Part 1: Everything We Knew About Cybersecurity Is Wrong

Chapter 1: Cybersecurity: The Illusion of Knowledge
Everyone knows what 'cybersecurity' means.
It is possible to measure how secure a system is.
__Trust and Risk
__threat
__Security Policy
__at last…
The top priority to pursue is security.
Cybersecurity is about obvious risks
The more cyber threat information is shared, the better the situation becomes.
What matters to us matters to everyone
Product ○○ will definitely make us safe.
Macs are safer than PCs, and Linux is safer than Windows.
Open source software is more secure than closed software.
Technology ○○ will ensure security
Process ○○ will ensure security
There's a magic pixie dust that can make old ideas new.
Passwords should be changed frequently.
Believe and fear all hacking demos
Cyber ​​attacks are easier than defense.
Operational Technology (OT) is not vulnerable
Breaking through the system is the best way to prove myself.
If you can, you should
As security increases, privacy becomes weaker.
Further Reading

Chapter 2: Revisiting the Internet from a Security Perspective
Everyone knows what the 'Internet' is.
An IP address uniquely identifies a device.
The Internet is managed and controlled by a central authority.
The Internet is largely static
The network is static
__You know what your core assets are and where they are.
Email is private
Cryptocurrencies are untraceable.
Everything can be solved with blockchain.
The Internet is like an iceberg
__The dark web is solely for criminal activity.
__Dark web activity is untraceable
A VPN makes you anonymous.
One firewall is enough
Further Reading

Part 2 | Cybersecurity and Breach Incidents: Understanding Human Psychology

Chapter 3: False Beliefs and Excessive Expectations That Lead to Threats
Humans will act rationally, so it's the user's fault!
We know everything you need to know about cybersecurity.
Compliance equals (perfect) security
Authentication ensures confidentiality
Why bother trying when you can never be safe?
I am too small and insignificant to be attacked.
Everyone is after me
My data is safe because I only use trusted websites.
Security by ambiguity is somewhat secure.
The illusion of visibility and control
The key to cybersecurity is the five 9s.
Everyone has cutting-edge technology
Can predict future threats
Security officers can control security outcomes.
All bad outcomes are the result of bad decisions.
The stronger the security, the better.
Best practices are always best
Since it's online, it must be true or accurate.
Further Reading

Chapter 4: 20 Mistakes That Lead to Wrong Security Judgments
Fallacy of False Causation: Correlation is Causation
Absence of evidence is evidence of absence.
The Dummy Hacker Fallacy
The fallacy of ad hominem
The fallacy of hasty generalization
Regression error
Base rate error
Gambler's Fallacy
Errors in abnormal signs
Ignorance of Black Swans
Combination and separation errors
Optimistic bias effect
Endowment effect
sunk cost fallacy
Other errors
__Appeal to the outside world error
__Questionable evidence citation error
__Leading question error
__False Choice Error
__To Quoque Error
__Question redefinition error
Further Reading

Chapter 5: 24 Cognitive Biases That Exploit Security Gaps
behavioral bias
random bias
survivorship bias
confirmation bias
confirmation bias
post hoc bias
availability bias
social proof bias
overconfidence bias
Zero-risk bias
Frequency bias
Other biases
__Result bias
__discount bias
__proximity bias
__Face value bias
__Wife bias
__Halo bias
__One-upmanship bias: competitive superiority consciousness
__Anchoring bias
__Ignition effect
__Knowledge bias
__Status quo bias
__ism bias
__Egocentric bias
Further Reading

Chapter 6: Distorted reward and punishment systems and incentives that threaten security
The goal of a security company is to keep its customers safe.
The cybersecurity decisions I make only affect me.
Bug bounty programs eliminate exploitable vulnerabilities.
Cybersecurity insurance reduces the risks people take.
Fines and penalties make people less likely to take risks.
Retaliatory attacks will help prevent cybercrime.
Innovation increases security and privacy breaches.
Further Reading

Chapter 7: Problems and Solutions: The Dichotomy Trap
In cybersecurity, failure is not an option.
Every problem has a solution
__Big data can solve all problems.
__There is only one right solution in the world.
__Given cybersecurity problems, everyone must solve them in the same way.
Personal experience can be a good starting point for cybersecurity solutions.
The new system is better because it detects more 'bad things'.
All security processes must be automated.
Professional certifications are useless
A computer-related degree is essential for a career in cybersecurity.
__Cybersecurity certifications are valuable.
__There is a shortage of cybersecurity personnel.
__There is a gap between academia and practice.
Further Reading

