An insightful essay from Bruce Schneier: How to Sell Security.
He discusses people's tendency to evaluate risk subjectively and to take greater chances with losses:
When faced with a gain, about 85 percent of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70 percent chose the risky larger loss over the sure smaller loss.
This is from an experiment demonstrating Prospect Theory, which interestingly predicts that people will tend to take greater risks for higher-probability losses.
Bruce talks about how this leads to a problem in the selling of security features, where people are inclined, according to prospect theory, to be increasingly risk-taking as the security threat increases. One option, which is favored in certain areas of the industry, is to fuel fear, although this approach has obvious ethical issues and, I think, ultimately damages credibility and becomes effectively counterproductive. Rather:
The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they’re not sold separately. Same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want.