How to Sell Security

It's a truism in sales that it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle.

The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security, or a security officer trying to implement a security policy with her company's employees.

It's also true that the better you understand your buyer, the better you can sell.

First, a bit about Prospect Theory, the underlying theory behind the newly popular field of behavioral economics. Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979 (Kahneman went on to win a Nobel Prize for this and other similar work) to explain how people make trade-offs that involve risk. Before this work, economists had a model of "economic man," a rational being who makes trade-offs based on some logical calculation. Kahneman and Tversky showed that real people are far more subtle and ornery.

Here's an experiment that illustrates Prospect Theory. Take a roomful of subjects and divide them into two groups. Ask one group to choose between these two alternatives: a sure gain of $500 and a 50 percent chance of gaining $1,000. Ask the other group to choose between these two alternatives: a sure loss of $500 and a 50 percent chance of losing $1,000.

These two trade-offs are very similar, and traditional economics predicts that whether you're contemplating a gain or a loss doesn't make a difference: People make trade-offs based on a straightforward calculation of the relative outcome. Some people prefer sure things and others prefer to take chances. Whether the outcome is a gain or a loss doesn't affect the mathematics and therefore shouldn't affect the results. This is traditional economics, and it's called Utility Theory.

But Kahneman's and Tversky's experiments contradicted Utility Theory. When faced with a gain, about 85 percent of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70 percent chose the risky larger loss over the sure smaller loss.

This experiment, repeated again and again by many researchers, across ages, genders, cultures and even species, yielded the same result and rocked economics. Directly contradicting the traditional idea of "economic man," Prospect Theory recognizes that people have subjective values for gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or "A bird in the hand is worth two in the bush." And two, a sure loss is worse than a chance at a greater loss, or "Run away and live to fight another day." Of course, these are not rigid rules. Only a fool would take a sure $100 over a 50 percent chance at $1,000,000. But all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses.

This cognitive bias is so powerful that it can lead to logically inconsistent results. Google the "Asian Disease Experiment" for an almost surreal example. Describing the same policy choice in different ways -- either as "200 lives saved out of 600" or "400 lives lost out of 600" -- yields wildly different risk reactions.

Evolutionarily, the bias makes sense. It's a better survival strategy to accept small gains rather than risk them for larger ones, and to risk larger losses rather than accept smaller losses. Lions, for example, chase young or wounded wildebeests because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow. Similarly, it is better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food -- whether small or large -- can be equally bad. Because both can result in death, the best option is to risk everything for the chance at no loss at all.

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss -- the cost of the security product -- and a large risky loss: for example, the results of an attack on one's network. Of course there's a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that. Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally.

Though effective, fear mongering is not very ethical. The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. Same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Security shouldn't be a separate policy for employees to follow but part of overall IT policy.

Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

This essay originally appeared in CIO.

Posted on May 26, 2008 at 5:57 AM • 35 Comments

Comments

mostlygenius • May 26, 2008 8:11 AM

Interesting article. I would say that looking at the levels of included security (or safety) that these features tend to fall pretty far below the state of the art.

Three point restraints are standard in cars, but inferior to racing harnesses. Homes are built with fire retardant materials, but don't normally include sprinkler systems.

However even such premium options are less effective than good driving and fire safety i.e. more operator knowledge and skill.

I work in the 'counter terrorism industry' and while it is certainly funded by fear, that doesn't mean that restructuring to better integrate security as a core feature isn't happening.

s • May 26, 2008 10:08 AM

I disagree and don't think security sells well as insurance, no matter what kind of formulation you present. Fear mongering isn't unethical, if what you say is true.
The strong way to sell security is to build it into the product and not sell it separately AT ALL. It should be inherent in a product that otherwise offers useful advantages.
I don't want to buy cheap tires, then an insurance policy to replace them if and when they self destruct while driving. Even if the total cost is acceptable, the tires should be safe to begin with, period. I don't want separate insurance, I shouldn't need it. Who wants to buy special insurance in case a can of green beans is contaminated, in case this and in case that???
Just give me a communications or storage product that is designed and built well with inherent security that can't be beat, not the status quo today. That's all anyone knows - another access control, more encryption and key management junk, expensive appliances that scour every last living byte for violations of some ten ton policy someone had to create. Good grief.
Too bad investors don't know any better, either. That's all they'll do, too.

