How to Sell Security

We don’t invest in information security because we’re predisposed to take the risk that nothing bad will happen. So if you want to sell security to senior management, turn it into something they’ll actually want to buy.

This experiment, repeated again and again by many researchers, across ages, genders, cultures and even species, yielded the same result. Directly contradicting the traditional idea of “economic man”, Prospect Theory recognises that people have subjective values for gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or “A bird in the hand is worth two in the bush”. And two, a sure loss is worse than a chance at a greater loss, or “Run away and live to fight another day”. Of course, these are not rigid rules. Only a fool would take a sure $100 over a 50 per cent chance at $1,000,000. But all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses.

This cognitive bias is so powerful that it can lead to logically inconsistent results. Google the “Asian Disease Experiment” for an almost surreal example. Describing the same policy choice in different ways — either as “200 lives saved out of 600” or “400 lives lost out of 600” — yields wildly different risk reactions.

Evolutionarily, the bias makes sense. It’s a better survival strategy to accept small gains rather than risk them for larger ones, and to risk larger losses rather than accept smaller losses. Lions, for example, chase young or wounded wildebeests because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there’s a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow. Similarly, it is better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor’s edge between starvation and reproduction, any loss of food — whether small or large — can be equally bad. Because both can result in death, the best option is to risk everything for the chance at no loss at all.

How to sell security

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It’s a choice between a small sure loss — the cost of the security product — and a large risky loss: for example, the results of an attack on one’s network. Of course there’s a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won’t happen than suffer the sure loss that comes from purchasing the security product.

Security sellers know this, even if they don’t understand why, and are continually trying to frame their products in positive results. That’s why you see slogans with the basic message: “We take care of security so you can focus on your business,” or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.