Part 3 | Security-Related Technical Issues Considering Reality and Context

Chapter 8: Metaphors and Abstractions About Cyberspace
Cyberspace is like the real world
Cybersecurity is like defending a castle.
__Digital theft is just like physical theft
__Users are the 'weakest link'
Cybersecurity is like medicine or biology.
Cybersecurity is like war
Cyber ​​Pearl Harbor
__Cyber ​​weapons
__Cyber ​​terrorism
The laws of cybersecurity are like the laws of the physical world.
Tips for Metaphors and Abstractions
Further Reading

Chapter 9: Law, Systems, and Policies in Cyberspace
Cybersecurity law is similar to real-world law.
The law there doesn't apply where I am.
That violates my First Amendment rights!
__Ignorance of the law
__Different jurisdictions
Computer code takes precedence over legal code.
__The law can be simply converted into computer code.
__Legislators, regulators, and courts know enough about the technology to regulate it.
__The law and the courts unfairly restrict developers.
The judiciary never responds to cybercrime.
Information can be hidden at any time through litigation.
Litigation is the best response to covering up a data breach.
Terms of Use Don't Matter
The law is on my side, so I have nothing to worry about.
Further Reading

Chapter 10: Are You Using Security Tools Properly?
The more tools the better
__Every new threat requires new tools
The default configuration is always safe
One tool can stop all the bad things
You can tell the intention by looking at the tool.
Security tools are inherently safe and reliable.
If nothing is detected, then everything is fine.
__The fact that the scanner didn't detect anything means we're safe.
__No alarm means safe
__No vulnerability reports means no vulnerabilities
Further Reading

Chapter 11 Software Vulnerabilities and Social Engineering Attacks
We know everything there is to know about vulnerabilities
Vulnerabilities are rare
Attackers are becoming more and more skilled.
Zero-day vulnerabilities are the most important
__Zero Day is the scariest
__Zero Day means persistence
All attacks rely on vulnerabilities.
Exploit attack tools and proofs of concept are bad.
Vulnerabilities only occur in complex code.
The first mover must sacrifice security.
Patches are always perfect and applicable
Defensive measures can become security vulnerabilities over time.
All vulnerabilities can be fixed
Vulnerability assessment systems are easy and well known.
If you can, you should [Vulnerability]
The name of the vulnerability reflects its importance.
Further Reading

Chapter 12: The Evolving Threat of Malware and Ransomware
Sandbox gives you everything you need
Reverse engineering can tell you everything you need to know
Malware is not geographically specific.
I can always find out who created the malware and attacked me.
Malware is always complex and difficult to understand.
Free malware protection is enough
Malware will only infect you from suspicious websites.
If you can, you should [Malware Edition]
Ransomware is a completely new type of malware.
Signed software is always trustworthy
The name of the malware reflects its importance.
Further Reading

Chapter 13: Unfailing Digital Forensics and Incident Response
Movies and TV reflect the reality of the cyber world.
Cyber ​​incidents are discovered immediately after they occur.
Cyber ​​breaches are individual and isolated incidents.
All cyber incidents are equally serious.
Standard incident response techniques alone are sufficient to respond to ransomware.
The incident response team just flips a few switches and everything magically resolves itself.
The identity of the attacker can always be determined.
The identity of the attacker must be determined.
Most attacks and data breaches originate outside the organization.
The Trojan Horse defense logic is over.
Endpoint data alone is sufficient for incident detection.
Accident recovery is a simple, linear process.
Further Reading

Part 4 l Is Security Without Data Really Safe?

Chapter 14: Lies, Damn Lies, and Statistics
If you're lucky, you might be able to avoid a cyber attack.
Numbers alone explain everything
Probability is certainty
Statistics is law
__Context is needed
__Inference Prediction Using Statistics
__Correlation implies causation
__Classification errors are not important
Data is not important in statistics
AI and machine learning alone can solve all cybersecurity problems.
Further Reading

Chapter 15: Images, Data Visualization, and Illusions
Visualizations and dashboards are inherently universally useful.
Cybersecurity data is easy to visualize.
__Visualizing Internet geographic location information is useful.
__The visualization of IP and port is clear and easy to understand.
Further Reading

Chapter 16: Still, There Is Hope
For a world less swayed by superstitions
Documentation is important
Common Patterns and Recommendations in Popular Sayings
__Common patterns in proverbs
__General Recommendations
Let's avoid another future trap.
In closing

Appendix A Summary of Key Terms and Concepts
Appendix B: Glossary of Security Terms and Acronyms

Cybersecurity is invisible and full of unexpected risks and challenges.

