Cybersecurity Trends 2020? F*ck…

Figure 1. The billionaire John McAfee made a bold prediction in 2017.
The website dickening.com keeps track of it.
Spoiler alert: of course, the guy won’t do that.
How many times has the end of the world been predicted? Wikipedia has a
reasonable estimate.
Look at these two predictions:
“There is not the slightest indication that nuclear energy will ever
be obtainable. It would mean that the atom would have to be
shattered at will.” —Albert Einstein, 1932.
“Spam will be a thing of the past in two years’ time.” —Bill Gates,
2004.
Everybody is attracted to predictions. As humans, we are hardwired to
seek information in an attempt to cope with uncertainty. Some people,
for instance, consume astrology trying to foresee their future to
anticipate bad outcomes or feel relieved about good ones. Others rely
on “spiritual gurus” believing they possess an “eye” into the future. In
business, the story is similar, but without the esoteric halo. Many
organizations and specialized news agencies publish their trends or
predictions in almost every sector of the economy for the upcoming (or
starting) year. Do a simple Google search for trends: technology,
fashion, business, human resources, innovation, and more. There are many
predictions.
Nevertheless, there are several issues with predictions. The previous
quotes show how badly these predictions went. Nuclear energy has been a
reality for decades, and spam is still around causing problems.
Cybersecurity has its chunk of “trends publicity” year over year.
We looked at some of these predictions for 2020, those easily reachable
online, and we tried to do a simple classification. In the next lines,
we share the first piece of our comments regarding this exercise. We
found that some trends are no trends at all; some others reach a level
of consensus, and finally, we found some isolated predictions
insightful. We will focus on those dubious trends.
Fear will drive cybersecurity spending

Figure 2. Photo by Jon Tyson on Unsplash
We don’t know about you, but the moment we read that subtitle pointing
to a cybersecurity trend, we were a bit shocked. If that is true, we
wonder what other aspects writers think have driven spending in
previous years. Fear has always been a driver for behavior. In
cybersecurity, we can’t deny it plays a significant role, naturally.
That’s not new, and it’s not a trend. Furthermore, the figure used to
support this claim (“76% of organizations plan to increase their
cybersecurity budget”) does not imply fear only, but an array of
reasons. We think the most plausible is that some cybersecurity
investments pay off.
In another place, we found this “trend”: “Information security
technology remains important.”
Who said security technology would decline? Where’s the evidence? If
almost everything now is a piece of software, who dares to say that
security technology would become useless? Security technology evolves
like any other technology. We were shocked to read this as this implies
there was a claim in the other direction, but the writers offer nothing
from which this trend could be stated. Maybe the trend is that
organizations will renew their security technology at a faster pace?
“A Growing Awareness of the Importance of Cybersecurity”
No shit! As in the “fear” trend, this one points to the expected growth
of cybersecurity spending. In principle, it sounds plausible. But one
should ask: who is “aware” here? Organizations as a whole? Their top
management? Their employees? It might be the case that, precisely
because of a lack of awareness, organizations are spending more on
cybersecurity. In other words, behaviors that contribute to security
seem not to support the claim of higher consciousness.
The premise pointing to a higher awareness could be used precisely in
the opposite direction, so this trend is very unclear. A few people also
consider “awareness training” as a trend, based on more training
demanded by companies. Again, this probably shows that awareness is not
growing, so organizations are investing in this training, expecting to
raise it. Cybersecurity spending is not a reliable indicator of
awareness as a whole. One last thought: does awareness translate into
behavior? Scientific studies have found this is hardly true in plenty of
circumstances (see, for example, Sheeran & Webb, 2016, about the
intention-action gap; a specific case in cybersecurity is discussed by
Bada et al., 2019). Be mindful of the goals your company pursues when
considering whether to invest in cybersecurity awareness training.
To conclude, a final exotic example: “Security is integrating with data science.”
Current buzzwords are also pervasive in these publications. What the
f*ck do they mean by “integrating with data science”? Maybe the wording
is not appropriate. Writers of this trend probably wanted to say this
instead: data science —applied statistics, given availability of
programming and processing power— is being used more in cybersecurity,
and that’s undeniable. Data science is being used increasingly in all
sectors of the economy to deliver more value. However, if we take this
sentence literally, it is hard to understand what it means. We didn’t
find any clarity on the source either.
As these examples show, we shouldn’t take trends for granted; we should
analyze these predictions critically. Vagueness and lack of precision
populate these claims.
One fundamental issue with most forecasts

Figure 3. Photo by Chris Liverani on Unsplash
We believe these trends we mentioned are, on average, based on good
faith. Nevertheless, most of them, if not all, will have no consequences
for inaccuracy; there’s no accountability for authors. That’s an
essential insight explaining why there are so many forecasters out
there. In essence, there’s no clear incentive or punishment for the
outcomes of predictions. When forecasters are confronted about
inaccuracy, rationalizations kick in. Moreover, most people just forget
about forecasters. Do you remember a very bad forecaster? Maybe not if
you also had no skin-in-the-game related to those forecasts.
Continuous hacking shows a higher value
We have never got into making forecasts about cybersecurity. This
exercise made us more mindful when considering any sort of prediction
in our field, should we feel attracted to one. We must have clear evidence
about the value of any trend under consideration. In an upcoming post,
we will address some trends we found appealing and with better support.
We will also return to the skin-in-the-game issue among others coming
from scientific scrutiny about forecasting or prediction.
We recently launched our “State of Attacks” 2020 Report. Click here to
read it. Among our results in working with customers, you will find one
key takeaway worth noting now, in line with this post: continuous
hacking delivers more value. If
that is so, we could expect this to keep growing. We have evidence that
customers continuously testing the robustness of their software and IT
infrastructure do find more weaknesses and achieve a higher rate of
fixes.

Figure 4. “State of Attacks” 2020 Report
We hope you have enjoyed this post, and we look forward to hearing from
you. Do get in touch with us!
References
Bada, M., Sasse, A. M., & Nurse, J. R. (2019). Cyber security
awareness campaigns: Why do they fail to change behaviour?
arXiv preprint arXiv:1901.02672.
Sheeran, P., & Webb, T. L. (2016). The intention–behavior gap.
Social and Personality Psychology Compass, 10(9), 503-518.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/trends-2020/

