NO a thousand times NO
They are alluring, appealing and sound correct — hey it’s a computer ‘virus’ right? Machines are ‘infected’. Malware propagation can be described and modeled mathematically. Indeed such public health concepts might work and be useful when we have well-accepted, scientifically valid (testable, falsifiable) theories in cyber security. Unfortunately there are no equivalents of toxicology, systems biology, germ theory and epidemiology in the information system domain.
Until such fields do exist, the cyber security field is better off focusing on the broader social, economic and behavioral aspects of machine/human interaction.
Reblogged this on View from Arch Street and commented:
ICYMI: security policies based on flawed public health metaphors equal no policy at all