“H1N1 was totally overblown. Nothing really terrible happened. No one suffered a pandemic, and the resulting deaths were fewer in number than the deaths from the regular flu.” That’s a paraphrase of what some colleagues said to me. This sentiment is now echoed in the mainstream press as the WHO reacts to criticism that the pandemic hype was generated by the drug companies to sell flu shots. In short, it wasn’t a real pandemic because nothing happened. It’s the same logic behind many criticisms of information security. And the error is a semantic one (the word “conditions” quietly refers to two different states of the world) rather than a mistake in the underlying logical form.
Logically, the argument runs like this:
If “x conditions exist” then something really bad should happen
Nothing really bad happened
Therefore “x conditions” did not exist
In its pure formal form (technically called Modus Tollens, which is a valid rule of inference) it can be represented like this:
if p -> q
~q
hence ~p
To flesh this out a bit:
If the current conditions exist such that H1N1 should massively spread, then there should be a pandemic
We did not have a pandemic
Therefore the conditions did not exist such that H1N1 should massively spread
The conclusion is that if the conditions did not exist then it must have been another reason, such as drug companies, that pushed the pandemic hype. The mistake in reasoning is to believe that the conditions in the first part of the If/Then statement cannot change. By distributing a vaccine the conditions of the “If” were altered: the “nothing happened” that we observed was observed under the altered conditions, not the original ones, so it tells us nothing about whether the original conditions held. The same fallacy applies to information security.
Next time someone complains that “There is no way to tell if any of this information security really does anything,” the Information Security Professional has a proper, logical and mathematically sound reply: “We changed the environment so that it would be much less likely to happen.” Logically speaking, the controls replaced the variable ‘p’ with a different condition, so the absence of ‘q’ under the new condition cannot be used to deny that the original ‘p’ ever existed. That follows necessarily.
One Comment
The Y2K effort (now a full ten years ago, can you believe it) is perhaps the most famous illustration of Ken’s point.
Y2K was a “non-event” and a “wasted effort” and a “false alarm” in the minds of many people.
Put aside entirely the absurd Y2K alarmists’ fears and predictions of world-wide technological collapse. No rational technologist accepted or believed these predictions anyway.
The fact is that there were real, genuine date-related “bugs” in our systems. They were pervasive, potentially disruptive and possibly ruinous for the conduct of business if ignored. We did not ignore them, we spent a couple of years finding and fixing them. Practitioners who know the extent of the remediation understand that it was necessary and appropriate, and that it was just in time — we could not wait until January 1, 2000 to begin to address the problem.
But in retrospect, because on that date there was no Y2K disaster, there are still people who believe to this day — with false logic — that the entire matter was a hoax.