Larry • May 26, 2008 10:41 AM

"Vendors need to build security into the products and services that customers actually want."

Selling security by itself to CIOs is difficult for many reasons (often security complexities need to be explained, security needs its own ROI, etc.). But selling it inside a solution that "customers actually want", while diminishing the 'banner' of security, gets the system in place.

We have a secure delivery system that contains multiple levels of security. But the healthcare CIOs that are buying our products are buying solutions that (for example) provide mobile healthcare workforce data collection, which speeds collection of the information, provides an audit trail, and, yes, is secured by PKI, digital sigs, and SSL. As you say, Bruce, the security becomes a check-box item, like brakes in a car.

Mailman • May 26, 2008 11:32 AM

@s:
"The strong way to sell security is to build it into the product and not sell it separately AT ALL. It should be inherent in a product that otherwise offers useful advantages."

The problem remains whole: a company that integrates security features in its product might have to compete with a company that offers a similar product but without the security features, which can thus be sold at a lower price.

The CIO is faced with the same decision: buy the expensive product with security features or buy the cheap product without them.

Antimedia • May 26, 2008 1:48 PM

The only way building security into a product can be better than selling security separately is if the built-in security is forced upon the end-user. IOW, they aren't given a choice to enable or disable the security feature - it's enabled by default and cannot be disabled.

Otherwise the two "choices" you posit are simply different sides of the same coin.

I'd wager that building forced security into a product will make it less desirable and less likely to be sold. In that case, security is decreased not increased.

The way to sell security is to make it the possible loss as opposed to the certain loss (as described by prospect theory.) There are a number of ways to do this - the sure loss of fines from non-compliant audit findings - the sure loss of good will due to the inevitable breakin that occurs because you did not have security in place - the sure loss of money from a lawsuit because you didn't perform due diligence WRT security - etc., etc.

Selling "built-in" security versus "bolt on" security as a "solution" is the same snake-oil that's frequently used to sell security now. It's merely lipstick on a pig.

Lon • May 26, 2008 2:24 PM

While I don't really want to argue with something that I fundamentally agree with, I do find the presentation here a bit flawed. It seems to me that there are really two different effects involved, although they are related.

The one point is that utility theory makes the simplifying assumption that "personal value" is the same as "monetary value". All dollars may be the same, but clearly they have decreasing worth as one gets more of them. To change the parameters slightly, I would take a certain 10 million dollars over a 90% chance at 20 million dollars. Conversely, I would take a 90% chance of losing 20 million dollars over a certainty of losing 10 million dollars. There is no need for any complex psychological analysis or delving into my hunter-gatherer ancestry to see why. These are coldly rational decisions, or as much so as any human decisions can be. I am not rich. The utility of 10 million dollars (financial security) is obvious. An extra 10 million provides only marginal benefits. I'm not going to risk the large gain for small benefits. And the difference between being 10 million dollars in debt and 20 million dollars in debt is virtually nil.

So when traditional utility theory equates "value" with a simple number ("expected monetary value"), its simplifying assumption is plainly wrong in many cases. This goes a long way in explaining the "bird in the hand" and "live to fight another day" results. Using smaller amounts of money changes the result, of course. At some point, hopefully the right one, I will switch over to using the expected numeric return.

The second point is that when confronted with choices, people need to make value decisions. Since there is no simple way to do this, we use heuristics, are influenced by the framing of the question, and aren't always rational or even consistent. And there are marked biases that can be observed and that should be taken into account when making policy.

I think that making the distinction between these cases is important. To what degree are our security decisions "rational" but perhaps in disagreement with the "obvious" conclusions drawn from numbers (in which case the security vendors are trying to get us to act against our own best interests)? And to what degree are our decisions in error (in which case the vendors are just trying to re-frame the issues so that we see them in the "proper" light)? And how does your proposal fare compared to the status quo (or other proposals) as regards to "real" value?

Actually, I don't think that this fundamentally changes any of your conclusions (and I believe, although you never explicitly said so here, that your opinion is more like "this is what is happening, don't miss the boat" than "this is what we should do"). But making this distinction does change the analysis.

Dave Berry • May 26, 2008 2:40 PM

At least some of the safety and security features in your car and your house are required by law. It's worth remembering that regulation can work.

SteveJ • May 26, 2008 6:04 PM

"People are reluctant to buy insurance"

Quite right too.

