Beyond the Hype: Questioning FUD in Cybersecurity Marketing

Could cybersecurity professionals benefit from FUD awareness training in the same way that users benefit from phishing awareness training?

FUD in Cybersecurity

FUD (the acronym for Fear, Uncertainty, and Doubt) is a marketing methodology sometimes attributed to IBM’s sales tactics in the 1970s: IBM is safe, anything else is not. Note that fear, uncertainty, and doubt are terms straight from the phisher’s handbook of emotional triggers — suggesting a dubious and often ignored connection between FUD marketing and cybersecurity’s bête noire, social engineering. It is important to understand FUD to ensure we are not engineered.

FUD marketing usually focuses on a very large numerical figure. That figure is not FUD — it is just a number. It is the use (or abuse) of that number by marketers that may or may not be FUD. It is only FUD if the number is dubious or incorrect — if it is correct, marketers’ use of the number is just good marketing. The implication here is that buyers must pay close attention to the derivation of large numbers received from marketers to avoid being the victim of social engineering.

We’re going to look at the source and use of one particular large number (that cybercrime costs the global economy an annual $8 trillion and rising) to illustrate the difficulty of attributing and calling FUD, and will then examine the general perception of FUD in cybersecurity. (It is worth noting that this general perception of FUD does not distinguish between exaggerated large numbers – better described as FUD fodder – and FUD marketing itself.)

Cybercrime costs the global economy $8 trillion?

In July 2023, Cybercrime Magazine (part of Cybersecurity Ventures) published the claim that cybercrime is predicted to inflict damages totaling $8 trillion USD globally in 2023, growing to $10.5 trillion by 2025. Since then, this figure has reverberated across the internet repeated by other publications and marketers. It was repeated on LinkedIn by Steve Morgan, founder of Cybersecurity Ventures and Editor-in-Chief of Cybercrime Magazine: “Damages are expected to cost $8 trillion this year, according to Cybersecurity Ventures.” Geoff Belknap, CISO at LinkedIn, responded, “I am once again begging people to ask harder questions about facts and figures and where they come from. $8 Trillion USD in damages would make ‘CyberCrime’ the 3rd or 4th largest economy in the world by GDP and the second or third largest industry, ahead of oil and gas, by revenue.”

This is the crux of the matter: knowledge should precede belief. The problem in this example is that details are only loosely specified: “Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm,” writes Cybercrime Magazine.

On their own, these details are not enough to validate the result: how do you quantify the cost of IP theft; how do you quantify the cost of reputational harm? Remember that this needs to be across all affected companies, in all verticals, of all countries across the globe. We cannot say the result is wrong, but we absolutely need to understand how it is reached.

We asked Steve Morgan: “Are you able to give me some details on how this figure was determined?”

The TLDR to his response is that he provided no additional explanation on determining the $8 trillion figure. He did suggest, however, that the bigger criticism he gets is this figure is too low, “to the point of a few journos telling us about the Computer Crime Research Center’s figure of $12.5 trillion by 2025, and [sic] Statistica who is probably the best known, and puts their figure around $14 trillion although that is by 2028.”


We checked both. The Computer Crime Research Center’s figure provides even less justification for its conclusions, focusing mostly on third-party reported threats rather than actual costs incurred. Statista does not explain how it reached its figures, instead referring to the same definition of cybercrime costs from Cybersecurity Ventures we mention above.


In short, it is impossible to personally confirm or disprove the $8 trillion figure — so we’re reliant on opinions. We asked around.

Ben Rothke is an information security manager based in New York City. He told SecurityWeek, “Regarding Cybersecurity Ventures, they don’t seem to have economic and financial analysis expertise. Looking at their core staff [from their website], they don’t have anyone with any significant economic, accounting, or actuarial knowledge to work on creating effective and independently verifiable financial figures.” He added, “As to the figure that cybercrime costs $8 trillion annually, no independent or evidence-based data supports that.”

One concern is that the global economy couldn’t sustain such a loss. “According to the World Bank, the world GDP in 2022 was $101 trillion,” he continued. “That would mean that cybercrime at $8 trillion would be 8% of the world GDP, which is a staggering figure that would wreak economic havoc.” He suspects that, like reports of Mark Twain’s death, this figure is ‘greatly exaggerated’.

Shuman Ghosemajumder, founder and CEO at stealth firm Reken, but formerly global head of product, trust & safety at Google, said, “I think $8 trillion in direct hard dollar losses per annum today does not seem likely. That’s about the size of the entire GDP of Germany and Japan combined. $8 trillion is, by some estimates, around the entire size of the worldwide IT industry. So, the global contribution of all technology combined being effectively wiped out by cybercrime doesn’t seem likely.”

