The main reason we install security software, like anti-virus products, is that we're afraid of the repercussions if we don't. It's not entirely exciting, and it's more of a chore than a rewarding experience, but could this change if we made security sexy?
Security is boring. Sure, the topic seems exciting, with enigma machines, digital espionage and all sorts of spy vs. spy imagery springing to mind, but actually implementing security is a hellish job. It gets about as sexy as comparing how many bits long your encryption key is with the other guys', or discussing how you can represent encryption keys for multiple users as a series of coefficients in a polynomial equation. Yuck.
The average user doesn't necessarily know why two-factor authentication is important, or why installing anti-virus applications is a simple first step in defending themselves. The security industry knows this, and, realising there's a lack of education, attempts to educate in its own way. More often than not, that's through the age-old methodology of employing fear, uncertainty and doubt.
The fear is from the rising level of malware, viruses, exploits and vulnerabilities; the uncertainty from hacktivists like Anonymous and cybercriminals, like the Koobface gang, who are unpredictable and opportunistic. The doubt is from within the industry, with experts questioning whether users really are secure.
That's not to say that these threats aren't real, and that experts shouldn't continue to question each other and effectively keep themselves in check. However, such tactics, while excellent for selling security products, result in the end user being beaten into a corner and overwhelmed by the scary world of the internet.
Do they educate the user? Sure, for the short term, but what happens when, in a few months, the threats change? Can we really expect users to stay on top of the changing, evolving, impossibly hard-to-keep-up-with issues in information security? Do we really expect that they will stay fearful of these threats, having learned about them, and actually do something about it?
Fear, uncertainty and doubt don't motivate a user to maintain their security, and in some cases can create a society of scared individuals who won't adopt technology out of fear that they will be hacked. Educating the user is certainly important, but perhaps there's another way, rather than beating it into them.
Positive reinforcement trumps negative reinforcement every time; however, security is all about taking measures so something bad doesn't happen. Is it possible to make implementing security a positive thing? Could we make security sexy?
Thankfully, the industry might be making a move that way. Anti-virus vendors have been moving to take advantage of users' needs to have multiple licences for their multitude of devices and have developed products, like Kaspersky One and Norton One, launched today, which provide the ability to manage just about everything under one account. Doing so is certainly helpful for users, since they don't have to keep track of several licences anymore, but the biggest benefit might come from a shift from subscription-based relationships to membership-based relationships.
Looking at it from the perspective of a car-enthusiast club, a subscription-based relationship is the equivalent of getting the monthly issue of their magazine. A membership-based relationship, however, would mean that you get the magazine, plus benefits like discounts at supporting partners, invitations to regular, subsidised events, access to technical knowledge and perhaps even a certain form of status.
Anti-virus vendors will certainly play the customer-support card as a benefit to membership, but the question is whether they will go that extra step to change their brands and become somewhat desirable in terms of benefits outside of the security sphere. Mobile carriers have been partnering with vendors to provide anti-virus products at a discounted rate, but what's to stop the situation from being turned around? Why couldn't a Kaspersky, McAfee or Symantec customer walk into a store, have their membership and status recognised and benefit from a discount on a mobile phone?
Why can't Panda Security or Kaspersky use their sponsorship with their respective Formula 1 teams to give their gold-class or elite members — those who may have held subscriptions with them for a number of years — access to premium seats or additional perks?
The idea might sound like loyalty programs for airlines, but security companies can use the same concept to their advantage. At the moment, the way that the industry is selling security software is like airlines trying to convince you to fly because you risk sinking in a boat or because cars catch fire more often. We're beginning to approach the point where security software, almost regardless of brand, is accepted as being necessary, just as everyone understands that if you want to get from Sydney to Tokyo, almost any airline will do, so long as it's on a reasonable plane.
We could continue on this path of beating users into submission out of fear — we'll eventually all need security software anyway — but that doesn't make security any more interesting or worthwhile. If we want to get people on board with a fairly boring task, such as installing security software or sitting in a flying tin can for several thousand miles, the answer is to make it sexy. Because, after all, sex sells.