The fact that the insurance company has to meet its overheads and make a profit means that (unless you know something they don't), insurance is *always* more expensive than its expected benefit to the customer.

So if people simply conform to von Neumann's "expected utility" hypothesis, they will not buy insurance. If they're more risk-seeking than that with respect to losses, as Prospect Theory predicts, then they won't even buy discounted insurance.

In practice, there are certain losses you simply can't afford (perhaps your house burning down, or the only wage-earner in a family dying), so it is very sensible to be risk-averse with respect to those losses, and insure them.

For losses which you can afford (for example property with value not exceeding your liquid assets), insurance is irrational unless you value "peace of mind" (which is another way of saying that you're in the 20% minority which is risk-averse with respect to loss). Over your lifetime you will suffer a number of small losses, and the book is that you'd save money by cancelling all your insurance and extended warranties on small items and sticking the money in a savings account which you use to pay for replacements if they're lost, damaged, stolen, or break.

None of the above necessarily applies to security measures in general, of course, since it's perfectly possible for them to be cheaper than their expected benefit. Insurance in particular, though, isn't.

blink4blog • May 26, 2008 10:11 PM

Very interesting and informative article. Personally I think the risk to gain something is the ultimate factor that most people will consider as the "need" to have something and give out some "risk" to trade. When there is no need, there is no supply, hence I believe there could be possibilities that security firm "creates" some "needs" so that their supply will go. Does this apply to 9/11 incident as well? Sacrifice some to take a country?

Frater Plotter • May 26, 2008 11:33 PM

> The strong way to sell security is to build it into the product and not sell it separately AT ALL.
> It should be inherent in a product that otherwise offers useful advantages.

One problem with this approach is that people who are used to paying extra for security may be suspicious of a system that does not require add-on security. Or they may be so used to paying the extra cost of add-on security that they do not recognize the savings that come with using a system that doesn't need it.

For instance consider computing platforms. On Windows one expects to pay extra for antivirus and antispyware software. On Linux or Mac, these are unneeded and uncommon because these threats are nearly unknown on the platform, or are defended against with more systemic security features. But a user who does not recognize this difference will fail to adjust their estimates of platform cost accordingly.

Davi Ottenheimer • May 27, 2008 2:44 AM

Er, I totally disagree. Aside from the fact that successful sales people often avoid trudging into a purely logical conversation (e.g. social and emotive connections are more effective) I know millions of people who do buy security separately.

How do you account for the success of helmets and armor, for example? They are not part of the bicycle, ski, snowboard, motorcycle, car, etc. and yet they sell quite well. Likewise, when you talk about a "tuner" or a "racer" crowd you find people buying things separately rather than as a package.

What you have identified is a preference among buyers (that includes many executives) for a "package" deal. Those who understand something the least want it bundled, as well as those who like to negotiate prices. Others have numerous reasons why they prefer to buy security separately, including more flexible options such as technical integration, style/customization...

Bacopa • May 27, 2008 10:08 AM

A professor told me that prospect theory can be used to make (or at least not lose) money at the track. You just have to bet on a number of races on the same day in a way that is counter how Prospect Theory makes people bet.

I won't say what that strategy is. I don't want y'all showing up at the track the same day I do.

Paul Harrison • May 27, 2008 5:33 PM

Money is not utility.

Evolution can also be understood in terms of utility.

The effects here can be explained by a sufficiently wobbly mapping between money and utility.

G. Vandenbranden • May 28, 2008 4:23 AM

"Security shouldn't be a separate policy for employees to follow but part of overall IT policy"

Leave out the other 'evil' word : IT.

"Security shouldn't be a separate policy for employees to follow but part of overall (corporate) policy"

There are three key elements in implementing proper security : Integration, integration and integration.

Why 3 times : Integrate with corporate culture, integrate with corporate processes and integrate with corporate (IT) Tools.

Yet another example of the much used PPT-triad.

Tom • May 29, 2008 9:22 AM

An interesting idea is to combine both. The security product that you buy leading to a reduction in the insurance you pay. This obviously tries to use the security to secure small guaranteed gains in another area. Both Car and Home insurers typically offer this. The (million dollar) question is, how to leverage the model in computer security?

Amey Palyekar • May 29, 2008 10:10 AM

Whatever be it, yes or no, the moral is rightly accepted.....
Security should be part of a whole product or policies and should not be delivered as a sole entity, so as to gain wide acceptance early and rightly.