No matter how well-intentioned we may be, popular beliefs, false assumptions about the world, and inherent human biases lead us to make all sorts of avoidable mistakes and errors.
As a result, implementation, investigation, and research of security are often put in an awkward position.
Especially for those new to cybersecurity, many flawed practices can seem plausible, leading to repeated breaches and security failures despite misconceptions and misperceptions.

In this book, three prominent security industry pioneers delve into the misconceptions and myths that plague cybersecurity—from the security field to the C-suite—and offer expert, practical advice on how to secure cyberspace with sound security knowledge.

Whether you're new to cybersecurity or already a seasoned professional, this book will provide you with the insight and support to uncover hidden risks, avoid avoidable mistakes, and dispel faulty assumptions.
It will also help combat deep-rooted cognitive biases inherent in humans that hinder cybersecurity prevention, investigation, and research activities.
Additionally, this book presents vivid case studies from real-life cybersecurity incidents, specific techniques to help you recognize and overcome security vulnerabilities, and practical countermeasures for building more secure products and businesses.

| What this book covers |

ㆍ Over 175 cybersecurity myths and misconceptions that users, corporate executives, and security professionals can easily fall into, along with practical tips for avoiding them.
The pros and cons of metaphors and abstractions, misunderstandings about security tools, and the pitfalls of incorrect assumptions.
ㆍ Ways to improve the effectiveness of cybersecurity decision-making from the perspectives of users, developers, researchers, and executives.
Why statistics and figures, while insightful, can also be misleading
ㆍ The ability to identify security-related misconceptions and misperceptions, strategies to avoid future pitfalls, and techniques to mitigate security threats.

| Target audience for this book |

Not only existing information security experts, but also non-experts interested in security, such as developers, designers, analysts, decision makers, executives, and students.

-- Beginners will be able to understand old concepts in context and avoid mistakes in advance.

-- For experienced practitioners, it will offer fresh perspectives on applicable techniques and approaches, and advise against falling into the trap of inadvertently weakening cybersecurity.

-- Since cybersecurity is an issue that concerns everyone who relies on technology, this book is useful even for those not working in the cybersecurity field.
-- Decision makers and executives, who assume or manage corporate risks, need a thorough understanding of cybersecurity.


| Structure of this book |

The book is divided into four parts: general security knowledge, human psychology, technology issues, and data issues, and covers over 175 myths, biases, and misconceptions.
Each chapter is organized by topic, grouping together proverbs with similar themes and organically connecting them.
You can read each chapter separately or read them all together.
Section titles within each chapter represent specific proverbs or topics.


Each section explains a myth or misconception, provides some real-life examples, and discusses how to avoid it.
We cover technical topics like vulnerabilities, malware, and forensics, as well as how our thinking and decision-making, including logical errors and communication, impact cybersecurity.

Appendix A contains brief descriptions of key concepts and terms used in the text.
So, if you're unfamiliar with terms like firewall or log4j vulnerability, please refer to the appendix for a brief explanation first.
The fields of cybersecurity and computing in general are awash in acronyms.
Appendix B lists abbreviations, so if you come across an unfamiliar abbreviation, please look it up to find out what it stands for.

[Opening remarks]

When Eugene Spaford asked me to write the foreword for this book, I asked to see at least part of it first.
First, I looked through the table of contents and was captivated by the authors' clever writing style, which introduces misconceptions and myths about security that can lead us astray.
And I also thought about changing the title of the book to Cybersecurity Mythconceptions.
The "Introduction" section of this book is written with remarkable clarity and honesty, and its self-deprecating yet approachable style helps readers to embrace the possibility that they may have been misled by myths and misunderstandings.

In short, this is a very important book.
In many cases, cybersecurity is about decisions and choices about what software we use, what practices we follow, and what security beliefs we hold dear.
The authors enhance the book's usefulness by clearly explaining some of the misconceptions people have about cybersecurity.
As the authors debunk each cybersecurity myth, readers feel a sense of superiority, thinking, "How ridiculous that people believe such foolish ideas!"
It's as if I could never be fooled by such beliefs, and that's why each case is more memorable.


The style of this book is CS
It reminds me of Lewis's famous work, The Screwtape Letters (Hongseongsa, 2020).
In this novel, Screwtape, a veteran demonic tempter, teaches his young disciple, Wormwood, how to lead humans away from goodness and rationalize their actions.
Network security is a very important issue.
Cyberspace, a broader concept that includes the Internet and all programmable objects, is vulnerable not only to intentional and malicious acts but also to mistakes made by various actors, such as programmers and network operators.

