Mention “Virus Bulletin” to someone who doesn’t happen to be in the information security business, like the Lyft driver who took me to the airport a few days ago, and you realize it can sound like an odd name for an information security conference. However, if you’ve been going to Virus Bulletin for a while - my first time speaking at “VB” was in 1994 - it sounds entirely normal. You know that the name comes from a printed bulletin about developments in the world of computer viruses that first appeared in 1989, mailed by post from Oxfordshire in England. You also know that Virus Bulletin is an excellent conference, one in which serious research is front and center, surrounded by ample opportunities to network with fellow combatants in the fight against malicious code and other cyber-badness.

Virus Bulletin 2015, taking place this week in Prague, is shaping up to be the largest VB yet, and if you’re a regular reader of We Live Security you already know that quite a few folks from ESET are on the conference agenda (thanks to the gracious efforts of my British colleague, David Harley, particularly gracious since he is not actually going to VB this year, taking a break after presenting more than a dozen VB papers since 1997).

Security people problems

I wanted to take a moment to highlight a couple of items at this year’s VB that I think are particularly interesting, starting with the information security skills gap, several aspects of which will be discussed at the VB session which my colleague Lysa Myers and I are hosting on Wednesday. The lack of people with the skills needed to secure today's increasingly complex and increasingly targeted information systems has been covered before on We Live Security. It intersects with another topic dear to our hearts: diversity in the technology workplace and the opportunities for women in information security roles.

Basically, organizations both public and private can't find enough people to fill important infosec positions. That is not good for those organizations or society at large. When you get a notice saying your personal information may have been exposed due to a security breach, bear in mind that this could be due to the custodian of that information being under-staffed in the security department, and not necessarily because they weren't willing to pay good money to hire the right people.

You will notice that I'm using infosec for information security. This is not just to save on keystrokes but also to parallel usage in the latest workforce report from (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide (nearly 110,000 members in 160+ countries). The report, titled Women in Security: Wisely Positioned for the Future of InfoSec, puts a brave face on a depressing statistic: women make up a smaller percentage of the infosec workforce today than they did two years ago (10% today versus 11% in 2013).

On the plus side, there are more women in infosec now because the profession is growing, and the wisdom referenced in the report's title alludes to the fact that women are making their largest impact in governance, risk and compliance (GRC). The role of GRC is an important and growing one in the information assurance and cybersecurity ecosystem. The report indicates that one out of five women identified GRC as their primary functional responsibility, whereas for men it was one out of eight. Hopefully, this means more women will be in a position to rein in the organizational cyber-risk taking that too often contributes to breaches. I will have a few more words on why that might happen in a moment. You can download the survey report here: Women in Security (PDF).

Surveys and suggestions

Surveys and numbers related to security are something I’ve been studying lately (as in going to school to study, at the University of Leicester in England, virtually speaking). I wrote a paper for this year's VB proceedings titled “Sizing cybercrime” and will be presenting on that topic. Something I learned while poring over piles of cybercrime statistics is that you should not take them at face value. Very few survey results are presented with an appropriate level of transparency. For example, in your efforts to decide where to prioritize your organization's security spending you might read a report that seems to offer a representative sample of security incident data from 500 companies. But in reality the data could come from far fewer than 500 firms and be supplied by people with an agenda, reported by an entity with an axe to grind or a product to sell. As for what constitutes a "security incident", who knows? Many surveys that report numbers for these are very vague about what exactly they are counting.

For a taste of what is wrong with the current state of measuring cybercrime consider this: governments are not making the same effort to report cybercrime as they do 'traditional' crime. Want stats on car thefts and bank robberies? Sure, the government has been keeping fairly consistent longitudinal data sets documenting those crimes. Want to know how much cybercrime companies in America have to deal with and what it costs them? Sorry, you'll have to ask a company that sells security services. Unless you are okay with data from 10 years ago, which is when the U.S. federal government made its one and only attempt to measure those things (in response to my inquiries, I was told it has no plans to try that again).

A lack of crime data is not just annoying to academic criminologists. Consider the two main inputs you need for risk management, bearing in mind that for many organizations risk management of information systems is required by law or regulation. You need to input the likelihood or probability of an adverse event and the impact of the event, in other words, frequency and cost. Good luck trying to get an objective read on either from the current crop of cybercrime statistics.

So instead of quantitative inputs you have to use qualitative measures, which are subjective and thus open to cultural bias. And that brings me to a couple of papers that are not being presented at VB but you may still find stimulating:

Reading these will acquaint you with the cultural theory of risk perception and a fascinating discovery which that theory facilitated. It turns out that one group of people consistently ranks risks lower than the rest of the population, namely: white males. The so-called “White Male Effect” has been discerned in numerous studies where people rate the “riskiness” of different activities and technologies. In other words, white males are less likely to say: don't do that, it's too risky. This effect was found to persist even when all of the participants were well-educated scientists. And of course, we all know that in the U.S. and many European countries white males are massively over-represented in management roles; for example, 73.7% of CEOs and 70.5% of general and operational managers in the U.S. are male, and only 12.4% of CEOs are non-white (see 2014 BLS stats)*.

However, it is also true that in countries like the U.S. most of the information security professionals – the people whose warnings about cyber risks presumably went unheeded by management – are white males (90% according to the report cited earlier). A possible explanation is offered by further cultural theory research which indicates that a particular subset of white males – about 30% – consistently judge risks to be extremely low, skewing the overall male riskiness score. Could those be the guys running the companies that are not taking cyber risks seriously enough? And will the influx of women into GRC change the outcome of risk management meetings? Please stay tuned!

(Correction 9/30/15: when this article was first published yesterday it stated these figures incorrectly as 98% / 97% / 2.5% and we apologize for the error. While the correct numbers are 'better' they still show a gross under-representation of women, who make up 46.9% of the U.S. workforce.)