VIEW 6
The accept strategy—the hygiene hypothesis
A surprising phenomenon that still puzzles the healthcare community is the rise in allergies in the general population. You have probably noticed an increased number of warning labels on food products, stating they may contain peanuts, gluten, eggs, soy, or shellfish. There has also been a rise in autoimmune disorders: diseases where the immune system attacks the body’s own tissues. Examples are lupus, multiple sclerosis, and inflammatory bowel disease. Hay fever also seems to be an increasingly common complaint.
One suggested answer to this allergy puzzle is the hygiene hypothesis. This highlights the fact that infants are less exposed to bacteria these days than in earlier times. Household cleaning products, antibacterial wet wipes, and higher standards of cleanliness have combined to create an environment far freer of microbes than that of our grandparents.
Reduced exposure to bacteria when young means immune systems are not properly developed and so become hyperactive later, leading to allergic responses and autoimmune diseases.
Island species that evolve in isolation can go extinct, like the dodo, when the outside world finally breaks in. An accept strategy involves deliberate exposure to those external dangers. Reading across to cyber security, the whole notion of a firewall is not one of isolation but of managed engagement with the rest of the internet.
Revisionist historians[5] in the UK have suggested that Hadrian’s Wall could be renamed Hadrian’s Gates, since it was as much an administrative structure as a defensive one.
It was designed not just to keep people out, but also to control the flow of people and goods and to administer taxes on trade. Similarly, a firewall dictates the terms of necessary interaction with the outside world and is the main tool of an accept strategy.
One of the most important questions to ask when evaluating cyber security is about the number of false positives, rather than just focusing on the number of incidents. A false positive is a sign that cyber defenses are actually in place although, of course, too many can be a major irritation and lead to dangerous complacency.
A company that has no documented false positives is a company that has no documentation procedures, or no defenses, or is lucky to an astronomically implausible degree. False positives and minor incidents are essential features behind an accept strategy.
In medicine, the best example of an accept strategy is vaccination: deliberately infecting the patient with a mild form of the virus to build immunity. In cyber security, this is the thinking behind a “honeypot”: a tempting but fake target designed to attract attacks from criminals in order to learn their techniques and so build resilience.
Note: There are only four possible risk mitigation strategies—avoid, accept, reduce, and transfer. Here we examine the accept strategy; the others are covered elsewhere.
