Security fact or fiction? How to 'sanity check' cybercrime news
Do a sanity check
For decision makers charting cybercrime headline hysteria, the only option is to double down on recognizing signs of BS in news about costs, losses, or threats.
It's crucial to do a "sanity check" when the news is based on claims in a survey, report, or study.
Look for the source
Is what you're reading based on a survey or a study -- or just a report issued by a company?
Whose input is the information based on: A company, a company's clients, or a sampling of the general population?
Is the survey valid?
Is the methodology clearly disclosed? What is the sample size? Does this seem reasonable?
Beware of unchecked and unverified statements and statistics
Is the source, and the information, verifiable in any way?
Look out for fair reporting
Is the information presented with the other side of the story or counterpoint research?
Does the source of the information have a personal stake involved?
Is there a personal or professional interest from the reporting source? Is the reporter a "fan" of a person involved in the research, or does the reporter have a company preference? Does the news outlet tend to favor or decry anyone, or anything?
Does the solution come from only one company?
Look at the problem a news story is presenting, and see how the article proposes a solution: If the solution comes from only one company, then you're looking at a company product.
Does the threat apply to you?
Does this threat actually apply to your organization or your customers?
How likely?
Is this an attack that can only happen under highly unusual circumstances?
Is it old news?
Has the threat or issue been resolved, yet this information is buried in the article?
Really?
Is the phrasing "are affected" (an active attack) or "could be affected" (a possible attack if you squint and angle your head while looking at the problem)?