Hacking Case Study - use real businesses or make them fictitious?
February 18, 2020 4:08 AM   Subscribe

I'm doing a presentation on hacking to a local chamber of commerce group. Could there be repercussions from using the names of real businesses in a fictitious case study?

I'm doing a presentation on how easily a business can get hacked. To make it interesting I'm thinking of using using one or two businesses (one local business and one multinational) in my city as two "subjects" pointing out how a hacker could compromise them by exploiting information they've posted online. By using real businesses, I think it's going to make the presentation much more interesting and engaging. But could this strategy backfire?


PS: There will be no actual hacking. Just examples of the steps hackers take when trying to compromise a business.
posted by jacobean to Work & Money (13 answers total)
 
Best answer: This seems like it could go wrong in very many ways. It could start rumors and speculation. It could blindside people in the room who wonder if you're dropping hints or you have evidence. People who are only half listening (and there will be those people) could misunderstand what you are doing and confuse fact with fiction. It could be insulting to those businesses, as you're revealing weaknesses they might have. If potentially defamatory, it could open you up to legal threats. I would recommend you avoid it.

I understand that the case study approach is more engaging than talking in the abstract. So instead I recommend you construct composite businesses, with fake names and descriptions. They could be just a few steps off from the real businesses and industries actually represented, in order to be useful to the audience, but otherwise not be based on facts about actual chamber members. Also, drawing in specifics of similar businesses in other cities that have been documented in the news would be fine. They will get the parallel.
posted by Miko at 4:38 AM on February 18, 2020 [16 favorites]


Hi! I work in cyber security in education and awareness, absoutlely don't do this.

Either make it all made up, Or reference real, published case studies that have actually happened (I favour the latter).

I know the odds are small, but companies sue when they find out their brand is being used in an unauthorised way.
posted by smoke at 4:40 AM on February 18, 2020 [12 favorites]


If you're doing this as a representative of some company or organization, run it by them first. I can imagine them having serious legal concerns and you don't want your boss/board/whatever to feel blindsided if they get complaints about your presentation after the fact. If they give you the go-ahead, then sure.

In your shoes I'd use fictitious companies and point out examples of how X thing in your scenario is an actual thing that happened in Y real-life case.
posted by Stacey at 5:14 AM on February 18, 2020 [1 favorite]


There are enough cases of real hacking that are known and public. Why not use those?
posted by spindrifter at 5:28 AM on February 18, 2020


And don't use barely fictitious names like "WalsMart." Say big financial or local credit union, etc.
posted by dances_with_sneetches at 5:29 AM on February 18, 2020


Response by poster: Thanks for those amazing responses.

Reflecting on those comments, it indeed could have legal repercussions and make my business just look indiscreet.

>>There are enough cases of real hacking that are known and public. Why not use those?

Actually it's quite difficult to find media reports of local SMB businesses which have been hacked. There seems a strong bias towards well-known brands.

>>>And don't use barely fictitious names like "WalsMart.

Do you think something like Big Global Supermarket Inc would be okay?
posted by jacobean at 5:35 AM on February 18, 2020


I think it would be a distraction. I'd use generic names like Retail Pet Shop, Local Hair Salon.
posted by theora55 at 5:50 AM on February 18, 2020 [1 favorite]


I would not do this. My go-to for fake companies is Acme Incorporated, like in Loony Toons.

Microsoft uses the fake Contoso, Inc. for a lot of things. You could also use companies from TV shows - Dunder-Mifflin, etc.
posted by jquinby at 5:59 AM on February 18, 2020 [6 favorites]


Best answer: theora55 is right, make up fake names. Using real companies will be a distraction, because people associate them with specific -- and different to each person -- experiences & policies.

Using fake companies allows you to tailor the story however you like, without regard for reality, where sometimes people accidentally do this correctly. :7) This lets you make the victims maximally stupid, without hurting any feelings.

The book The Phoenix Project is about software engineering, and how to turn around a bad culture. Though there are countless real examples (Lord knows), making one up out of whole cloth is easier for the author and for readers (since no one's identity is tied to the subject of the novel).
posted by wenestvedt at 6:11 AM on February 18, 2020 [1 favorite]


My professor uses things like furniture maker IDEA, etc. It's clear what he means, but it's just a fictitious example. Someone above said not to but I'm not clear on why not? Then again, you don't have to.

I'd just give them names that make it clear what they do like BankWell for a banking company.
posted by OnTheLastCastle at 6:36 AM on February 18, 2020 [1 favorite]


You could also use companies from TV shows - Dunder-Mifflin

That sounds like it would add a shot of fun. VanDeLay Industries. Scoops Ahoy. Here's a whole list.
posted by Miko at 7:09 AM on February 18, 2020 [2 favorites]


Here's an example.
posted by flimflam at 8:48 AM on February 18, 2020


Response by poster: Thank you everyone. Really helpful comments.

Real names have now been replaced by fake ones. I feel much more comfortable doing a presentation free of potential audience insult and speculation!
posted by jacobean at 4:12 PM on February 18, 2020


« Older Recipes with walnut liqueur?   |   Tear down everything! Newer »
This thread is closed to new comments.


Tags

Share