But he comes back to our basic sticking point — we don’t know how the figure has been calculated. “If it factors in a number of indirect losses (e.g., productivity, long-term effects, mental health, health care issues, loss of competitiveness) then you get closer. I’m not sure they do that though.”

Martin Zinaich, CISO at the City of Tampa, summarizes the basic problem: we can neither prove nor disprove the figure. “I’m unsure of how to reach that number or validate it. Yet if we were to include not just the direct dollar spend for solutions (IPS, EDR, MDR, SIEM, firewalls, SOAR, et al.) and add the soft dollar costs of time taken to train employees, red/blue team exercises, pen-tests, PCI efforts, insurance, event recovery, secure coding and code reviews, SOC teams, patch deployments, security conferences, training and certification and more… at a global scale, that number might not be as far-fetched as it sounds.”

Helen Patton, Cisco’s cybersecurity executive advisor, questions the purpose of the figure. “I don’t know what to do with this information, even if it’s accurate. The press release says the number includes everything up to and including ‘reputational damage’, which are very wobbly numbers at best – so this is a high water mark. It’s meaningless to an individual organization – there is no business case for security that would use this number. So, I suspect the audience for this is policy makers in government and think tanks. These groups are already well aware of the societal damage of cybercrime and cyber espionage – so the number doesn’t move the needle for that group either. With all this, yes, it’s FUD – because all it does is add to the stressful atmosphere.”

Here’s the problem: we can have opinions, but we can neither verify nor reject the $8 trillion figure, nor even understand whether it is relevant. We can, however, say it is not FUD — it’s just a number. But without knowing how it is compiled, we can also say that the use of that number by marketers is clearly FUD marketing. $8 trillion is not FUD, but it is FUD fodder. Large numbers delivered without any verification should always be questioned.

The question then becomes, how widespread is FUD marketing within cybersecurity?

Does FUD exist in cybersecurity, or is FUD itself FUD?

“Fear, uncertainty and doubt – FUD – does exist in cybersecurity,” says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. It is the practice of spreading information or making claims that are intended to instill fear, uncertainty, and doubt to influence opinions. “For example,” he adds, “security companies can indeed exaggerate the severity of a particular threat in order to convince potential customers to purchase their security solutions.”

FUD is a fact of sales and marketing life for a subset of vendors in the cybersecurity field, suggests Mika Aalto, co-founder and CEO at Hoxhunt. “For example, if a breach has happened due to a misconfiguration, a vendor will use that breach in their marketing outreach immediately to scare a potential buyer into purchasing their services – or else,” he says; adding, “In my opinion, this is lazy marketing and sales activity.”

It would be wrong, however, to lay all the blame on security vendors. Curran adds news outlets (to increase readership), government (to justify unpopular legislation), hackers (for personal kudos) and security experts (to self-justify) to the basic list of FUD perpetrators. The media is far from exempt. “Sensationalized reporting on cybersecurity incidents or vulnerabilities by some media and news outlets can contribute to FUD as they may sometimes focus on worst-case scenarios rather than mitigation strategies.”

Is FUD always a bad thing?

“It is very difficult to ascertain where FUD starts and ends as real-world threats do indeed exist,” continues Curran. The problem is the underlying message is true: cybercrime is increasing, existing security controls are either unused or simply failing to stem the tide, and objective, scientifically proven global figures are almost certainly impossible.

“There is little doubt that cyberattacks are on the rise,” adds Venky Raju, field CTO at ColorTokens. “New evidence comes to light daily, whether consumers fall to phishing scams, enterprises are breached and doxxed, or government agencies are hit with ransomware. Many security professionals, and I, believe the numbers are larger and often go unreported… In conclusion, the FUD that exists is justified.”

The basic argument is that government regulation, current security postures, and the recommendation to implement basic security hygiene have all failed to halt the growth of cybercrime. In these circumstances, instilling the fear element of FUD is a valid approach to fighting crime. Fear is, after all, a standard tool of government: for example, fear of non-compliance sanctions, monetary awards to whistleblowers, potential personal litigation against CISOs (as with SolarWinds), and the fear of child pornographers, terrorists, and money launderers invoked to justify the elimination of end-to-end encrypted (E2EE) services.

Under these circumstances, the addition of FUD to improve the cybersecurity ecosphere could be seen as a potentially beneficial route of last resort.

There are, of course, two sides to any coin. “Numbers like ‘8 trillion dollars’ are going to ricochet around the internet because of how massive they appear,” comments Piyush Pandey, CEO at Pathlock.

“If figures like this help to shine a light on a topic that bears further scrutiny, then great,” he adds. “However, if figures like these distract from day to day risk management operations, then that becomes an issue.”

Explaining the continuing success of FUD

If something doesn’t work, people stop doing it. FUD in cybersecurity continues – it works. The question here is, ‘Why is FUD a successful cybersecurity marketing technique?’


