There is a long history of people comparing IT security to biology, most obviously perhaps with the term virus. Sometimes this analogy is useful, sometimes less so.
I wanted to look into what public health officials call ‘herd immunity’ and whether it applies to our cybersecurity needs.
The term herd immunity, sometimes also known as ‘community immunity’, refers to herds of animals or groups of people. (I know, most of us don’t refer to ‘herds’ of humans.)
This short animation does a good job of explaining the concept.
What’s attractive about herd immunity in the medical world is that it is particularly good at protecting those who can’t be vaccinated, like the very young, pregnant women or those who are too weak from other illnesses.
Herd immunity needs a critical mass of hosts – people, cattle or for our purposes networks/endpoints – to be effective. Most experts put the proportion at somewhere around 80 per cent.
Recently herd immunity, as a concept, has gone mainstream as more people in certain countries have adopted an anti-vaccination stance, often for their children, for various reasons. Previously some groups – for example, the very young – were protected by herd immunity because they were in a sub-20 per cent minority. As more of their peers have gone unvaccinated, their risk of being infected has risen.
In a world where some people don’t take necessary IT security steps – whether through ignorance, irresponsibility, lack of money or other reasons – herd immunity is an attractive approach.
So what we’re saying is that if that percentage of users has even a minimum level of security then the number of threats would go down for an entire industry or possibly globally.
My own take is that if as an industry we could focus more on the dedicated, targeted attacks then we could make a huge difference. But, necessarily right now, we also have to cover a lot of low-level attacks that a lot of people, as consumers or businesses, could be taking care of with some simple steps. That’s where the herd immunity analogy really works.
There are huge botnets run by crime syndicates that depend on easily using thousands and thousands of unprotected computers. That isn’t so hard to slow down. Some of our products even rely on making herd immunity easier – catching a problem in one part of the world and immunising against it globally, very quickly.
Does the herd immunity analogy break down in terms of cybersecurity? As SC magazine put it a couple of years back:
In short, the body uses a layered defence strategy (including both blacklisting and whitelisting detection techniques) to protect against a fairly limited number of possible attacks. As the variety of attacks against computers is infinite and malware often employs anti-analysis techniques, it is far more difficult to protect a computer than a human.
In reality, herd immunity will rely on more than AV and even then the 80 per cent level probably isn’t high enough. But securing everyone by securing most? It’s a goal. Let’s raise the bar for the bad guys by all playing our part.