Sunday, July 30, 2006

Security Trends

Sean of F-Secure avers "that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better". [Exploit Wednesday, via Emergent Chaos]

F-Secure does seem to have some evidence for the growing sophistication of malware attacks, and a plausible explanation for the fact that these attacks are less visible. But explanation is not evidence.

Point One. Even if visible attacks are decreasing, this doesn't provide conclusive evidence that invisible attacks are decreasing.

Point Two. The lack of evidence that invisible attacks are decreasing does not imply any evidence that invisible attacks are increasing.

But that's not quite what F-Secure says. F-Secure avers that the reduction in visible attacks provides evidence that invisible attacks could be increasing.

But this is rubbish. We don't need evidence for the possibility of increased attack; it's not something that requires evidence. What we want to know, which F-Secure avoids telling us, is some measure of what is going on. And F-Secure is not offering us any evidence that is relevant to this question.

This illustrates a general problem with evidence-based policy in risk and security matters. When preventative action is effective, it is often difficult to demonstrate its necessity. So security experts and vendors feel themselves obliged to talk up the (sometimes counterfactual) possibility of attack, without always being able or willing to present concrete evidence of the incidence of attack.

Technorati Tags: