Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us

Book written by Eugene H. Spafford, Leigh Metcalf and Josiah Dykstra

Book review by Helen Patton

Bottom Line

I recommend this nonfiction book for the Cybersecurity Canon Hall of Fame.

In the spirit of full transparency, know that I would read anything written by the three authors (Spafford, Metcalf, and Dykstra) and expect to be amazed by their knowledge and wisdom. This book was no exception, AND they have managed to capture the unmeasurable essence of why cybersecurity is such an intriguing and exasperating profession.

“We want cybersecurity to be effective, informed, and reasonable,” (xxv) they note. They are concerned with misunderstandings, particularly in areas where people believe they are already well informed. Their goal is to “tackle decades of accumulated folk wisdom head-on” - and they do. Four key principles guide the whole book:

  • Cybersecurity is not merely about protecting computers and networks
  • Cybersecurity involves computers: however, cybersecurity is primarily about humans
  • Sometimes computers malfunction or people make mistakes
  • Cybersecurity is human-centric

With these principles in place, the authors reach back in time to provide a forward-looking way of examining the cybersecurity profession and the people within it.

This timeless book is a worthy candidate for the Cybercanon Hall of Fame.

About the Book

The book has four parts – general issues, human issues, contextual issues, and data issues. Even a reader who does nothing else but read the chapter sub-headings (each one a myth) gets an industry guide for practitioners and laypeople alike.

In the “General Issues” section, the authors cover “what is cybersecurity?” and “what is the internet?”. Along the way, they explore myths such as “everyone knows what ‘cybersecurity’ means” and “we can measure how secure our systems are.” As a security professional, I laughed out loud at some of the headings and was impressed with the research that explained why these myths exist in the first place. This section focuses on the industry-wide myths that we all deal with.

Part 2, the “Human Issues” section, covers faulty assumptions and magical thinking, fallacies and misunderstandings, cognitive biases, perverse incentives, and problems and solutions. They tackle such myths as “best practices are always best” and “the goal of a security vendor is to keep you secure,” among many others. This section gets at the heart of why cybersecurity is not a technology problem but a human one, and provides important insights and resources for security professionals to consider.

In part 3, the authors cover “contextual issues” such as analogies, legal issues, tool myths, vulnerabilities, malware, digital forensics, and incident response. This section reveals myths such as “the law is on my side, so I do not need to worry” and “signed software is always trustworthy.” Although this is possibly the book’s most technical section, the authors still leave most of the technical details to other resources and focus instead on how to think about these issues through a reasonable and scientific lens.

Lastly, part 4 covers data issues: statistics and visualization. Myths include “probability is certainty,” “correlation implies causation,” and my current favorite, “artificial intelligence and machine learning can solve all security problems.” As in the other sections, the authors provide wonderful examples to illustrate their points and further reading to go deeper.

Finally, the authors wrap up their book with a section on hope. Their main point? “Everything discussed in this book can be avoided or mitigated through careful education, deliberation, and reasonable procedures.” They stress being humble, recognizing that we’re all human and error-prone, and extending patience and grace to others. They also note that documentation is critical to mitigating some of the myths (though it will not avoid all pitfalls).

They identify these meta-myths:

  • Cybersecurity is easy
  • Cybersecurity is an end state
  • Cybersecurity is doomed
  • I can tell what to trust online

So, they recommend:

  • Do not overgeneralize
  • Prioritize people first
  • Slow down
  • Keep Learning

“Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us” by Eugene H. Spafford, Leigh Metcalf, and Josiah Dykstra is a tour de force of cybersecurity history, wisdom, and advice. A worthy candidate for the Cybercanon Hall of Fame, it provides a security professional with actionable resources to manage any career stage and any security dilemma. It also offers non-security people a way of understanding cybersecurity and how it impacts all our lives.