“H1N1 was totally overblown. Nothing really terrible happened. No one suffered a pandemic and the resulting deaths were less in number than the deaths from the regular flu.” That’s a paraphrase of what some colleagues said to me. This sentiment is now echoed in the mainstream press as the WHO reacts to criticism that the pandemic hype was generated by the drug companies to sell flu shots. In short, it wasn’t a real pandemic because nothing happened. It’s the same logic behind many criticisms of information security. It’s also based on a semantic fallacy rather than on a mistake in the underlying logic.
Logically, the argument runs like this:
If “x conditions exist” then something really bad should happen
Nothing really bad happened
Therefore “x conditions” did not exist
In its pure mathematical form (technically called Modus Tollens) it can be represented as follows:
if p -> q
To flesh this out a bit:
If the current conditions exist such that H1N1 should massively spread, then there should be a pandemic
We did not have a pandemic
Therefore the conditions did not exist such that H1N1 should massively spread
The conclusion is that if the conditions did not exist, then something else — such as drug companies — must have pushed the pandemic hype. The mistake in reasoning is to believe that the conditions in the first part of the If/Then statement cannot change. By distributing a vaccine, the conditions of the “If” were altered. The same fallacy applies to information security.
Next time someone complains that “There is no way to tell if any of this information security really does anything,” the Information Security Professional has a proper, logical and mathematically sound reply: “We changed the environment so that it would be much less likely to happen.” Logically speaking, it’s as though we changed the variable ‘p’ to something else so that a different condition now exists. It’s necessarily so.