Vendor math doesn't add up on federal security priorities

According to a new report sponsored by an IT performance management software vendor, federal agencies aren't spending as much as they should on battling internal threats -- the kinds of threats the vendor's software is designed to help protect against.

But the recommendations were based on misleading interpretations of the results of the survey of 200 federal IT professionals who were asked about both internal and external threats and their security spending priorities.

"What was surprising was that they identified careless and untrained insiders as one of the biggest threats, whereas the investment was focused on the external side," said Chris LaPoint, VP of product management at Austin-based SolarWinds Inc., the vendor that sponsored the survey.

He shouldn't have been surprised, since the question was rigged from the start.

Respondents were asked to select which of eight different threats were of concern to them -- two of those threats were internal and six were external.

That is, respondents were choosing between malicious insiders and careless insiders on one hand, and six different external groups on the other -- ordinary hackers, foreign governments, hacktivists, terrorists, for-profit criminals, and industrial spies.

Careless insiders had the most responses, at 53 percent, followed by the general hacking community at 46 percent, foreign governments at 38 percent, hacktivists at 30 percent, then malicious insiders at 23 percent, and finally terrorists, for-profit crime and industrial spies.

But using this question to demonstrate that careless insiders were the biggest threat was a case of comparing apples to oranges. After all, if the insiders were split into six categories as well, instead of two, it's much less likely that they would have come up on top.

And, in fact, the implications that the vendor drew from this question -- that federal IT professionals were more worried about careless insiders than anything else -- were contradicted by other survey responses.

However, instead of admitting that the question was rigged to favor internal threats, LaPoint argued that there was another explanation for the contradiction.

"One might justify this discrepancy by posturing that malicious external threats are more damaging, even if they aren't the largest source of threats," he said.

One of those contradictory questions asked how much agencies' concern about particular threats increased or decreased over the past two years.

Concern about malicious external threats increased for 81 percent of the respondents. Concern about malicious insiders increased for only 52 percent, and concern about careless insiders for 53 percent.

Meanwhile, spending to battle malicious external threats increased for 69 percent of respondents, while spending on malicious and careless insiders rose for 46 and 44 percent, respectively.

"A greater proportion of respondents indicate concern and investment of resources has increased significantly or somewhat for malicious external threats relative to insider threats," confirmed Laurie Morrow, the analyst at Market Connections who oversaw the study. "Investment in resources lags slightly behind concern for all three categories of threats."

So that's about reasonable -- spending lags behind concern pretty much everywhere.

The second statistic highlighted in the vendor's press release is another misleading one: that "64 percent believe malicious insider threats to be as damaging or more damaging than malicious external threats."

At first read, that makes it sound like respondents were more worried about insiders than outsiders.

In fact, only 26 percent thought that insiders were potentially more damaging -- 37 percent thought that outsiders were, and 38 percent thought the two threats were about equal.

Notice the sleight of hand?

Those who thought the two risks were about equal were lumped in with those who were more worried about insiders. If they were lumped in with the other camp, the quote would have been "75 percent of respondents believe malicious external threats to be as damaging or more damaging."

How does the vendor explain this? By arguing that the statement was technically correct -- and that even if only a quarter think that insiders are a bigger threat, it's still an important number.

"More respondents see malicious external threats as more damaging than malicious internal threats," admitted LaPoint.

"But the majority see the two as equally damaging, and still more than a quarter see insiders as more damaging," he said. "Those that see insiders as more than or equally as damaging as outsiders are, in our opinion, quite high, and we'd think the concern and investment to prevent them would be correspondingly higher."

Stories by Maria Korolov