Putting Breach Awareness into a Historical Context
Currently, not a day goes by without a major breach being reported by news outlets. But while many people expect this sort of reporting to increase greatly in the future, in this briefing we are going to argue the opposite.
When the first cars became available to private citizens, every crash was local news. A car crashing into a tree triggers questions on whether cars are too fast. A car crashing into a horse carriage triggers questions on rights of way. A car fatally hitting a pedestrian triggers questions about the safety of heavy vehicles.
But how many car crashes - even deadly ones - have you heard about recently? There will be some, certainly. Most of them involve famous people, extremely severe injuries, new technology such as self-driving systems or a general issue such as a flawed brake design. In short, the news report isn’t about the car crash, it is about its secondary characteristics.
A regular “person loses control over their car and crashes into a tree, injuring one” story has virtually no chance of making the news for two reasons.
(1) It is just much too common of an occurrence to report. With thousands of daily crashes, a single crash is not relevant.
(2) The story doesn’t create an argument. Regular car safety rules have largely been agreed upon, so a single crash is not relevant.
The same thing is happening to infosec breaches.
From non-issue to oversaturation
As little as 10 years ago, infosec breaches were considered non-issues. Most countries had no mandatory reporting guidelines so a majority of incidents were simply swept under the rug.
Even in cases where breaches did end up in the news, the general consensus was usually a variation of “it’s only bits and bytes”.
However, as bits and bytes became more and more central to people’s lives, attitudes shifted. With shifted attitudes came mandatory reporting guidelines, which for the first time made the catastrophic state of cybersecurity obvious to regular people. A panic ensued which is still ongoing. Since most people rely heavily on information systems in their daily lives but may not necessarily understand the technology at all, any news or editorial will often fall on fertile ground. In a way, reports on cybersecurity breaches are read for the same reason that reports on nuclear accidents or the spread of Ebola are: They cover hard-to-conceptualize, yet extremely scary threats.
But as with all things, attention ebbs with time. People gain a better understanding of the technology which removes some of the mysticism around it. At the same time, the novelty goes away. You probably remember the first time that you realized you were affected by a breach and had to change your passwords. But at some point it just becomes business as usual. (Or, ideally, you start using password managers.)
Similar things can be said about reports on election interference or state actors probing the utility grid. No matter how serious a topic, humans lose interest in the repetitious cycle of similar events.
It is human nature to be fascinated with things that are new, relevant, obscure and scary. It is also human nature to quickly lose interest in anything that keeps repeating. While it may seem that reporting on cybersecurity breaches will sharply increase in the future, we believe that the amount of reporting is close to or at its peak and will taper off over the coming years as news outlets stop reporting on breaches without secondary stories attached to them.