I am slowly making my way through the Schneier's essays on Instapaper and found this one on the Psychology of security. If you have ever wondered why certain security projects get funded, why some decks work a lot better than others and why some arguments seem to resonate over others of equivalent merit; then psychology of security holds a lot of answers. Schneier provides the theory, research and some tricks and recommendations on using psychology to sell security; this is my take on expanding those techniques. The basis for all of this is grounded in scientific experiments, all the links to the research are in Schneier's essay.
How do you use these? You are never going to remember all of them and that's often the biggest problem with things like NLP. They are too hard to use in everyday life because they take a lot of un-natural practice before they become second nature. So I suggest that you use it as a checklist or put the key points into a mindmap. Check them before and after writing your next deck or business case. Practice often enough and you will start using them in conversations, meetings, and calls.
1. Play up spectacular risks.
Schneier: "People exaggerate spectacular but rare risks and downplay common risks." Intuitively you know this to be true. There is a far greater risk of dying in a car crash but more people are afraid of flying. At time of writing in May 2011, 9/11 was nearly 10 years ago, but it led to a massive pay day for every security agency. Even 10 years on it's power is so great that the US government was able to extend the patriot act for another four years. The massive over-reaction that meant a huge erosion of American civil liberties extended without cause all because of a spectacular risk from 10 years ago. Now you may not want to use this because it seems like FUD. Well guess what? FUD works. You can either continue an ideological objection to FUD or you can get paid. Or feed your kids, increase your reputation and influence, get that security improvement you know that really needs to be done. Whatever rocks your boat. So play up the China hackers, cyber-warfare and advanced persistent threats.
Risks from sources people do not trust seem more plausible. This is why you need to forget about that insider threat argument. It is never going to work. You want to play up the uncertainty. Detailed scenarios also increase believability. Put in gory details; really describe a scenario rather than a scattergun bullet-point approach of possible threats. That's why I love attack trees. If you do not have the numbers, as we often don't, use the fact that people tend to ignore probabilities where there is a high emotional content. Play up the emotions in your detailed scenario of Chinese hackers for maximum effectiveness. Grouping risks together for executive management is not your friend. Evaluating risks as a group makes them seem less risky. If you are only getting 5 minute slot, or one slide, prioritize and present them the most compelling, most emotional and spectacular risk scenario. Finally leverage the anchoring effect. High loss numbers like Sony 100 million records lost, or HSBC being fined $4 million for loosing 2 CD's of customer data are great for this. Write the number on a white-board they can see when they walk in. Even if you do not directly talk about it, the number is anchored in their minds. When you talk about a loss or risk this will then make them perceive it as more risky.
2. Make it personal.
If you really want that new Dataloss prevention system talk to the execs about their email being stolen, if their laptop or blackberry was hacked. What would they do there were fraudulent credit card transactions on their statement? Even for impacts like damage to the company brand, it is so much more persuasive if put in a personal context. A major incident would affect the brand and reduce long-term share price and growth which would have a significant impact on anyone with share options to vest in a few years. Kids are a great lever. We seem to have an evolutionary response against any thing that will harm kids. While logical from an evolutionary perspective, today this is often applied irrationally and can be exploited. Link your risk not just to Mr senior manager and his wallet but also his kids. We store a lot of personal data in our databases. Imagine if your kids personal data was all over the Internet?
3. Overestimation of current risks
At the time of writing this links very nicely with 1. Spectacular risks. With the high profile hacks of RSA, Sony and the Apple and Google location gate scandals there should be plenty of current events to shape to your purpose. Emotional events are even better i.e. 9/11, location and privacy issues work well for us also. This works because recent events are easier to imagine therefore more effective regardless of their actual likelihood or applicability to your company. Imagination is also a wonderful thing. Considering a particular outcome in your imagination makes you think it is more likely to occur. An outcome that is more difficult to imagine will be marked down even if you have all the numbers to back it up. You can link this with anchoring through techniques like getting your manager to imagine a malware infection on their kids computer before you make your pitch for the new IDS.
4. Overestimation of risks outside their control
Again, this is another reason for the flying vs. driving risk failure. This is why the cloud seems so scary, even though the insider threat could happen in any company. There is an illusion of control over "employees" in your own company vs. another company you contract with. Even though, especially in large companies it would be just as easy for organized crime or government to get a cleaner or temp into either. Any risk that is imposed, where they have no control always seems higher. This is another reason to play up regulation, class actions and contract breeches rather than internal policies and standards when you want to get something done.
5. Risk of large loss chosen over certain small loss
This is why you lose. The risk of a massive loss e.g. Sony now estimated at $130 million from the PSN hack, part of an overall $1.3 billion loss and untold reputational damage. I bet some poor sucker in security tried to convince them years ago that that they should patch the Apache servers or they should encrypt customer personal information. Take the certain
6. Exploit heuristics
Rules of thumb. Just the wording and re-framing an argument can make all the difference. In studies over 70% choose the positively worded outcome even when the probability is equal. So why say the chance to lose 10 million when you can present it as an opportunity to save 10 million? People tend to accept things closer to the current state. They are going to trade-off more for security they have accustomed to. This explains the success of firewall and anti-virus companies. Can you bolt on an IPS to a firewall or removable media control to your AV? Risks involving people rate higher. If you really want to sell your APT or malware threat talk about the humans that wrote and benefit from it and how they and their kids are personally affected. We evaluate small numbers well but suck at larger numbers. So use small percentages. A computer in our company, just like the one you use or your kid at home, is infected once every 2 seconds. One in every three documents, just like the board minutes for this meeting, sent out of the company is an office document.
Finally, on presenting costs in a way that increases your chances of success. People judge costs on reference. They are willing to may more for something that seems like it should be more expensive. Tiffanie's have been using this for years, why can't you? To build a world-class security to support a world class consumer experience you need to spend $X on security. Small costs are not accounted for in mental costs. Can you present your cost as a cost per user, cost per event or incident, $ per day? The framing effect. Always show the highest cost option first and the one you actually want in the middle. Time discounting - costs and benefits in future are discounted. Gains are discounted more than losses and smaller amounts are discounted more than large. Present your savings in the first year and load up your higher costs on the back end.
To sell security effectively:
- Play up spectacular risks
- Make it personal and use kids
- Use 1-3 examples of current events
- Use examples of threats outside of management control
- Present certain, current losses even if small. Aim for incremental improvements in security
- Re-frame your argument as an opportunity for gain. Bolt onto existing investments
- Present costs smartly. Use anchoring, break costs into small units, load up near term gains.
Security is the art of managing trade-offs. No matter what security role you do, you will always be selling. Do it well.