Schneier points out the difference between “greed sales” and “fear sales”,

PaperJam
As well as being Chief Security Technology Officer at BT, Bruce Schneier is also the author of several books on the topics of security and cryptography with a particular, if not exclusive, focus on the IT industry, which has led The Economist to describe him as a "security guru". And when discussing security he is refreshingly candid and forthright, not dissimilar in tone to Freakonomics author Steven Levitt, while sharing with Levitt the ability to view his chosen field from an angle less ordinary. Bruce Schneier (Photo: Julien Becker)

"Security is hard to sell for two reasons, economic and psychological," he says. The industry is not necessarily logical: it is by nature complex, and as a consequence easy to get wrong. The average buyer doesn't necessarily understand the products on offer, while the industry player often cannot explain them adequately, meaning that "new companies with good ideas often end up floundering because they cannot communicate those ideas." Psychologically, security is also complicated: Schneier points out the difference between "greed sales" and "fear sales", where the former is a simple question of wanting something, while the latter is being afraid of the consequences of not having that thing.

He highlights the concepts of loss aversion and prospect theory and applies them to security, whereby people are much more amenable to avoiding losses than acquiring gains, and are risk-averse for gains, but risk-seeking for losses. As an example, when asked if they would prefer a guaranteed gain of 500 euros or to toss a coin for a gain of 1,000, the vast majority will choose the former. A similar choice, slightly adjusted, shows an interesting contrast regarding risk: faced with a straight loss of 500 euros or a coin toss for the loss of 1,000, people will nearly always choose the latter. This is where the problem for "selling" IT security lies. It is sold through fear of loss, and yet some companies attempt to turn it into a greed sale. As Schneier states, this is somewhat nonsensical: security keeps things as they are if it works properly. It brings no actual value in itself, and thus advertising campaigns portraying a return on investment by a security product are a complete fiction.

Schneier believes that "IT security takes advantage of a rare after-market for making things better." Usually, a consumer will buy a product because it is already "good", yet the IT industry seems fundamentally flawed in that the applications we buy are ostensibly not good. If they were, we wouldn't need the additional security, it would be a standard feature like, as Schneier says "brakes or airbags on a car. You don't buy a car without brakes and then get told you need to fit them afterwards." So why is security in IT like this, when it is not in other industries? Schneier does not blame the IT industry, stating that "this is an effect of how new the IT industry is: it has developed very quickly, and security was ignored in the beginning."

"Computing is becoming infrastructure. It is something taken for granted in the work place, like a desk or electricity," says Schneier. So how can the problem of security sales be addressed? Schneier believes it should not be sold as a separate entity, but included in an overall computing package. He once again brings up the example of cars, which are sold with airbags and brakes included, or houses which are sold with lockable doors. These features are expected on those products, and it should be the same with IT products. Furthermore, it seems the IT industry as a whole is coming around to this way of thinking: "now we are seeing non-security companies buying or taking over security companies. These companies are recognising that security needs to be part of what they do. Users do not necessarily have to understand what the security features do, but at the same time they like to know they are there. Thus, security should become embedded into a greed sell."

Please read full at PaperJam