False Flags: The Art of Making Context-Dependent Cyber Security Decisions

Defining what is "cyber safe" and what is "cyber secure" is not a simple clear-cut task. In different business contexts "cyber safety" and "cyber security" will be defined differently. Furthermore, it is incredibly difficult to arrive at objective definitions of these concepts as your judgement about cyber security (irrespective of whether you are a business owner, manager, employee or a cyber security expert) will influence your perception of safety and security as well as your understanding of what should be done to increase cyber security.

Flags as Reference Points

In order to understand this context-dependency, the false flags analogy helps to illustrate how business goals and cyber security usually interact within the organisations. I have a colleague, who is a medieval war history professor and once he told me told me a very interesting fact about medieval battles. It turns out that when knights fought against each other in a major battle, they used their military flags (or standards) as reference points to help them co-ordinate their actions. Here is how this worked.

Imagine that you are in the middle of a medieval battle. You are wearing an armor. It is heavy and the visibility inside your helmet (e.g., sallet) is incredibly low. It is also very noisy around and you are riding a horse, which adds yet more uncertainty to the entire operation. So, in principle, you are operating in an incredibly uncertain environment with almost zero visibility. How can you possibly know (i) how well your troops are doing and (ii) how to coordinate with others in common actions? This is where the standard-bearer comes in. Since you cannot hear or see much, your best bet is to locate the flag. That way you can tell whether your side is winning, losing, or needing to regroup.

In the medieval age, since the standard-bearer had almost no means to defend himself, he was usually the first target for the enemy troops as capturing the standard not only had a symbolic meaning, but left the enemy practically disoriented on the battlefield. The beauty of the battle standard as a reference point was that it revealed to those in the middle of the battle the real state of affairs.

Cyber Security Flags and False Reference Points

In cyber security, we also determine a set of reference points (flags) which should help us to trace the compromises or attacks. We are deliberately using the word should because the fact that these flags exist does not mean that they are real. For example, if your organisation has a system of firewalls (or if you are applying a perimeter-free zero-trust approach, as system of verification and validation points), they could act as flags. Yet, it is possible to compromise the system without even touching the firewalls (or verification and validation points). In this case, the flags which you have set up and identified are useless for the formulation of an effective and agile cyber security strategy.

This means that our perception of security often operates in a system of false flags. False flags are often a product of context dependency neglect (i.e., the inclination to adopt universal solutions rather than solutions tailored to a specific context) as well as psychological biases (e.g., these biases could come from previous experiences where being a subject of a particular attack alters your perception of the likelihood of a similar attack in the future).

Take Aways

Cyber security decisions are very context-dependent and may be affected by various organisational, algorithmic as well as human biases. Therefore, it is incredibly important to constantly test a set of flags determined by your organisation to see whether these flags still matter and to what extent noticing them helps you to reach your cyber security goals. Coming back to our firewalls example, it would be silly to invest large amounts of money into firewall solutions if major cyber security risk for your organisation comes from phishing or spear phishing. But to identify the waste in your cyber security system and to realise that your flags might be false, you have to constantly question these flags.

#perceptions #cybercrime #cyberrisks #cyberthreats #datasecurity #cyberattack #hacking #risk #infosec #security #referencepoint #phishing #cyberperceptions #informationsecurity