So many breaches! Such dramatic graphs! So much malware! Such huge numbers! Do cybersecurity ‘Number Games’ force us to confront the scale of contemporary cybercriminality, or merely lure us into shrugging off our own cybercrime experiences as inconsequential and unimportant?
No one quite knows where the famous saying ‘A picture is worth 1000 words’ comes from, or who first worked out that the multiplier was exactly 1000, and not, say, 874, or 1024. Indeed, many different languages share this equation, as if it were a universal standard capable of independent measurement anywhere in the world, like the speed of light in a vacuum, or the probability of guessing the winning numbers in a lottery with, say, 6 balls picked out of 59.
(In case you’re wondering: exactly 299,792,458 metres per second, as a matter of definition; and exactly 1 in 45,057,474, which we’ll explain on request if you write to amos@solcyber.com.)
Whether we like it or not, our lives are full of important-sounding numbers like this. Some of them are hard and immutable facts that underpin our scientific and engineering endeavours, and we tamper with them at our peril; others are imperfect or incomplete measurements that are open to misinterpretation and misrepresentation, and we accept them at our own risk. As you can imagine, it’s vital that we learn to tell the difference, and to calculate accordingly.
For example, on a truly flat surface, any square that’s 10 miles along each side, as Washington DC was originally supposed to be (let’s treat any DC-sized part of the whole earth as if it were a flat sheet of graph paper), will be 40 miles to walk around. And if you draw a circle that exactly fits into a hypothetical District of Columbia and walk it, you’ll cover 31.416 miles.
(Amusingly, perhaps, the mile is defined in terms of the inch; the inch is defined in terms of the metre; and the metre is defined, in a circular-sounding way, as the distance you come up with if you say that the speed of light is 299,792,458 metres per second, as we did above.)
Importantly, those equations for the square and circular versions of the US Federal District hold for all squares and circles, because unit squares are always 4 units in perimeter, and unit circles are always 3.1416 units in circumference. More precisely, the multiplier for the circumference of a circle is a number known as pi, or π, that can’t be written exactly as a fraction, although 22/7 = 3.142 and 355/113 = 3.141593 are usefully close for approximate calculations.
Unfortunately, because we’re taught about the importance of definitions of this sort at school, and have equations such as C=2πr and A=πr² drummed into us from an early age, it’s easy to infer numerical precision and correctness where it doesn’t exist.
For example, is a gasoline-powered car that can do 45 miles per gallon (mpg) better than one that uses 6 litres per 100 kilometres (l/100km)?
That question is trickier than it sounds. Just to handle the arithmetic side of it, we need to be careful not to be deceived by the fact that higher mpg readings come out as lower l/100km values, because their units are fractions that are upside-down versions of each other, with one dividing distance by volume, and the other dividing volume by distance.
We also need to remember that although the world now shares a common definition for the mile, there are still two distinct types of gallon, because the British sneakily increased the size of theirs in the early 19th century, essentially for marketing purposes, by bringing the UK pint into a more competitive comparison with the half-litre, a widely used measure in Europe at the time.
Even more importantly, we have to remember that a fuel consumption measurement such as miles per gallon isn’t universally applicable or uniquely defined like the speed of light, because there are so many factors involved, and so many exploitable differences between an artificial test and our own real-life experience. The idealised Washington DC that was supposed to have a 40-mile perimeter experienced similar uncertainty, because political wrangling got in the way of geographic simplicity.
Simply put, a complex matter, such as how well one particular sort of car might fit into your life, can’t usefully be compressed into a single numeric reading, no matter how much of a popular touchstone that reading has become as a way of simplifying comparisons.
Unsurprisingly, we have a similar problem with Number Games in cybersecurity, and we have done for decades.
In the 1990s, for example, the more vociferous cybersecurity companies claimed supremacy based on how many viruses they reported in the ‘About’ screens of their products, even though this was a useless metric because everyone counted differently. Indeed, measuring by numbers alone meant that a product that could reliably mop up new malware proactively, without collecting samples or counting them at all, would appear worse than a product that had a high virus count because its vendor was always falling behind and then scrambling to catch up.
We see a similar level of drama in cybersecurity reports today, for example in data breaches, with the ‘number of breached records so far’ often trumpeted as a metric for how we should measure our own risk. You probably saw recent headlines about the ‘biggest breach ever’, with some 26 billion records apparently exposed, and wondered what this number really said about how a data breach might affect your business.
The problem, of course, is that counting breached records in this way quickly turns into what computer scientists call an order N-squared problem, which is what happens when an algorithm doesn’t take twice as long when confronted with twice the data, but four times as long, and nine times as long when there is thrice the data, and so on.
Instead of counting 1 new record breached + 1 new record + 1 new + 1 new = 4 new records, you include the old ones over and over, giving you 1 + (1+1) + (1+1+1) + (1+1+1+1) = 10, and the numbers diverge ever more dramatically from there. Likewise, every dud or dead record in the ever-growing cumulative breach bucket gets counted over and over again too, inflating the count a second time.
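The double-counting described in the two paragraphs above, as an added example that is not the article’s own code: a small Python simulation, on constructed breach reports, of the headline ‘records so far’ figure beside the deduplicated count a defender actually needs. The triangular closed form 1 + 2 + … + n = n(n+1)/2 is the N-squared growth the text refers to; all breach names and record identifiers are made up.

```python
"""Added example, not from the original article: how a running 'records
breached so far' headline figure diverges from the number of distinct records
actually exposed once each new report re-counts the old ones.  Every breach
name and record identifier below is constructed sample data."""

from dataclasses import dataclass

@dataclass(frozen=True)
class BreachReport:
    name: str                 # constructed label for one disclosed dump
    records: frozenset[str]   # identifiers of the records it contains

def headline_total(reports):
    """The Number Games count: every report adds the size of the whole
    cumulative bucket, so a record first seen in report 1 is counted again
    in reports 2, 3, ... giving 1 + (1+1) + (1+1+1) + ... for new-only dumps."""
    bucket = []      # a list on purpose: nothing is ever deduplicated
    total = 0
    for report in reports:
        bucket.extend(report.records)
        total += len(bucket)
    return total

def distinct_total(reports):
    """What matters for risk: how many distinct records were ever exposed,
    however often a dump is copied, re-released or re-reported."""
    exposed = set()
    for report in reports:
        exposed |= report.records
    return len(exposed)

def headline_total_closed_form(n_reports, new_per_report):
    """n reports of k genuinely new records each give k * n(n+1)/2:
    the triangular numbers, growing with the square of n."""
    return new_per_report * n_reports * (n_reports + 1) // 2

# Constructed sample: four dumps exposing one new record each, then a
# 'compilation' dump that merely re-publishes everything already leaked.
SAMPLE_REPORTS = [
    BreachReport("shop-a", frozenset({"user1@example.com"})),
    BreachReport("shop-b", frozenset({"user2@example.com"})),
    BreachReport("forum-c", frozenset({"user3@example.com"})),
    BreachReport("club-d", frozenset({"user4@example.com"})),
    BreachReport("compilation-e", frozenset({"user1@example.com",
        "user2@example.com", "user3@example.com", "user4@example.com"})),
]
```

The first four reports alone reproduce the article’s 1 + 2 + 3 + 4 = 10 against 4 real records; adding the compilation dump pushes the headline figure to 18 while the distinct count stays at 4.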
One school of thought says that this sort of “higher is bigger and bigger is better” attitude forces us to confront the scale of contemporary cybercriminality, and therefore that these Number Games are worth playing. But I find this approach hard to convert into anything more actionable than simply, “Don’t get breached,” which most of us aren’t setting out to do anyway.
I also dislike the thought that by seeking hype and drama in our cybersecurity numbers, we risk making individual cyberintrusions sound inconsequential or unimportant, as though leaking customer secrets or exposing the digital identities of your staff can be shrugged off as long as it’s not every client or all your employees.
Cybersecurity is about much more than headline news and scary-sounding numbers, for all that both of those things are part of the historical record.
When you’re searching for a cybersecurity solution, especially for a security service provider whose job is to help you to evaluate, confront and manage your own risk, don’t give up because the Number Games make cybersecurity sound impossible, and never assume, because the numbers sound so big, that you must be too small to be on the cybercriminals’ radar.
Look for a cybersecurity partner who still has that human touch, and who will work with you, not merely for you, and who will help you keep your eyes firmly on the cybersecurity issues that are most important to your business, not merely wave the most dramatic cybersecurity stories in front of you.
Just like Washington DC, few businesses are perfect squares, no matter how straightforward and rectilinear they seemed when they started out…
PS. If there are any knotty topics you’re keen to see us cover, from malware analysis and exploit explanation all the way to cryptographic correctness and secure coding, please let us know. DM us on social media, or email the writing team directly at amos@solcyber.com.
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!