I work in a corrupted industry, variously known as the “infosec” community or “cybersecurity” industry. It’s a great example of how truth is corrupted into “Truth”.

At a recent government policy meeting, I pointed out how vendors often downplay the risk of bugs (vulnerabilities that can be exploited by hackers). When vendors are notified of these bugs and release a patch to fix them, they often give a risk rating. These ratings are often too low, in order to protect the corporate reputation. The representative from Oracle claimed that they didn’t do that, and that indeed, they’ll often overestimate the risk. Other vendors chimed in, also claiming they rated the risk higher than it really was.

In a neutral world, deliberately overestimating the risk would be the same falsehood as deliberately underestimating it. But we live in a non-neutral world, where only one side is a lie, the middle is truth, and the other side is “Truth”. Lying in the name of the “Truth” is somehow acceptable.

Robert Graham on “Truth”.

While I don’t think Graham is wrong on his larger point (that of truth versus “Truth”), it does bear pointing out that literally the Number 1 problem in INFOSEC risk assessment is that the vast majority of it is qualitative, not quantitative. That is, it’s based on gut feelings and instincts and who can make the most persuasive argument, not actually any unchanging empirical fact, and that this is something large portions of the more operationally minded members of the community find almost impossible to deal with…