From the July/August 2008 issue
Chasing fear
The average expenditure on information security is still on the rise, although the rate of increase is slowing, according to the 2008 BERR information security breaches survey.
Despite very public high-profile information security failures regularly making headlines, large companies are not allocating any more of their IT budgets to security.
I recently met with Proofpoint MD, David Stanley, who maintains that despite various reports to the contrary, he’s yet to meet a client whose infosec budget has not been reduced.
Information security media coverage is at its highest, and sales teams within the industry are lapping up the hype, and using publicised breaches as selling tools. They verbally re-invent the product they’re selling to suit the latest headline.
The scare-mongering tactic works; it’s unethical, but it works because it’s stoking fear – and fear often overrides human ability to make a logical decision; we’re overcome by the need to obliterate that fear, and it’s this vulnerability that keeps many security and insurance companies in business.
At the same time, fear is also what a CSO may use to convince senior management to invest in security, or what IT teams may use to convince employees to read and comply with the company’s information security policy.
Let’s face it, no matter how attractive the packaging, no matter how well tested and proven the infosec product, nobody actively wants to spend money on security.
We want to buy something we want, not a defence against something we want to avoid.
Drawing on the psychological study he refers to as ‘Prospect theory’ (http://tinyurl.com/6kyz56), Bruce Schneier concludes that humans tend to be risk-averse when it comes to gain, and risk-seeking when it comes to loss. If this is an accurate observation, it might explain why information security is such a hard sell.
Investing in a security product is a small, but certain, loss. A security breach is a large, but perhaps unlikely, loss. It would seem, from the relentless news of security breaches that many organisations, true to Schneier’s word, are taking the risk and opting for the uncertain big loss, over the small but guaranteed loss.
The problem with this theory is that it assumes that investing in a security product is a ‘small but certain loss’, which isn’t necessarily the case. Despite ‘return on investment’ being an over-used marketing phrase, the tangible meaning is important; if a security product prevents an attack or breach from happening, thus saving the organisation (potentially) millions, it can no longer be deemed a loss.
The BERR survey reports that reputation is one of the most important drivers of infosec expenditure, with energy, not-for-profit and professional services sectors most concerned about reputation, and the government, ironically and evidently, least concerned.
Perhaps the incident that saw ‘top secret’ Iraq and al-Qaeda documents left on a train by a civil servant might make government re-think its priorities. I won’t be holding my breath.
The public’s understanding of the need for information security is certainly deepening, due to a widespread fear that ‘it might be my data that’s lost’. And maybe that’s the secret to selling security; making it mean something to the person you’re selling to.
Security is fundamentally about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. Understanding the psychology behind that bias, however, gives us a better chance of working with it rather than against it.
Of course, even if investments are made in technology, and all the right defences are put into place, this doesn’t completely obliterate the risks. Human error, for example, can undo all the good in one simple act of stupidity.
Information security may be a hard sell, but it’s a necessity for businesses and, increasingly, for individuals. The need for security will never disappear – and, sad though that may be, it’s what keeps us in our jobs.
Take care,
Eleanor Dallaway
Editor