Finding The Hidden InfoSec Story

The Placebo Effect in Information Security


A placebo is an ineffectual treatment for a medical condition that seems to be a real medical treatment. It could be a pill or some other type of treatment that in reality is fake. What all placebos have in common is that there is no active substance in them meant to affect and/or improve the medical condition.

Consider an example where a new medication used for treating migraines is tested on 10 people. In this study, 5 people are given a real pill (the actual treatment) and the remaining 5 are given a placebo (the fake treatment), an inactive substance like sugar and distilled water. All 10 people believe they were given the real treatment. Upon the completion of the study researchers then compare the effectiveness of the real medication and the placebo.

In some cases, patients that are given a placebo will have a response to it like a perceived or an actual improvement in their medical condition. This occurs because the person has the expectation that it will be helpful for their condition. This response or phenomenon is known as the “placebo effect”.

So, what can we, as security professionals, learn from the placebo effect? Typically organizations implement defense-in-depth – also known as a layered security approach – to improve their security posture. To achieve multiple lines of defense, solutions such as an IPS, IDS, and DLP are purchased and implemented within an enterprise. Many organizations believe that they are secure because they have implemented these security tools, which they believe are designed to detect and prevent cyber-attacks. The reality is that these tools only enable your security capabilities; alone, they do not make your organization secure. This is where many organizations experience the placebo effect: they have the expectation that the tools will make their organization secure and (for lack of a better term) “unbreachable”.

Each week brings news of some new data breach and cyber-attack. The recent, high-profile data breaches prove that even the biggest corporations are not immune to cyber-attacks. Most of these organizations were compliant with multiple regulatory standards, but were still breached. Many organizations falsely believe that they are secure because they are in compliance with certain standards and/or regulations. This is another example where organizations experience the placebo effect: their expectation and misunderstanding that compliance is equal to security. The reality is that your organization can be compliant with multiple regulatory standards, but still be very insecure.

In today’s digital age we cannot afford to experience the placebo effect in information security. Hackers can make as many mistakes as they want, but security professionals do not have that luxury. One mistake could lead to a data compromise. Security tools must be monitored and properly tuned on a regular basis. Security processes must be developed, followed and ongoing. In many data breaches, the processes within a security programme have failed to properly recognize an attack. The information security programme is a living thing – it is never done. The focus of your efforts must be on security and not compliance, but security efforts can always be mapped to meet certain compliance and regulatory standards.

Your overall information security programme puzzle must be assembled the proper way in order to be efficient and proactive. Just as a jigsaw puzzle does not have a recognizable picture until you put all the pieces together, the information security programme is not complete and effective until you have all the security pieces in place – security education & awareness, incident response, vulnerability management, policies, standards, and processes. After all, you can have all the jigsaw puzzle pieces in front of you, but still not see the picture. Look at your information security programme from the same perspective. You can have all the security tools implemented, but still have an unrecognizable information security programme that is susceptible to the placebo effect.


This analogy is also available in Serbian, Croatian, and Serbian Cyrillic:


Author: Zoran Lalic