Randy • May 30, 2008 11:47 AM

> The strong way to sell security is to build it into the product and not sell it separately AT ALL.

The real issue is how to hook a product into the other products to deliver the service, and how that is secured end-to-end. Product A - High Security, product B - High Security, exchange data and this is where it gets interesting, this is where people make decisions that take a high secure product and expose the data via insecure mechanisms.

It is common that we need multiple products to deliver a service. The security posture of the service is measured by the weakest link in the service. I can buy a Fort Knox product and deliver data to it via a Geo Metro and any decent adversary will attack the Metro and gain what they need.

Security can and should be integrated into products. But security is measured at the level of the systems that interact to deliver a service. So demand all you can from your vendors, but be prepared to understand the threats and vulnerabilities to design a system that meets the security requirements.

Steve • May 31, 2008 6:27 PM

Although the application of prospect theory to the security purchasing decision is interesting, I think that a lot of the issues can be explained more effectively without appealing to a particular model of decision making.

Several of the issues have been mentioned in other comments, but a very important one has gone unrecognized. What security people are rarely able to quantify, but gives the exec hives, is that there are potentially large, ongoing opportunity costs in this model. That is, every change to the well-designed system requires a thorough security audit, which causes delays in implementation and possibly missing a market window. The incentive to say, "Let me just get this revenue-enhancing feature in, then we talk about security" is irresistible. Not to mention that securing a whole existing corporate IT infrastructure is a dauntingly large task when you realize that the client will likely demand changes with security implications every time you think you've reached a milestone. Switching costs for existing organizations are huge.

Another issue is a lack of powerful advocates. Because security is an emergent property of a system, managers at every level below the one responsible for the whole system have an incentive to achieve the minimum level of security that allows them to say "I'm not the weak link", then go on to concentrate effort on things that give plusses in their performance reviews. On the other hand, at the level where security does emerge as an issue where returns are more or less proportionate to increased effort, the responsible executive is less likely to have the security expertise, and more likely to have a lot of other priorities to distract them from ongoing maintenance of security. Organizationally, investment in system security is likely to have few strong advocates internally. This means that the outside salesman is going to have a very hard sell.

Of course, built-in security is part of the solution to this complex of problems, but it seems to me that it's a lot easier said than done in today's environment. Take Microsoft Windows as the classic example: Microsoft has control over a much larger scope of the whole system than any other vendor, yet has failed signally at delivering built-in security. Instead we have a large industry aimed specifically at securing Windows installations.

infosec • June 1, 2008 2:13 AM

In case your car has no protection from a burglary, you can lose it. The risk is real and the loss is visual and obvious.

However, if your computer has no security in place, you can be owned, but it is not a visual threat, but rather "virtual".

To sell security to people with no technical background, there should be someone to demonstrate and make the potential risks obvious and "visible".

On a country level, local government can initiate "Secure network infrastructure" project involving ISPs to (1) detect and block infected computers automatically, at the same time with (2) providing applicable means to secure computers to eliminate possibility of (1) ever happening. Until now, end users are trying to cope with security issues quite alone, with no help of any kind.

Ade McCormack • June 1, 2008 8:51 AM

A very interesting piece. Selling security solutions is a little like selling fridge lights in that the user value doesn't really come from the item purchased. Thus those selling infrastructure, whether it be security software or router hardware need to bundle it up in something that is intrinsically useful to the buyer. Why security firms bother with marketing and direct sales is a mystery to me. They need to focus their attention on channel relationships with value adding resellers.

But security bundled into a technology solution is not enough. Security is largely about users and not technology. The value adding vendors need to offer a security framework that embraces policy if they are truly interested in meeting the needs of the customer. Not easy to deliver, but not impossible.

Andy D • June 2, 2008 6:22 AM

->And two, a sure loss is worse than a chance at a greater loss, or "Run away and live to fight another day."

It seems to me that these are opposites. Running away is the sure loss, staying and fighting is the chance of a greater loss i.e. getting eaten/killed etc.

Randy • June 9, 2008 6:32 PM

The question we need to ask ourselves is... Why do Fortune 500 companies invest in cyber-security?

"security + efficiency = competitiveness"

How competitive does a business choose to be? As hard as this is for small businesses to "chew and swallow" the fact remains that every business has a unique set of business rules that dictate the kind and amount of technology that best suits each business. Security concerns are a "financial risk" issue. Time, money, resources, etc.