I have long believed that responsibility and ownership are key to securing the online cyber environment.
We must be able to identify malicious actors and hold them accountable.
This requires international cooperation and the capacity to remove the veil of anonymity.
Like the Internet, cyberspace crosses national boundaries in its everyday operations.
Subjectivity is essential.
Participants in cyberspace must be equipped with tools to protect themselves, including legal structures and agreements that enable them to pursue those who engage in harmful or criminal activity.


One of the most powerful defensive tools is critical thinking.
The content of this book is all about learning how to think more critically about the dangers of cyberspace.
This kind of thinking requires a lot of effort and is not something that can be achieved for free.
Malicious attackers prey on our weaknesses as humans.
Unfortunately, this weakness includes our human nature to want to help those in need.
These positive social emotions, including goodwill, are exploited for numerous fraudulent activities.
This book teaches us how to spot these tricks.
It also arms us with more secure practices like two-step authentication, multi-factor authentication, encryption, backups, and redundancy.
In the complex cyberspace of the 21st century, problems can arise in a variety of ways.
Addressing these risks requires collaborative action at the individual, corporate, and government levels.
As always, knowing in advance helps you prepare.


Let's read this book, laugh to our hearts' content, and put what we learn into practice.
You won't regret it.
- Vint Cerf / Internet Pioneer

[Author's Note]

This book is about dispelling myths, but that doesn't mean they will disappear completely from the world.
This is because humans have a tendency to create myths to explain their experiences.
In particular, because we have evolved to process information quickly, we tend to try to generate our own answers when immediate explanations are not possible.


In the future, incorrect beliefs are likely to become more common and more difficult to correct.
As people have access to more and more information, they are exposed to more and more misinformation.
We've seen the proliferation of outrageous and sometimes destructive myths, such as conspiracy theories surrounding airplane clouds, antivirus software, and alien infiltration of governments.
It is becoming increasingly difficult to determine what is true and trustworthy.
For this reason, whether in cybersecurity or any other field, we all need the ability to quickly identify and correct misconceptions as they emerge.

Our three authors work in academia, industry, and government, and all have researched and written about cybersecurity and computer science.
Science can correct, verify, and dispel cybersecurity myths by using standardized methods and providing validated evidence.
Engineering can use science to create more robust and reliable products.
The authors boast nearly 100 years of combined experience, spanning cybersecurity design and research, incident response, and forensics.
Those of us who work in science and engineering have seen many people make avoidable mistakes due to myths and misconceptions in cybersecurity.
One of the purposes of this book is to educate students and practitioners.
We believe this book is the first to systematically organize this information.

[Translator's Note]

Today, cybersecurity is a matter of survival for businesses.
We live in an era where a single hacking incident can destroy customer trust and shake the very foundation of a company's existence.
Security is both an age-old issue and a persistent challenge, making this book all the more timely and relevant to confront today's realities.


This book contains powerful insights that will challenge not only security practitioners, but also executives and even general readers to rethink the "nature and misconceptions of cybersecurity."
When I first encountered the original book, "Cybersecurity Myths and Misconceptions: Avoiding the Pitfalls of Security Management," I was deeply drawn to the authors' fresh yet realistic perspective.


Rather than dryly listing the latest security technologies and tools, this book dismantles the misconceptions, traps, and strategic blind spots that organizations easily fall into.
And it reminds us that security goes beyond the simple realm of IT and is closely intertwined with corporate culture, management strategy, and people's perceptions.
I am a professor at the Naif Arab University of Security Sciences (NAUSS) in Riyadh, Saudi Arabia, where I collaborate with companies and institutions on various cybersecurity research and education projects.
What I realized during this process was that while technology is important as a factor in determining the success or failure of security, 'human judgment and organizational awareness' are more important than anything else.
While translating this book, I realized that the various problems I had encountered in the field were exquisitely intertwined with the insights of the authors.


I sincerely hope that this book will serve as an opportunity for corporate security officers, IT managers, and all readers interested in cybersecurity to correct misconceptions and misconceptions surrounding security and gain a new understanding of the nature of security failures.
I sincerely hope that the message of this book—that security is not an unnecessary expense, but a key investment in securing the future—will resonate deeply with many readers.

