Simplifying Security - Razors in Cybersecurity II

In the previous article I introduced the concept of Philosophical Razors and how they can be applied to Cybersecurity. These are principles or rules of thumb that allow us to quickly analyze and eliminate unlikely explanations, or avoid unnecessary actions. We introduced two Razors, “Occam's Razor” and “Hanlon's principle”. Let's continue with a few more Razors that I believe will be helpful to aid your decision making:

Newton's Flaming Laser Sword (Alder's Razor)

This is a philosophical principle introduced by cognitive scientist Mike Alder. It states: “What cannot be settled by experiment is not worth debating.”


This razor emphasizes the importance of focusing on practical, testable questions rather than wasting time on abstract or theoretical arguments that lack empirical evidence. You might be wondering why Alder chose this name. He chose the term “Flaming Laser Sword” to make it sound more dramatic and memorable than other philosophical “razors” like Occam's Razor. The “sword” represents its power to cut through pointless or unresolvable discussions.

Here are some scenarios where we can apply it in Cybersecurity:

  • Evidence-Based Security: Focus on strategies and tools with proven effectiveness; usually this will take you back to the basics. Avoid getting bogged down in theoretical debates without practical data.
  • Vendor Claims of “100% Security”: Some vendors may claim that their product offers “100% protection” from all threats. Instead of debating the impossibility of perfect security, apply Alder's Razor: demand real-world testing. Conduct penetration testing, threat simulations, or review independent security audits to assess the actual performance of the solution under attack scenarios, rather than engaging in theoretical arguments about absolute security. Third-party assessments and testimonials from other customers can help you support and speed up this process considerably.
  • Risk Prioritization: Imagine a security team is debating whether to focus on a hypothetical risk from quantum computing breaking encryption algorithms versus addressing known vulnerabilities in their existing systems, like weak passwords and the lack of MFA. According to Alder's Razor (“What cannot be settled by experiment is not worth debating”), the focus should be on the proven risks that can be empirically tested and mitigated, such as patching vulnerabilities or implementing stronger password policies. Theoretical discussions about future risks like quantum computing breaking encryption should be set aside until there is concrete, testable evidence that those risks are imminent.

Why is this important?

Resources and Time: In cybersecurity, resources and time are finite and scarce. Focusing on risks that can be directly mitigated today, rather than on theoretical risks that cannot be tested or quantified, leads to more effective risk management.

Evidence-Based Action: By applying Alder’s Razor, the team avoids getting caught up in speculative debates and instead addresses real, measurable risks that are more likely to impact the organization now.

Sagan Standard - “Extraordinary Claims Require Extraordinary Evidence”

The Sagan Standard, coined by astronomer Carl Sagan, is a principle that emphasizes the need for strong, compelling evidence when extraordinary claims are made. Essentially, the more unlikely or exceptional a claim is, the higher the burden of proof should be. This standard is a tool for critical thinking, helping to avoid accepting extraordinary assertions without the necessary validation.

One of the most famous and common applications of the Sagan Standard is in UFO sightings or claims of alien life. While there are many claims about UFO encounters, extraordinary evidence (such as physical proof or high-quality documentation) is required to seriously entertain the idea that aliens have visited Earth. Simply seeing a light in the sky is not enough; such an extraordinary claim demands extraordinary, undeniable evidence. (I don't think the alien presented in the Mexican Congress counts.)

Threat Intelligence: Treat claims of new, sophisticated attacks with skepticism until strong evidence is provided. Before going after the latest shiny actor, make sure that there is enough information from reputable sources about this threat or actor.

Attributing an Attack to an Actor

Attributing a cyberattack to a sophisticated actor, like a government-backed group, is an extraordinary claim. The Sagan Standard would require extraordinary evidence such as detailed forensic analysis, indicators of compromise (IoCs), and corroboration from multiple intelligence sources before such an attribution can be made.

Zero-Day Exploit Detection

A vendor claiming that their product can detect and block all zero-day exploits would need to provide extraordinary evidence, like independent testing data or successful real-world use cases against previously unknown threats. The more exceptional the claim, the more data is needed to validate it.

Vendor Claims of Unhackable Systems

When a vendor claims their system is “unhackable” or “100% secure,” the Sagan Standard suggests that this extraordinary claim requires extraordinary evidence. Instead of accepting the claim at face value, you should demand rigorous third-party testing, audits, and penetration testing reports that support this claim.

Why is this important?

Impact of Attribution: Incorrectly attributing an attack to a nation-state can lead to misaligned resources and efforts, or even get you into legal and financial trouble (depending on your organization).

Skepticism: The Sagan Standard prevents security teams from jumping to conclusions based on extraordinary claims without adequate proof. It encourages an evidence-based approach before accepting such attributions.

Hitchens’ Razor - “What Can Be Asserted Without Evidence Can Be Dismissed Without Evidence”

Hitchens’ Razor, attributed to author and journalist Christopher Hitchens, is a principle of skepticism that emphasizes the importance of evidence when making assertions. It states that if someone makes a claim without providing evidence, there is no obligation to accept or even entertain the claim until evidence is presented.

Vendor Claims: Require solid evidence before investing in new security technologies or services. If a security vendor claims that their product is the “best on the market” but offers no data, case studies, or independent reviews to back it up, Hitchens' Razor allows you to dismiss this claim until real evidence (such as performance benchmarks or client testimonials) is provided. You are under no obligation to consider or trust the claim without solid evidence.

Unverified Incident Attribution

An IT staff member might claim that a recent security breach was caused by a particular hacker group without providing forensic evidence, logs, or any indicators of compromise. According to Hitchens’ Razor, this claim can be dismissed until actual proof is presented. Without evidence, the claim holds no weight.

False Positive Security Alerts

Security tools often generate false positives. If an analyst claims that a particular alert represents a real threat without offering detailed analysis or correlating evidence, Hitchens’ Razor suggests that this assertion can be ignored until they provide concrete proof that the alert represents an actual security incident.

Why is this important?

Avoiding Unnecessary Investments: By applying Hitchens' Razor, cybersecurity teams avoid investing in tools or technologies based on exaggerated claims that lack evidence, preventing wasted resources and potential security gaps.

Promoting Evidence-Based Decision Making: It encourages a culture of evidence-based decision-making in cybersecurity, where solutions are evaluated on their merits, not on unverified promises.

Each of these principles contributes to cutting through unnecessary assumptions, exaggerated claims, or overcomplicated theories, helping us focus on the most likely and evidence-based explanations. I have noticed over the years that seasoned, experienced Cybersecurity professionals tend to apply many of these razors in their thinking and when making decisions, while more junior and inexperienced professionals tend to get bogged down in the complexity and the hype of claims from vendors and media. Hopefully, this article inspires you to adopt these principles early, empowering your teams to make smarter, faster decisions, while cutting through complexity and making security simpler.
