointing chief information security officers.

The survey narrative went like this. Most companies are worried about hackers and viruses and things. There’s so many threats that it’s “bewildering”. You could lose money. You could get sued. Yet few companies have adequate information security budgets. Few executives even know enough about information security. Their security strategies are a bit disorganised. It’s a bit of a rabble, with some HR directors doing some security stuff, some CIOs doing some other security stuff, and chief execs assuming it’s all under control. But is it under control? How can you be sure when it’s such an effort to get everyone together in one place? By the way, did you know that very few companies have dedicated chief information security officers? Oh an did you know that very few companies buy dedicated cyber insurance cover?

Most of this is not necessarily true. Some of it is blatantly misleading. Some is outright untrue. But you get the point.

Marketable skills

And the point is that when you ask risk managers about risk they say it’s very risky. You don’t need to pay Harvard to tell you that. But Harvard did do a famous job of writing these obvious conclusions deftly into something that says nothing about nothing in a way that makes it really seem something.

The point is that when you tell a bunch of risk managers what they want to hear, you lend courage to their convictions. The report gives them some tips as well: how to persuade your board to give more credence – and therefore a dedicated chief, and hence a budget for insurance – to the cyber threat.  Get government security people to come and do a presentation. Gather examples of nightmare scenarios yourself and do a presentation to the board. Be an insurance salesman.

So the Harvard report gives a lot of time over to what it describes as cyber threats. But when it came down to it they weren’t threats at all, but fears. Fears expressed by risk managers.

Fears, that is, of professional worriers. 25 per cent of them, for example, were worried about “stealth attacks by organized crime, terrorists, or nation-states”. It is probably good that someone is worrying about it, in some corner office somewhere. But it is not, as Harvard put it, a “top 10 information security and privacy threat”.

Packaging fears as threats and using them to work risk managers up into a lather of righteous fright – that’s not quite what you would expect of Harvard, is it?

The primary statistic for the survey was fear itself. Fear that people might disclose the wrong information. A sort of vague phobia of computer networks. Fear of espionage. Fear of trusted partners. The survey concluded that we were not fearful enough.

And there was fear of European regulation. The report led through a tangle of contradictory reasoning to the conclusion that most of what people do in Europe to protect themselves against cyber threats they did only for the sake of regulatory compliance. No matter that this meant public bodies had actually got information security pretty well covered. Regulation was a pain in the ass. The US has been lobbying against EU privacy regulations and undermining them with treaties for years. Harvard was having a good moan about it too. Zurich must have been rubbing its hands. The alternative, by strong implication, was that the determinant of infosec precautions should be actuarial. If you think it’s a pain in the ass now, wait till you have a professional worrier on the board, an insurance premium bearing down on you and a bunch of hood-winkers at Harvard telling you we are all going to hell in hand cart, or whatever else it is they’ve been paid to tell you.

Bearing in mind the survey was rubbish anyway. BAE Systems Detica lent their support to this work as well. As did PRIMO, the public sector risk management organisation, and law firm DLA Piper.

Organizational behaviour

Josh Macht, group publisher of the Harvard Business Review, told Computer Weekly his report was a worthy and valuable exercise that should not be taken out of context. It had itself made an effort to make readers aware of the context in which it had been produced: a survey of risk managers about risk.

“What’s important is to understand the context of it,” he said. “And that these are the opinions of those people. You are making it sound like there’s a sensationalistic bent to it, which I think is laughable.

“What’s more important is less the number than the who. We are very clear with people that you are talking to people inside organisations who are scanning the horizon for risk, in Europe.”

Macht could not say whether the findings were statistically significant. He refused to say how much Zurich had paid for them. He insisted Harvard had complete editorial control over the whole project.

He said Harvard’s thing was understanding organisational behaviour. That’s what the survey was about, he said. It was about the way organisations viewed and dealt with cyber risk.

It seemed rather that Harvard was trading on the idea that it is interested in organisational behaviour. And that it had organised its knowledge into a tool paying customers can use to influence organisational behaviour. It was a finalist in the 2010 M&M advertising awards for “Best Contribution to a Media Campaign”.

Whether Harvard has as a result demonstrated how it is prepared to sell its reputation short depends on whether you think corporate priorities should trump academic priorities in a business school. If the alpha business school can do good business selling tissue-paper stories, academic rigour doesn’t really matter, does it?