Why is fear-mongering such a popular security sales tactic?

Summary: In one of his best columns ever, Bruce Schneier explains why some computer security companies can't help selling fear. The way we as humans respond to potential threats provides a powerful economic incentive for a security vendor to find something, anything, and then to make some noise about what it found. Not so much that you'll be annoyed, but just enough to let you know they're on the job. So how do you strike the right balance between a healthy understanding of the risks of using the Internet and bug-eyed paranoia? How many layers of security do you need?

In this month's CIO magazine, Bruce Schneier publishes one of his best columns ever. "How to Sell Security" starts with a common-sense argument about the psychological dynamics of why and how we as humans respond to sales pitches. It ends with this astute observation about why some computer security companies can't help selling fear:

Security sellers ... are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that. Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally.

(Don't just settle for that small excerpt. Go read the whole thing.)

I've written about this before (see The security software industry wants you to be afraid, from February 2005), and the observation is still true. One thing Schneier doesn't mention in this essay is that this psychological reality provides a powerful economic incentive for a security vendor to find something, anything, and then to make some noise about what it found. Not so much that you'll be annoyed, but just enough to let you know they're on the job. Paradoxically, as I observed in the real-world example that inspired that earlier column, detecting a false positive can be economically more valuable than correctly ignoring it:

Joe feels good because the software told him it had protected him, even though the likelihood that this was an actual attack is microscopic. The lesson that Joe is unwittingly sending to the vendors in question is, “Give me more false positives, because the more times you tell me you’ve protected me from something, the more I’ll feel like I’ve gotten my money’s worth from your software.” If he had a better security program, it would have realized that this outgoing connection was just fine and would not have given him any warning at all.

That is just wrong. On a healthy computer with multiple layers of security, most threats should be blocked or neutralized before the user ever sees them. Getting lots of warnings is a sign that one of those layers isn’t working as well as it should. But that’s exactly the opposite of what motivates developers of security software today.

The recent research report released by Australian security vendor PC Tools, which I wrote about last week in Puncturing the myth of the invulnerable OS, is a perfect example of that technique taken to an extreme. Taken at face value, the research data led to a reasonable and fairly obvious conclusion: Windows Vista's security is much-improved over its predecessors, but it does not offer protection from every avenue of attack over a network. For that, you need a multi-layered security strategy that includes user training and accurate, up-to-date antivirus software that works as unobtrusively as possible.

The trouble, as Schneier notes, is that we humans find it difficult to buy based on that perfectly rational approach to security. Instead, we fall for the fear: "ZOMG, viruses! Trojan horses! Cookies!" That response is what allows security software companies to expand their product lines with additional products (for an additional cost, of course), and why I get e-mail and comments from people proudly listing the five separate security products they have running at all times. A couple of anti-spyware programs, antivirus software, a firewall, and invariably one extra layer of voodoo software.

That seems crazy to me. There's a big difference between a healthy understanding of the risks of using the Internet and bug-eyed paranoia. Going overboard on security seems as unwise as going out completely unprotected. Finding the right balance takes a little extra work, as Schneier notes: "[Y]ou can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it." Exactly.

So, what are the layers in your security strategy?

Talkback

44 comments
  • And then they complain that Vista is slow

    [i]why I get e-mail and comments from people proudly listing the five separate security products they have running at all times. A couple of anti-spyware programs, antivirus software, a firewall, and invariably one extra layer of voodoo software.[/i]

    Gee, I wonder why an OS would be slow when every disk access and memory write has to go through 5 applications that are trying to match the bits being written to a database of hundreds of thousands of virus signatures!!

    [i]So, what are the layers in your security strategy?[/i]

    1. Firewall or, even better, a hardware NAT router. $50 and you probably need one [b]anyway[/b] if you have any wireless devices.

    2. Don't run as Administrator. I've been running XP as a restricted rights user since day 1 and 99% of all malware was coded to expect administrator rights. Without those rights, the malware doesn't fall back to any other method, it simply dies. In a funny way, I actually expect Vista to make things a little worse since malware authors will now have to find ways of infecting machines without assuming administrator rights. This makes me less safe than I was before Vista came out. :(

    3. Use some form of browser protection. I happen to like Firefox + NoScript but I believe that IE7 with Protected Mode is actually a bit safer.

    4. Last and certainly not least, use some common sense. I don't pirate software with shady cracks from shady places and I don't install attached screen savers even though my niece's email swears the dancing elves look really cool.

    Will it stop someone who wants to break into [b]my[/b] computer? Probably not but then again, no one wants to break into [b]my[/b] computer, they want to spray the room with machine gun fire and hit people who are stupid enough to stand in the way. People who get hit with viruses on Windows remind me of the Monty Python skit: how not to be seen. The first rule of not being seen is not to stand up when asked to!
    NonZealot
    • No dancing bears?

      [i]I don't pirate software with shady cracks from shady places and I don't install attached screen savers even though my niece's email swears the dancing elves look really cool. [/i]

      Ok, no dancing bears I can buy into, possibly. Same with the elves. But no Britney interactive flash? No Kournikova peek-a-boos? No VirtuaGirls deluxe screensavers? Come on now, you're pushing credulity past its breaking point!

      Perhaps you'd be interested in this really sweet HotBabes.exe screensaver I recently acquired, care of a very special friend. Of course after running it my box eventually froze up, but what the heck. It was good while it lasted! :)

      I guess I wasn't the only thing that overheated (RIP poor beast). :(
      klumper
    • This advice offers more in security than any form of...

      ...anti-malware protection. I've done these exact things since day one and have not had a single piece of malware infect my systems. Unfortunately, before Vista, to run as a non-privileged user required more technical knowledge than I expected the "average" user to have, so I can't blame most people for not using a limited privilege account prior to Vista.
      ye
    • Agreed, regardless of OS

      On firewalls make sure you at least look up what ports are for and close those you aren't using.

      For example unless you're running a web server you have no need to have ports 80 or 8080 open so have them drop packets silently. Same goes for FTP. In fact, by default, close all ports then open them as you need them. This way port scans can't find you.

      Update frequently and often. Should your vendor, MS or a Linux distro or Apple, say they have updates available, install the damned things. Yes, MS has a dodgy record with its updates, but better safe than sorry, and you can always roll back if you must.

      (I find it most annoying that Vista often demands that I stop everything to do that and reboot after it's done which, in my mind, isn't a good way of encouraging that updates get installed.)

      If your wireless router has a firewall, and they all do, lock them down as well.

      There ya go.

      Even then, you're never 100% safe.

      ttfn

      John
      TtfnJohn
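A default-deny inbound ruleset of the kind this comment describes (close everything, then open only what you run), as an added example that is not the commenter's own. It assumes nftables syntax and a Linux host; the one allowed port (22) is a placeholder for whatever service the machine actually offers. Unsolicited inbound packets are dropped rather than rejected, which is the "drop silently" behaviour the comment asks for.

```shell
#!/bin/sh
# Added example, not from the comment or the article: a default-deny inbound
# nftables ruleset. Everything not explicitly listed is dropped silently.
# Placeholder assumption: port 22 is the only service this host runs.

gen_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Sanity check that can run without root or a kernel: every filter chain
# carries a policy, and nothing but the listed port is explicitly accepted.
# Returns 0 when the ruleset is default-deny inbound, 1 otherwise.
check_default_deny() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q 'hook input.*policy drop' || return 1
    printf '%s\n' "$rules" | grep -q 'hook forward.*policy drop' || return 1
    # Count accept rules that name a port; expect exactly one (the placeholder).
    n=$(printf '%s\n' "$rules" | grep -c 'dport .* accept')
    [ "$n" -eq 1 ] || return 1
    return 0
}

# Write the ruleset to a file so it can be reviewed, then loaded with
# `nft -f rules.nft` by an administrator (loading is not done here).
write_ruleset() {
    gen_ruleset > "${1:-rules.nft}"
}

check_default_deny && echo "ruleset is default-deny inbound"
```

To use it, review the generated file, then load it as root with `nft -f rules.nft`; adding a service means adding one `tcp dport N accept` line to the input chain, not changing the policy.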
  • Read up on Marketing 101

    Fear is the number one method of selling anything. Sex is a close second.
    toadlife
  • Voodoo for the masses

    [i]I get e-mail and comments from people proudly listing the five separate security products they have running at all times. A couple of anti-spyware programs, antivirus software, a firewall, and invariably one extra layer of voodoo software.[/i]

    Not sure if the layered strategy of the paranoid is all that much off the mark for most home users and SOHOs, assuming it's deployed intelligently and without excessive overkill. Most peeps need something to believe in, and, when left to their own devices, are none the worse for wear with an extra blanket or two. Just ask Linus.

    Anti-virus for most folks is still probably a good idea, being that many Joes and Jills are not going to resist visiting certain black holes where these kind of infections commonly occur; nor will all steer clear of dodgy gaming sites, tempting or naughty torrents, and full throttle P2P. Outside of implementing an AIO hardware gateway solution, running something lighter than Norton or McAfee, say like NOD32, might be a suitable A-V compromise. If your surfing and downloading habits are sensible enough, you can dispense with real-time A-V protection altogether (many of us do), and scan manually as needed. But good luck to most there! Know thyself well. Ha!

    As for anti-malware programs, again the same approach applies. No one really needs to run these kinds of progs in real time. Apps like Ad-Aware, Spybot, CCleaner, Stinger, Rootkit Revealer (et al) can be fired up manually as needed, or per regular intervals. There is no ongoing tax on a system when executed and updated manually, except for the (brief) scan times. Cheap insurance, and even cheaper peace of mind. And they're free!

    Same goes for a soft firewall, whether using the native Windows model, or an outbound monitor of choice. Egress filtering can complement a SPI firewall like those found incorporated in many NAT routers today, that is, should anything untoward - from overactive updaters to trojans or malware to, uh hum, cracked appies - attempt to "phone home" and do their thing. Not foolproof of course (certain trojans are capable of sidestepping or disabling them) and PITA to others, but helpful in many situations, and rarely much of a tax on newer machines. Their downside is obvious though: they require some degree of active management, and those often cryptic warning messages can confuse novices.

    In the end it comes down to the kind of user you are (belying what progs + practices you make use of), how safe and disciplined your browsing and >> clicking << habits are, and - correspondingly - how much overall pooter and security knowledge you possess. It's startling how many overlook applying even core security updates! Abstinence and common sense remain the best layer of protection. If YMMV ever applied to any realm of computing, it applies here.

    Voodoo software? Yeah, throw that one in for the PICNIC : Problem In Chair, Not In Computer! ;)
    klumper
  • RE: Why is fear-mongering such a popular security sales tactic?

    Because it worked for the Bush administration to get this nation to invade another sovereign nation that had nothing to do with the 9/11 attacks (and has been proven so by several people in the intel world).

    It has worked for the Bush administration to suspend habeas corpus, institute sneak and peek warrantless arrest, push the un-Patriot Act... just to name a few things.

    SO if it works for the government to dismantle the Constitution and enslave the American people... why not use it to make money off them too? ]:)
    Linux User 147560
    • so we're caught between fear mongers

      and limp wrist appeasers, like we had with Carter. I'm not enslaved, are you? The worst form of slavery we have is our outrageous tax rates, and unelected bureaucrats who drop fines and fees on us under the guise of environmental protection. Talk about fear mongering: we'd be energy independent if nuclear power were adopted in this country as it is in France and Japan, and we wouldn't need to be in the Middle East or be burning coal, causing trillions of tons of radioactive waste as well as CO2 to be poured into the atmosphere.
      And it's all because of Birkenstock wearing pin heads who use Linux (or Macs). Thanks for that, it's all YOUR fault!
      marks055@...
      • Message has been deleted.

        Linux User 147560
        • Thanks

          I'm glad you realized I was pulling your leg.
          No doubt, there is no risk free energy source. The main danger of solar being it will prove utterly inadequate after billions are invested in it. Sounds like we agree on most things here (for once).
          Cheers
          marks055@...
      • One more thing...

        "[B]I'm not enslaved are you?[/B]"

        To answer your question I first pose one, do you carry any credit card debt? A car payment? Any other type of debt other than a house payment?

        If you answered yes, then you are in fact delusional. Why? Because you are indebted to whomever gave you the line of credit you are on. I don't include a house payment because that is in reality an investment. But to conclude my earlier statement, if you are in debt then you are in reality an indentured servant; you are in essence enslaved until you pay off your debt.

        So to answer your question, no, I am not enslaved since I have no debt other than a house payment (my second home). Therefore I am not beholden to any corporate entity and have true freedom of choice. The ability to live a debt free life is simple and leads to a much happier life, as well as the ability to raise a family properly AND be active in government, environmental policy AND many other things.

        So until you pay your debts (because the new bankruptcy laws don't allow you to just wash it away and keep everything) you are in fact enslaved. The punishment is no longer whippings but to be fiscally screwed for a minimum of 7 years for failure to comply with your terms of enslavement. Have a nice day and remember... you chose to allow yourself to be enslaved to credit card companies all so you could have things you really don't need to survive. ]:)
        Linux User 147560
        • ...yep it's Birkenstock's

          ;-)
          ItsTheBottomLine
        • I don't consider debt I agreed to take on of my own

          free will servitude. Partially because the auto we purchased was a 0% loan, so in fact the finance company is losing that money at the rate of inflation.
          I would never consider bankruptcy so I don't care about the new law, people blame everyone but themselves for problems that are self inflicted.
          But mostly I'm not enslaved because the definition of a great country is one people die to try to get to, just ask my friend from Cuba. If you don't like the current administration you are free to say that and no one will kick your door down and disappear you. And you are free to leave, something you may consider if the tax rates ever go as high as they were say, when Carter was bungling his way through his presidency.
          So with freedom comes responsibility. If you run up credit cards to the point of insanity, blame the person who stares at you in the mirror (assuming you're not schizophrenic).
          marks055@...
      • LOL - I'm sorry - but that was funny LOL nt

        nt
        ItsTheBottomLine
        • LOL ROFL ZOMG LOL WTF LOL!!!

          nt
          bmerc
    • It's worked for Governments all around the world - for centuries...

      nt
      ItsTheBottomLine
    • It's worked on all societies forever

      The Bush admin is just the latest group of hooligans pioneering in the art.
      And the American people, who after a first term of Bush's despicable actions elected him AGAIN, are evidently plain stupid.

      I admit Kerry wasn't too inspiring, but I think my dog could have done a better job than Bush and his cronies.
      tikigawd
  • My security?

    Well, I run a fully patched XP. I have Secunia PF. And on Firefox, I run FlashBlock and AdBlock+. I have been virus free for years that way.

    How do I know? On occasion, I install AVG and perform a full scan to double check things. But otherwise, I run without other protections, because I am very careful where I go online and what emails I interact with. I generally avoid the current threat vectors by limiting what I do and where I go.

    One of the reasons for my choices here is financial. I can't afford (or more accurately am unwilling to afford) a faster machine right now. Every time an app updates (including the OS) it typically requires more RAM and more CPU. That's fine, I understand they are writing for faster computers and such, but that weight is slowly crushing my system. So, for the sake of performance, I have been switching to lightweight apps like FoxitReader. I have been extracting unnecessary software and keeping what I have installed patched (via Secunia PSI).

    My two cents.
    mtgarden
  • RE: Why is fear-mongering such a popular security sales tactic?

    It works for the President...why wouldn't the business community try it?
    IT_Guy_z
    • lol

      [i]It works for the President...why wouldn't the business community try it?[/i]

      That's funny.... sad and true, all at the same time.
      Badgered