- Kim Kyung-gon

Cybersecurity is a constantly evolving field, yet many people still take outdated practices or unproven "security wisdom" for granted.
This book debunks these widespread misconceptions, one by one, and makes us realize just how many misconceptions we have about security.
Since I had deeply sympathized with the book's concerns even before I began translating it, I found myself nodding along several times and gaining much insight as I translated the book.

Furthermore, while translating this book, I realized once again that the security methods that users generally believed to be correct in the field of cybersecurity were actually being passed down as practices without proper verification.
I also confess that I have physically beaten my computer as a last resort when it was not working and I could not find the cause, and because of this experience, I was able to empathize with it a lot and learn a lot from it while translating the book.

It's a fun read, especially thanks to the cute animal illustrations and the author's humor that keeps the book from getting boring. I think it's a must-read for everyone, from the general public interested in security to security experts and even policymakers running businesses.
- Jang Eun-kyung

I had an interesting experience translating this book.
I have witnessed the bizarre phenomenon of the problems addressed in this book occurring in real life.

This book contains interesting stories about North Korean hacking organizations and cryptocurrency hacking. Coincidentally, in February, ByBit, a world-class cryptocurrency exchange headquartered in Dubai, United Arab Emirates, suffered a hacking incident that was believed to be the work of a North Korean organization, resulting in damages exceeding 2 trillion won.
Two trillion won? It makes me think North Korea could be running a professional hacking organization.
This book also emphasizes that the public belief that “if you use a trustworthy site or service operated by a large company, you are safe from hacking (Chapter 1)” may be an ‘illusion’, but a few months ago, there was an unfortunate incident in which personal information of customers was leaked on a large scale at the number one telecommunications company in Korea.
And regarding ransomware, which is covered quite heavily in this book, a major domestic online bookstore suffered a ransomware attack that paralyzed its services for several days.
Since I use this site often, this incident came as quite a shock to me.
Not long after, another ransomware incident occurred at a major domestic surety insurance site.
Although the Financial Security Institute successfully decrypted the encrypted data by exploiting a flaw in the malware and successfully completed the investigation, it was a strange feeling to hear passages from the book I was working on again as breaking news.


The pinnacle of such strangeness was when the events described in the book happened on my PC.
When I tried to access the cryptocurrency exchange I'd been using for the first time in a while, a warning pop-up appeared in my web browser.
Since this was a warning message that had appeared occasionally before, I might have ignored it and logged in right away.
But after witnessing these major incidents one after another while translating security books, I wondered if my heightened security awareness was holding me back. It turned out that malware had unknowingly installed on my PC, intercepting all of its internet traffic and sending it to a proxy server.
This malware was not detected or treated by any antivirus software, and what was more surprising was that despite numerous attempts to delete the suspected malware processes and files using all possible methods, the malware would come back to life like a ghost after a few minutes and reset the proxy server connection.
It was creepy.
I ended up having to format my entire computer and reinstall Windows, and I couldn't use my PC properly for a few days.

What happened on my PC was a case of a combination of all the things detailed in this book: proxy relays (Chapter 7), sophisticated malware that evades detection (Chapter 12), and sophisticated phishing techniques (Chapter 10).
Moreover, the book's warning (Chapter 3) that individuals' belief that they are "small and insignificant and will not be attacked" is an illusion was unfolding before my eyes.
After thinking about it carefully, I began to think that this series of events was not a simple coincidence.
At first, it felt like a strange coincidence, but isn't this evidence that such cyberattacks are becoming more frequent and have infiltrated our daily lives?
As this book points out, attackers leveraging AI will become increasingly intelligent and threatening.

After going through this experience, I realized once again that security is not a problem that is so far removed from our daily lives that it can only be “left to the experts.”
In a world where everything is digital and connected to the Internet, my precious data and personal information are at risk of being stolen at any time, and no one is protecting them.
I believe that we have entered an era where everyone needs to be educated about security, just as we need to be concerned about our health and money.

This book can be said to be a kind of 'humanistic approach' to security.
Because it doesn't cover technical practical matters, this book can be helpful to anyone who wants to learn about security as a modern-day cultural asset, and it will also serve as a guide for working professionals to correct their inertia-ridden perspective on security.

This book is full of the authors' long-standing insights in the security field, but as they are not professional writers, there are many sentences that are difficult to understand, making the translation a challenging task.
However, I am proud to say that the result is a book that readers will find much more engaging and easier to understand, while still retaining the authors' keen insights.


I hope this book will serve as a starting point for readers to avoid security threats that may arise in the future.
- Park Ki-seong