Cyber Security and the Expectation Gap

Blog post,

This story dropped a few days ago, and it’s (sadly) unremarkable as far as security news goes: Cabrini Hospital in Melbourne was hacked, a large number of medical files were ransomwared, the hospital made a payment to the attackers, but not all of the files were recovered.

This is becoming a common occurrence. There was of course the high-profile WannaCry attack and its impact on the UK National Health Service, but stories like this are popping up on a regular basis.

To me, the interesting part about the Cabrini Hospital attack was the reporting. In particular, this paragraph:

The latest hack is expected to fuel calls for the federal government to reinforce the nation’s cyber defences, particularly email security.

This is what we call an expectation gap.

Financial Audit and the Expectation Gap

In financial auditing, the term expectation gap is used to describe the difference between what the public thinks an auditor does, and what they actually do.

In short, the public thinks that government agencies like ASD can, and should, protect them from these sorts of attacks - after all, we have Defence to protect us against kinetic attacks - so why can't they do the same for the cyber realm?

Of course, this is a ridiculous expectation. Defending a corporate network from hackers—even state-sponsored ones—isn’t remotely equivalent to kinetic warfare. The only way ASD could stop this attack is to directly manage Cabrini Hospital’s email service and network