Igor Volovich, VP of compliance strategy at Qmulos, thinks the technological background of cybersecurity operatives is important. “Uncertainty is the primary attribute of cybersecurity. Technologists abhor uncertainty. Thus, fear occupies their minds,” he suggests. “Into that opening enter the unscrupulous vendors and those who fund them, seeking to exploit the fear by offering a panacea.”

They do this repeatedly, at great profit, he continues, while doing little to stem the tide of cyberattacks crippling our digital economy. “The cycle repeats itself ad infinitum, with little capacity on the buy side and little interest on the sell side in making changes. Until CISOs evolve from technology buyers into risk strategists, our current trajectory will remain unaltered and unalterable.”

The problem, he believes, is that existing cybersecurity leaders are still fundamentally technologists in a world that requires generalists. “The cybersecurity industry – and cybersecurity leadership echelons – remain mostly occupied by technologists, not generalists. When this type of personality gets presented with macro-level uncertainty, it has a hard time processing and adjusting. Fuzzy thinking, unbounded creativity, and comfort with ambiguity are almost antithetical to their way of thinking.”

A CISO is now expected to be more than a technologist. “People mostly get to those spots by being really good at managing technology, but when they get there we ask them to start thinking about risk in the context of their business, to drive cross-org synergies, to marshal resources across the enterprise and beyond, and to engage many other ‘soft skills’ actions they never had a chance to develop – while the world around them constantly shifts.”

Neither the security industry nor government regulations help the CISO make the necessary evolution from technologist to business technology generalist. “We continue to rely on outdated models of capturing our risk posture through manual data collection and basic survey methods poorly disguised behind the Potemkin village facade of fancy UI and so-called ‘automation’ – which accomplishes little in the way of tangible value.”

Nor do regulations help. “Compliance is cracked in too many places to count and demands an overhaul if we’re to truly hope to mount something resembling a meaningful opposition to the ever-growing cyber threat instead of continuing to tilt at windmills.”

It is this background – requiring a CISO to operate outside of his or her natural comfort zone, to rely on security controls that look good, promise more, but deliver less, while navigating a swamp of confusing and sometimes contradictory compliance regulations – that allows the FUD merchant to prosper.

“The sooner we realize that our entire model of cyber risk management is divorced from reality, that we have accepted the notion that opinions about the state of our systems, networks, and data are tantamount to facts – if only stacked high enough, or so it seems the logic goes – the sooner we can start to ask the real questions: How do we know what we know about our security posture? How do we know and credibly defend the risk mitigation value of every dollar of cyber technology spend? How do we gauge the security performance of an organization other than counting how many breaches have made the news?”

We need to match FUD marketing with genuine known facts.

Fighting FUD

The radical overhaul of how to approach cybersecurity proposed by Volovich would do much to harden the industry against the FUD merchants. If it ever happens, it will happen slowly. Meanwhile, CISOs are left fighting FUD in the trenches right now with little external support.

“What the informed buyer needs,” says Gareth Lindahl-Wise, CISO at Ontinue, “is to be able to recognize and separate the ‘lies, damn lies, and statistics’. The less scrupulous FUD merchants will continually be looking for ways of ‘market making’ by promoting (and self-promoting) particular aspects of the cybersecurity world – be those products, services or sometimes column inches.”

The principle is simple and well-known: if something appears to be too good (or big, or bad) to be true, it is almost certainly false. “Always, and I mean always, look at the references for bold claims on statistics. Be wary of claims by lesser-known organizations that don’t cite references to data. Social media algorithms can easily lead to a bubble effect where the same poor source of information is reposted again and again giving an undeserved sense of credibility.”

Aalto points to the tactical similarity with social engineering. “They play on similar emotions surrounding fear, uncertainty, urgency, and consequences if a desired action is not taken. Just as cybersecurity-savvy people learn to think before they click on a suspiciously fear-intensive message, cybersecurity professionals would be well advised to carefully consider their options when confronted with heavy FUD from an aggressive vendor.”

CISOs would benefit from FUD awareness training in the same way that users benefit from phishing awareness training.

Curran couches his warnings and advice about FUD in more temperate terms, while still delivering the same conclusion. “While many reputable cybersecurity vendors provide valuable products and services, it is important to remember that they are still businesses with their own interests, including making sales and generating revenue. It is best practice to seek independent sources to verify the claims made by vendors,” he said.

This verification could come from industry experts, reading reviews, and checking for third-party certifications or evaluations. But always, he adds, “We should be cautious of sensationalized or alarmist language.”

Fighting FUD is a bit like zero trust: verify before you believe anyone or anything.

Related: Fighting Cyber Security FUD and Hype

Related: Sophos Study Leads to FUD-based Headlines

Related: Can You Trust Security Vendor Surveys?

Related: Are Cybersecurity Vendors Pushing Snake Oil?

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
