Psychology is defined quite simply as “”the science of human behaviour.”” It’s the study of the causes of what we do in everyday life. Recently I was asked to don my “”behavioral scientist”” hat and look into the marketing of security software and services and why such campaigns often seem to fail in
the face of ever-increasing security concerns.
I looked at the promotional efforts of a number of major players in the IT security business and found an interesting common thread: Most use scare tactics to sell their products. There’s apparently a hacker behind every bush and a virus in every cup of coffee. But these firms will generously sell you the antidote.
Even if they do have the “”cure””, what they fail to realize is that scare tactics rarely affect human behaviour (in this case purchasing behaviour).
For example, no matter how many vivid images you see of blackened lungs, maimed children struck down by drunk drivers, or bodies mutilated in traffic accidents, none of these will affect the frequency of smoking, drinking or seatbelt usage to any meaningful extent. This has been proven beyond any reasonable doubt in psychological research that is decades old.
There are a number of explanations for this, but a key one is people (correctly) assume that the odds of something that extreme happening to them has to be incredibly low. So they carry on with their “”normal”” behaviour.
The same thing appears to be true with the sales of IT security products, only the purchase decision is made for the corporation rather than the individual.
What’s worse, though, is that companies selling security products are misleading their potential customers with frightening anecdotes and media clippings that exaggerate security risk, instead of providing meaningful statistics.
Let’s look at a PricewaterhouseCoopers survey conducted this past spring. With more than 8,000 CEOs, CIOs, CSOs, IT VPs and directors from 62 countries, surveys don’t get much more thorough than that.
The results show IT budgets have been flat for the past couple years, and IT security spending has been flat at 11 per cent of overall IT budget. Does that sound like an increased security concern?
Furthermore, the number of security breaches was also flat year-over-year; and, more importantly, resulting losses and disruptive damages dropped in severity. Similarly, the most common attacks — malicious code, denial of service and unauthorized access — also all dropped in frequency from the previous year. Does this sound like what your IT security vendor has been telling you?
I’m not saying information and communications security shouldn’t be a concern to corporations of all sizes, but I am saying that until security vendors put a more positive spin on their marketing messages and stop misinforming their potential customers, they’ll face an uphill battle. The research shows IT managers know better, and I’m sure you’ll keep reminding the vendors of that.