There is simply no way feasible that "adequate security" can be built inside each information technology product produced. Safety, yes ... security, no.

Neil Weicher • June 15, 2008 8:13 AM

Like others in the industry, we've been contemplating this for years. The problem with the vendors incorporating security into their products is that it takes an enormous amount of time for them to do that. Feature changes (as opposed to "fixes") come slowly. Witness even the amount of time it takes to convince auto manufacturers to include new safety features.

Should homebuilders include insurance when they build and sell a home? Even if they did, they would not construct their own policy: they would include a selection of different options provided by an insurance agent.

The current situation may not be the optimal. However, expecting the vendors to take care of it has been talked about - unsuccessfully - for so many years, that there must be something fundamentally unworkable about it.

DWreck • June 16, 2008 9:37 AM

The only "sell" for Information Security is compliance. It's as simple as that. Companies will only do what they HAVE to for IT security, whether or not security is built-in to all products and processes. Also, you don't have easy RIF targets if you don't have a separate IT Security team.

Simon S • June 29, 2008 1:15 AM

I'm an anaesthetic doctor in the UK and see this Prospect Theory frequently in action in management.

Management are often happy to have reduced emergency teams because they feel the risk of patient death or permanent harm is small enough to be acceptable in managing their budgets.

Although the financial cost would be enormous, it's easier to balance the books by ignoring (never mind the human cost).

Anaesthesiologists though are trained to buck this trend - we worry about the rarest of complications and base our gassing around it. Of course, management would rather we didn't as it's very expensive.

Mmmm... cracking article.

mario • August 6, 2008 6:42 AM

@Randy + @s: The strong way to sell security is to build it into the product and not sell it separately AT ALL.


I feel that this comment addresses 2 opposite groups, vendor and buyer, with the same argument: Vendors should make their products just REALLY GOOD. But that claim is also like shooting into the middle between two targets - in order to miss everyone ... And also even if I find that claim right and agree, I wonder why only "s" considered: To build security - standalone or into a product doesn't matter - you need EXTRA manpower, extra time and effort to make your product secure. Security creates more maintenance effort for your customers as well .... Customers buy features, functions and "utilities", they tend to avoid: extra cost and effort.

I believe there are two problems resulting from that: Security is not a feature, it is an effort, that's a problem. And if an expert claims that this effort is vital, it does not necessarily convince the non-experts. Or maybe it convinces them a little, ... but how much? The decision on _how_ vital security really is in a particular case will be made based on monetary units. It will not be based on the degree of technical elegance which only experts can see. But security seems to me pretty much a domain of experts, whereas the non-experts are the ones that don't want to take effort for their protection. Different from a regular insurance, computer security requires technical expertise to be seen and it is not intuitive! That's the second problem.

But security is not only about software development, I see it much more about user education and configuring your boxes properly instead of "plug & play". The plain existence of a feature first of all increases the price. If security is blindly included and sold to people without security awareness, this remains useless and expensive!! You won't sell security or a secured product to people without security awareness. You have to start from here: Create awareness first.

Expecting vendors to put extra effort and sell the result for the same price is not realistic, increasing the price accordingly for addons that were not ordered creates a much more visible risk on the other side of the table: Vendors will lose customers or profit! Making security optional but more expensive seems the only way, but vendors will have to reason the higher price.

If you expect to get the same feature/box, but with security built in for free, then you are just not accepting that it is still an add on to pure today's survival (like an insurance) and that you will always have to pay for the extras ... Humans have that option of buying an insurance, Bruce's lions don't, so our life is still calculable and good (how calculable it is: please mail me any reasonable equation!!!). But claiming that "security has to be built-in like every car comes with brakes" is just not what ambitious cost-control freaks want to hear while driving full speed to profit ... I am not talking necessarily about a user who buys one (un)secured product in a store, I talk about corporate security now and where security becomes a question with very many different possible answers. Try to convince a company not to earn more money, but to buy an insurance instead!
Unfortunately, clients still see security as an extra, not as a "production feature" itself and not as a needed company to every new feature they implement .... they are not "aware" and people plug in their wifi with WEP keys, they think their wife's name is a brilliant password because easy to remember, ... or in corporate scale: They think a fence of expensive firewalls and corresponding O&M training for some staff will save them from all evil because that's what they understood from the Check Point marketing brochure ... I have seen really big networks, where thousands were spent in firewall security while someone from another department plugs another cable just bypassing the FWs and rather use "direct connection because that's easier" .... security as a label on a box only, thousands of dollars burned by one poor fool who just didn't (want to) know better. ... Without aware and educated users, you can't make it work. Creating this awareness takes a lot of time and patience.

