Perception of Security Risk: Fear, Uncertainty, and Doubt
The expression "fear, uncertainty, and doubt" (FUD, for short) has been around for a long time. Gene Amdahl used this phrase to describe the sales technique used to convince buyers to purchase "safe IBM equipment" instead of going to one of IBM's lesser-known competitors. Microsoft has also been accused of using this tactic over the years, but the most current high-profile reference to FUD is probably in the lawsuit of SCO v. IBM.
What does FUD have to do with security? Dictionary.com defines the term security in several ways, but we'll focus on these two descriptions:
- Freedom from danger, risk, etc.; safety.
- Freedom from care, anxiety, or doubt; well-founded confidence.
The first form of security is what an information security program is meant to address. Information systems can be defined as being "unsecured," so we attempt to "secure" them; that is, protect them from danger.
The second form of security is an emotional state. We may feel "insecure," so we desire a sense of security—that sort of warm, fuzzy feeling we get when we know that everything is going to be alright.
Both of these forms of security have an impact on the decisions we make as part of our information security programs, and they both actually have their place. One has real value: We actually can make our systems more secure. The other has a perceived value—when we tell the boss that the systems are secure, he can feel better about it.
The Influence of Fear
Strong emotions affect our decision-making processes. Fear can occur in varying degrees: worry, terror, fright, paranoia, horror, etc. But fear is generally caused by the known, not the unknown. Adults fear what children don't. Imagine a child who has never heard of ghosts suddenly encountering one. If he doesn't know that he should fear it, will he run away? With no experience on which to base a fearful response, he probably won't flee. This is the fearlessness of ignorance.
Fear vs. Risk
As security professionals, we know what happens when our information systems are compromised. Systems crash and fail, data is lost or stolen, the news is made public, and the organization faces a loss of reputation and revenue—and possibly even lawsuits. Much work will need to be done to recover, and many people may lose their jobs over the incident. This knowledge is sufficient to cause fear among security professionals as well as upper-level management. Unfortunately, this fear may lead to decisions based on emotion rather than risk.
There are well-established security best practices for evaluating threats to a business. As security professionals, we're in the business of risk management. To understand our level of risk, we need to know the threats to our environment, the impact that a certain threat may have on the environment, and the probability of occurrence. This leads to a simple formula:
Risk = Threat × Probability
The results of our risk assessments, along with calculations like the one above, don't give us simple answers. Risk assessments are subjective, and may vary between professionals based primarily on their individual levels of knowledge and experience. The risk assessment should include input and review from key players within the organization; the system owner, system engineers, and administrators; and the security team. Their combined knowledge and experience will provide key input in determining the proper weightings for risk, threat, and probability so that a more informed decision can be made. This system tends to decrease any fears that may be associated with various risks, which is critical because fear tends to alter normal judgment and lead to rash decision-making.
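The assessment process described above, as an added example that is not part of the original article: each reviewer (the system owner, a system administrator, and the security team, as assumed roles) rates every threat scenario on two 1-to-5 scales, the scores are averaged, and the article's formula Risk = Threat × Probability is applied. The scenarios, the reviewer names, the 1-to-5 scale, and the ratings are constructed sample data; treating the "Threat" factor as the severity of the threat to the environment is an assumption made to fit the two-factor formula. The spread between reviewers' individual risk values is reported as a measure of how subjective a given scenario's assessment is, so that disputed scenarios get discussed rather than settled by whoever is most afraid.

```python
"""Added example (not from the article): aggregating a subjective risk assessment
across several reviewers and ranking scenarios by Risk = Threat x Probability."""
from statistics import mean, pstdev

SCALE_MAX = 5  # assumed 1..5 rating scale for both factors

# Constructed sample ratings: scenario -> reviewer -> (threat, probability).
# "threat" is used here as the severity of the threat to the environment,
# an assumption made so the article's two-factor formula can be applied.
SAMPLE_RATINGS = {
    "ransomware on file servers": {
        "system owner": (5, 2),
        "sysadmin": (4, 3),
        "security team": (5, 3),
    },
    "phishing of finance staff": {
        "system owner": (3, 4),
        "sysadmin": (3, 5),
        "security team": (4, 4),
    },
    "physical theft of a laptop": {
        "system owner": (2, 2),
        "sysadmin": (1, 3),
        "security team": (3, 2),
    },
}


def score_scenario(ratings):
    """Return (risk, threat_mean, probability_mean, disagreement) for one scenario.

    risk follows the article: Risk = Threat x Probability, computed on the
    mean of the reviewers' scores. disagreement is the population standard
    deviation of the reviewers' individual risk values; a large value means
    the reviewers do not agree and the scenario needs discussion.
    """
    for reviewer, (t, p) in ratings.items():
        if not (1 <= t <= SCALE_MAX and 1 <= p <= SCALE_MAX):
            raise ValueError(f"{reviewer}: ratings must be 1..{SCALE_MAX}")
    threats = [t for t, _ in ratings.values()]
    probs = [p for _, p in ratings.values()]
    individual = [t * p for t, p in ratings.values()]
    t_mean = mean(threats)
    p_mean = mean(probs)
    return (
        round(t_mean * p_mean, 2),
        round(t_mean, 2),
        round(p_mean, 2),
        round(pstdev(individual), 2),
    )


def rank_scenarios(all_ratings):
    """Rank scenarios by consensus risk, highest first; ties broken by name."""
    rows = []
    for name, ratings in all_ratings.items():
        risk, t, p, spread = score_scenario(ratings)
        rows.append({"scenario": name, "risk": risk, "threat": t,
                     "probability": p, "disagreement": spread})
    rows.sort(key=lambda r: (-r["risk"], r["scenario"]))
    return rows


def needs_review(row, spread_limit=2.0):
    """True when reviewers disagree strongly enough that the scenario should be
    talked through before its ranking drives a spending decision (threshold assumed)."""
    return row["disagreement"] >= spread_limit


if __name__ == "__main__":
    for row in rank_scenarios(SAMPLE_RATINGS):
        flag = "  <- reviewers disagree, discuss" if needs_review(row) else ""
        print(f"{row['scenario']:<30} risk={row['risk']:>6} "
              f"(threat {row['threat']}, probability {row['probability']}, "
              f"spread {row['disagreement']}){flag}")
```

With the sample data the phishing scenario ranks above ransomware even though every reviewer rated ransomware as the more severe threat, because its probability is rated much higher; the ransomware row is the one flagged for discussion, since the owner's and the security team's individual risk values differ by a factor of 1.5.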
In a perfect world, security product sales would be based on the product's quality, merits, and applicability to a specific need. It's easy to sell a product to someone who needs it. It's difficult or even impossible to sell that same product to someone who either isn't aware of or won't acknowledge a need. There are a couple of ways of helping someone to identify the need for a particular product:
- Education. Explain the known risks, show how the user and his systems are vulnerable, and then show how the product meets those needs. This method addresses the security of the information systems.
- Fear. The steps are similar, but with a different emphasis. After explaining the known risks, place strong emphasis on the impacts of a breach. There's plenty of news from which to draw horrific scenarios of embarrassment and destruction. This method addresses the emotional security of the potential buyer.
The ability of fear to alter our judgment makes it a powerful tool for sales:
- Buy product X to defend yourself from the latest worm, virus, Trojan, malware, etc.
- Buy product X because you don't really trust product Y.
As opposed to this more positive spin:
- Buy product X to get more customers (product X enhances your reputation).