Happy Tuesday!
There’s so much craziness and uncertainty slinging around these days, we should do our best to stay on a first-name basis with Reality.
In fact, let’s be Friends of Reality. If we’re out and about, and we see Reality hanging around, we should slide on up to Reality and give it a big ol’ bro hug.

Recently a group of over 100 cybersecurity practitioners published an Open Letter claiming:
"There is no evidence of widespread crime originating from QR-code scanning itself. The real risk is social engineering, being tricked into visiting a malicious site or sharing sensitive information."
What are they trying to say? Are they saying that scanning a malicious QR code isn’t the problem, but what you do after? If so, then for consumers, that’s nothing more than a distinction without a difference.
“. . . no evidence of widespread crime originating from QR-code scanning . . .”
How does Reality on the ground compare to this statement?
How do we accurately report what’s happening and assess the risk?
Let’s take a look.
— Anthony Collette
Founder, Loistava Information Security
I explain medical research risk to the public for a living
For the past seven years I’ve spent my workdays explaining the risks of medical research to the non-technical public. As a consent form editor, I spend half of my typical day providing the public with a factual report of what actually happened when regular people just like them took an experimental drug. The other half of my day is spent overcoming the public’s misconceptions about medical research.
Anyone considering the possibility of taking an unproven, investigational drug has the right to know what they’re getting themselves into. And the public’s profound misunderstandings about the difference between healthcare and medical research cause all sorts of problems. My workday revolves around the role of language in medical research — how to inform, how to assess risk, how to persuade and empower, and how to lessen the power differential between healthcare practitioners and research participants.
Every year tens of thousands of people read and sign the projects I work on. As they consider their unique circumstances, the factual language we’ve crafted persuades them that the potential benefits outweigh the possible risks. They sign their consent form, then take a pill or an injection. At this point, something is definitely going to happen. The risks aren’t hypothetical. That drug is going to do something to their body, and their body will definitely do something to that drug. The study staff watches with the hopeful expectation that more good than bad will happen, otherwise the research wouldn’t be conducted.
Are they persuaded? We don’t have to wonder. They’ve signed and dated their consent form, and they’ve taken that investigational, experimental drug. They’re all in.
How to explain cyber risk to the public?
If a pothole opens up on your street, you’d probably want to know about it. Knowing it’s there is empowering, because now you can swerve and avoid it.
The world is constantly changing, and new technologies offer convenience and efficiency to typical users. QR Codes are an excellent example. Instead of typing in a long website address, you can simply point your phone at a printed QR Code and — like magic — you arrive at the intended website. QR Codes are awesome. But like any good thing, they can be used for their intended purposes, or they can be abused by criminals.
International criminal organizations are now conducting massive QR Code frauds against the public. We see this pop up sporadically in cities in the U.S. like Los Angeles, Denver and Houston. But the UK has seen an explosion of these crimes. Victims in the UK contacted law enforcement, which then took a closer look. They found malicious QR Codes widely distributed over their entire country:
In one city, 370 out of 370 parking machines had malicious QR Codes
20 hospital parking lots had been targeted
400 parking lots nationwide had been targeted
Police forces across Europe and the UK searched locations around the world and arrested 18 people in a massive operation against these scam networks.
Looking at this map, and considering the arrests, this seems to be evidence of widespread crime originating from QR-code scanning. How does it look to you?
How do we explain this change to the public? It’s as if a new cyber pothole opened up on our street. Isn’t it better to know about it and avoid it?
If you tell your neighbor “there are no potholes on our street”, but your neighbor falls into one and blows a tire, what does that do to their perception of your credibility?
If you tell people “the sky is green,” but they look up and see the sky is blue, how likely are they to consider you a reliable source of information? Especially considering everyone has the Internet in their pocket.
Cybersecurity already has a credibility problem. Why make it worse?
The successes of cybersecurity rarely make the front page. But its failures certainly do.
In the fall of 2024, the Wall Street Journal published a huge, featured story on its front page about the failure of private messaging. With big, bold graphics, a James Bond theme, and a David vs. Goliath dynamic, WSJ broadcast a story sure to scare the sh*t out of any business owner. The story screamed from the front page “Cybersecurity failed!” But did it? I read through this story multiple times, and it was clear that it wasn’t a failure of technology, but sounded more like a people problem.
I was sure someone, anyone from the cybersecurity industry would respond to this story. But, as far as I know, there was no response from the industry. So I tried to give the public useful context, a reasonable explanation, and actionable advice. The lack of an industry response is odd, considering the industry had something of substance to say: this problem screaming from the front page was all about human nature, not the failure of technology.
Within weeks of the WSJ article, Financial Times published a front page opinion piece with some juicy headlines:
Cyber security companies are thriving — even when they fail
This may be the ultimate industry for providing very lucrative but ineffective solutions
The gist of this article is that cybersecurity doesn’t work, we may never solve the problem, but investors and cyber vendors are taking in a haul. There’s a hint that perhaps the incentives aren’t really aligned for success. Companies and governments are spending an escalating fortune on IT security but cyber crime is only growing worse. The author suggests solving cybercrime will be even more difficult than tackling physical crime.
He wraps up by saying “cyber security companies are never likely to solve the problem they were created to tackle. But few users can survive without them. And their investors are likely to enjoy a lavish return all the same.” Other than the positive return on investment, this front page article in one of the world’s most influential business publications had nothing nice to say about cybersecurity.
If you noticed an industry response to this, please let me know. I haven’t yet. These extremely negative articles in the mainstream press poison people’s minds against cybersecurity. This stuff teaches people Learned Helplessness.
I’m not qualified to respond to the negative positions this author takes. But surely someone in the industry could have responded with something of substance.
If you talk with someone about cybersecurity, and they don’t respond the way you’d prefer, the reason may be that someone else got to them first.
Some things in life are unavoidable, like negative press coverage. We just grit our teeth and white-knuckle through it, responding as seems best.
But making statements about cyber risk to the public which aren’t supported by evidence is a purely optional pothole. Don’t bust a tire. Swerve.
Join us
Weekly resources to help keep you safer online — protecting you from hackers, online scammers, and other Digital Kleptomaniacs™.
No spam. No selling your email. Just factual, actionable information once a week, from people who truly care about online security. You can unsubscribe any time — but we hope you’ll want to stay with us on this journey.
Cybersecurity is a modern form of wealth, and you deserve to keep what you've earned.
Looking forward to connecting again next week.
— Anthony Collette