June 15, 2008

Selling Security using Prospect Theory. Or not.

Bruce Schneier writes a good essay on Prospect Theory and how this effects selling of security. The basic story is that people accept a risk-free smaller gain, but gamble with a risky larger loss; our decisions are not symmetric, and do not follow "utility" or "expected value" lines. Given that we gamble big with losses, he closes the essay with:

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss -- the cost of the security product -- and a large risky loss: for example, the results of an attack on one's network. Of course there's a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that. Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally.

Though effective, fear mongering is not very ethical. The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. Same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Security shouldn't be a separate policy for employees to follow but part of overall IT policy.

Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

Using Prospect Theory here is interesting, and finance theory also has something similar to say: companies close to big losses are encouraged to gamble more.

It is also more evidence that the sellers of security do not have an advantage in selling security: buyers do not believe the messages, and only buy due to external issues. Establishing that will knock-down the 'lemons' thesis that security is a market with a seller's advantage, and suggest that it is a market in silver bullets, with no advantage.

It is also more evidence in a trend I noticed a while back but have not adequately formalised (ftr, Bruce Schneier may have spotted it first from Counterpane's recent history). What happens when the security industry collapses and is no longer an industry in its own right? Who then does security? The rest of industry, that's who: security moves back from being a specialisation captured by the enlightened few to a general skill that all need. It's your job, do it.

But, there be dragons. As is well known for a long time: if buyers do not value the security, then general purpose suppliers do not supply it. Supplying something not wanted doesn't help sales, of course, and this is what Microsoft did throughout the 80s and 90s, until the famous memo a handful of years back. So even though the security pendulum is swinging away from the dysfunctional specialist priesthood back to the generalist skilled area, we already know that we have a problem with the demand side of the equation, and that side is also dysfunctional.

Much food for thought.

Posted by iang at June 15, 2008 11:18 AM | TrackBack

how many times has the refrain been repeated about deficiency with "after market" solutions ... that it has to be built in ... not try to affix it on afterwards (aka automobile safety analogy ... things like seat belts, safety glass, air bags, bumpers, crash impact zone, etc).

however, based on the automobile analogy, there may be some evidence that it only happens with gov. mandates.

the safety/security engineers don't disappear with built in security ... but they tend to disappear from public limelight.

misc. old posts that includes raising the aftermarket seat belt analogy
http://www.garlic.com/~lynn/aadsm14.htm#32 An attack on paypal
http://www.garlic.com/~lynn/aadsm16.htm#15 Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)
http://www.garlic.com/~lynn/aadsm17.htm#40 The future of security
http://www.garlic.com/~lynn/aadsm17.htm#56 Question on the state of the security industry
http://www.garlic.com/~lynn/aadsm19.htm#10 Security as a "Consumer Choice" model or as a sales (SANS) model?
http://www.garlic.com/~lynn/aadsm21.htm#16 PKI too confusing to prevent phishing, part 28
http://www.garlic.com/~lynn/aadsm22.htm#28 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm26.htm#64 Dr Geer goes to Washington

Posted by: Lynn Wheeler at June 15, 2008 04:16 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.