Even a casual observer of computer security must notice the prevalence of FUD: non-falsifiable claims that promote fear, uncertainty or doubt (FUD). We are bombarded with warnings of digital Pearl Harbors, the unstoppability of online hackers, and accounts of a cyber-crime problem that is said to rival the drug trade.
FUD sometimes masquerades as useful information though it is often “not even wrong,” in the sense of making no clear claim that can be checked: exact figures for undefined quantities, dollar estimates based on absurd methodology, and astonishing facts that are traceable to no accountable source. FUD provides a steady stream of factoids (e.g., raw number of malware samples, activity on underground markets, or the number of users who will hand over their password for a bar of chocolate) the effect of which is to persuade us that things are bad and constantly getting worse. While the exaggeration of threats hardly began with computer security, the field has certainly made FUD its own.
It may seem innocent enough to exaggerate in the service of getting people to take security more seriously; but we believe that reliance on factoids leads government and industry to spend wastefully and researchers to focus on the wrong questions. The scale of the FUD problem is enormous, and we argue that it prevents the establishment of security as a more scientific research discipline