Where do they get these numbers?

From the Journalistic Approach to Statistics Department …
The source of this warmongering is
http://www.darkreading.com/security/intrusion-prevention/showArticle.jhtml?articleID=219401410

and Kelly Jackson Higgins uses the dramatic title

“Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh”

Right.

Well, he claims a survey of “hackers” (whatever that means) at DefCon17 carried out by Tufin Technologies leads him to believe that only one fourth of all hackers are malicious. This is according to 70% of the unknown number of respondents, who in turn make up an unknown proportion of the groups of people who may be called, by themselves or others, “hackers”.

In case you’re worried about taking that last-minute summer vacation and
leaving your IT staff a little short, relax (for now, anyway): Most
hackers are taking a break now, as well, as they gear up for a busy
winter season, according to a survey of hackers attending Defcon17 in
Las Vegas this month.

Malicious hackers make up less than one-fourth of the overall hacker
community, according to 70 percent of the respondents, who were surveyed
by Tufin Technologies at the world’s largest hacker conference.

Nor are we given a definition of what “malicious” means. Does this have to be the unremitting evil of a fictional character like the leaders of SMERSH in the James Bond stories or the Evil Witch in “The Wizard of Oz”? How about a historically evil character like Genghis Khan, Nero, or dare I say it, Stalin, Hitler or Saddam Hussein?

But “malicious”? Could that mean purposeful vengeance for some real or imagined (think: Fat Freddy and his cat); getting back at “The Man”, Big Government, or Big Business for some ill-defined political or conspiracy-theory-driven reason? Or perhaps “collateral damage” arising from lack of care, lack of professionalism or simple incompetence
(http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/#).

I’m getting sick of marketeers making use of journalists like this, for that’s the real reason for this. Read the rest of the article and you’ll see it’s about Michael Hamelin, chief security architect at Tufin, advocating what we all know: that compliance doesn’t mean security. If that’s your message, then say that; don’t dress it up in nonsense that makes use of meaningless statistics.
