How To Sell Security
July 25, 2008
Bruce Schneier recently posted an article on CIO.com entitled “How to Sell Security.” In it, Bruce uses Prospect Theory to assert that the most effective way to sell security is through fear, or, more ethically, indirectly bundled as part of more generic offerings. Bruce, as always, makes solid points, but I think he overlooks a key nuance — the optimal choice is to take a more *calculated* approach to risk, rather than simply give in to our natural cognitive bias toward the extremes of risk aversion and risk acceptance.
Of course, the profession of information security has had numerous flirtations with risk quantification, and none have achieved critical mass to date (possibly with good reason). Nevertheless, it seems obvious from Bruce’s essay that unless we adopt a more methodical, quantitative approach to risk, we will be stuck trying to convince our various constituencies to choose between lesser evils (to paraphrase Bruce, a small sure loss today — the cost of a security product or service — versus an ill-defined and likely much larger loss in the future).
I think there’s a brighter future in continuing to move information risk quantification into real-world practice, rather than hoping customers perceive that security “sucks less” than the alternative. I hope to share some thoughts on a more methodical, quantitative program for information security in this space on an ongoing basis, and I hope you come back frequently.