In my opinion: To sell security products or service quickly and without a lot of educational prework, the approach is a really radical confrontation with worst case scenarios. While you can imagine what a flood or forest fire does to your house (and you might still build another one, with or without insurance), you better do not try to imagine what is the worst that can happen once a real shark has control over your network! What if that network is not just for company email and supporting your products, but if the network and the services behind it actually ARE your product: TelCo operators like Vodafone or TMO, ISPs ... THAT worst-case scenario is left to people with sometimes very weird motivation and it might not stop with what YOU thought is worst possible! Imagine: What if a guy gets into the charging system of a big TelCo like AT&T, ... and he doesn't care for minor issues like phone bills or 500$ fraud. Much more, he might post the billing data or subscribers' connection logs on a server in e.g. Caucasia or Kazakhstan? He might find out that certain well known people visit - let's say "unethical/unsober" - internet sites and highlight that extra? He might blackmail those people or even the TelCo? Reputational damage due to incidents and/or outages, legal problems for not protecting other people's data sufficiently, direct monetary loss by losing subscribers or service availability, ... you've got the full range of potential damages in that TelCo operator environment. Not just weird ... it is suicidal tendency to not try to secure the system to the max! Users and shareholders have to understand the extra expenses, please. Security and related extra efforts/cost are just like that road-construction in front of the traffic jam every morning: Necessary evil, sorry for inconvenience! If no construction => tomorrow no more road! Better slow than trapped and stuck! People may be sicker and more nasty than we imagine, to keep them off, you gotta pay the bodyguard.
An approach to "scare people into security" is not how I feel about it in the heart, but that - in my experience - is the best way to sell an extra that does not directly fit into the ROI equation ... Just show that the equation shows damage rather than win under certain (avoidable) conditions! Choosing the right wording in a sales talk remains difficult, since you try to make them imagine their worst nightmare.

That is my way, and I admit it is anything but nice and elegant. A good and elegant way would be: Speak their language and put the security parameter into their ROI equation, educate and teach them, make them understand the risk and accept the logical consequence (i.e. their shareholders would act unpleased if it gets clear there is no insurance!). Security from a technical point of view is understandable for "us" as engineers, but security risk analysis and an understandable quantification of security risks to which non-tech managers love to listen is more complicated... I haven't seen anything until today that I understood as "intuitively good" regarding computer security risk analysis.

It surely does not need to be so detailed that it says e.g. "MD5 = risk 100k$, SHA = risk 80k$, no authentication, risk = 820k$". But as a deep-in-the-heart technical guy, I would love to see something more than "likely event of high damage potential" vs. "unlikely event of extremely high damage potential" ... How to reasonably explain what can happen without physics and a good model to estimate risks?
Maybe I missed the right articles, but if someone has info about really reasonable security analysis methods, I would be happy to hear where to get that ...

B.t.w: I have not a single insurance besides health and car ... but my laptop shows "shields up" respectable! It's a topic of awareness ... but for what.

Jerome Bailen • February 23, 2010 2:09 PM

I have CA security and McAfee security on my home laptop. I receive an occasional pop-up (a small white rectangle) that merely says: "your computer has no security". Nothing else, e.g. website address, etc.
Cox cable rep told me it sounds like a trojan pop-up. What can I do?
Thank you for your time in this matter.

Jerome Bailen • February 23, 2010 2:12 PM

Sorry, regarding my above pop-up security issue: contact me at jeromebailen@hotmail.com
Thank you

Brian • February 26, 2011 12:59 AM

Selling fear is not the right approach. Why guilt someone into making a decision they wouldn't make otherwise? Distance yourself from these people. Surround yourself with leaders who understand the need to build security in.

mahendra • August 8, 2011 2:38 PM

The article was awesome and it helped me a lot in understanding the phenomenon of security selling, and the examples quoted here were great, and I am sure that everyone should apply these concepts in his selling skills, whether it's an insurance product or a security system. I hope this will help me a lot in my interview.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..