Why We Need Fear to Sell Security

[steven36]

We need fear to sell security. We NEED it. If we didn’t make people scared of the threats, then cybersecurity as an industry would end. But what if we didn’t need it?

The antiperspirant and deodorant industry doesn’t need to remind us that people can stink. We notice.

And if you’re one of those people who thinks, “that’s crazy, people don’t stink and antiperspirant is based on cosmetics FUD!” and so you don’t wear it, well then I think then it was you I stood next in the elevator this afternoon, and I can tell you I noticed.

EVERYBODY noticed. We even talked about you after you left and we didn’t even know each other. We bonded over your stink.

Without the fear, I think security would still persist, and it might be much more interesting to pursue as a career. Getting rid of the “fear selling” would usher in the wave of security that has been sitting for years on the sidelines like the introverted, middle child.

Yes, we’d finally be fixing the things that matter. Imagine having all of the security toys and none of the paranoia.

The perceptions vary, but for the most part the security industry has mainly focused on selling fear. The biggest focus has been on cyber attacks, malware, and vulnerabilities which may be exploited for various outcomes as the center point of the “what are you afraid of today?” campaign.

The stars of fear theater here are hackers and criminal organizations. But terrorists, or rather, nation-states hunting terrorists, are soon to replace them.

Another underlying fear facet of security is privacy. This may have something to do with vulnerabilities, implementation weaknesses, or good intentions gone wrong.

More than likely however, privacy concerns will come from other problems such as unethical practices, a manipulation or abuse of laws and law enforcement, lack of accountability, or the company gets sold for parts.

The much-needed new laws in privacy – and the not-so-much-needed new laws in take-away-your-privacy-for national-security that are falling into place have most recently – caused a flurry of security services and products based on privacy protection. And businesses eat it up.

Why? Because to operate in some way illegally, intentioned or not, is a major fear in-and-of itself for legitimate businesses who don’t have a gaggle of lawyers at their beck and call.

But privacy also has many real boogeymen to count in its X-files existence that should be more fear-inducing, like online mobbing/vigilantism, search and detainment laws, collected metadata, insecure electronic record storage, and people who upload pictures and videos of someone doing something not illegal that’s their own damn business.

Go back and re-read that list with the X-files theme song in your head and you’ll see what I mean. Yet, most people don’t care enough about those things since they’re not about them. And that’s because of the fear.

The things that are scary just aren’t scary enough because the masses are tricked into being so afraid of the stuff that someone is conveniently selling solutions for – like malware.

Everyone freaks out over malware. I get it, malware infections suck and can be nasty to deal with. As a matter of fact, “one virus found recently in the wild can change the voltage on your computer and electrocute you when you push the On button,” according to some guy whose kid goes to school with my kid, so he thinks he can just talk to me.

And this scares the hell out of him. What if he finds his kids are dead because they turned on the computer (and apparently were standing in a bucket of water together when doing so).

So he’s pushing everyone to buy some brand of antivirus that he has because it catches even transmuted (his word, not mine) viruses. And since he’s had it, his Internet connection is much faster.

I told him I wondered why the Internet was faster everywhere, but it must be because he installed it. He just nodded, because he didn’t get it.

Now, he’s a victim of Fear, so I shouldn’t have picked on him. At the very least you gotta love his enthusiasm. I mean, I’m pretty unapproachable, so it had to take some energy to talk to me.

But it got me thinking, wouldn’t it be better if – with that same level of energy – he informed everyone about the things to really fear that will only change with new social shifts or practical legislation? Like real protection for healthcare records?

Because, what sucks more than malware is having your medical records stolen or leaked, which are listing your real infections. Or the mole you got that you’re getting tested because why would someone hire you if you’re about to be out on medical leave?

Or why not fire you now when later it’ll be harder when you’re out on medical leave. That’s a much scarier issue.

The thing about Fear is that it pushes the extremes. For example, and I’m summarizing this from a very real malware detection solution website (no kidding!):

We should fear malware because 1. it’s not noticeable until it’s too late, 2. doesn’t just die when killed, 3. preys on the unprepared, and 4. it doesn’t discriminate.

WTF?! That makes malware sound like a monster from a slasher movie. By comparison, Freddy, Jason, and those blind things from The Descent are less scary. And that’s why selling fear is so bad for security, because it screws up the public’s priorities of what’s really scary.

Fear causes people to ignore real security and privacy issues because they’re too busy jumping at shadows.

And that’s what pushing fear gets you: People who think lurking malware – regardless of what it does – is decidedly much worse than a very real and scary “known” like third-parties losing your personal info and stuff.

So, can you sell security or privacy without fear? Of course. It’s like asking if sex toys would sell if there was no fear of disease or unwanted pregnancy. They would sell because they satisfy a need.

Yes, security and privacy solutions could satisfy many needs. They could give elite control to management, add efficiency to systems and networks by filtering out unwanted stuff, add oversight to a department or employees, enhance hiring practices, and improve decision making.

And that’s just the start. Many security and privacy tools started as just quality and management tools. Many security practices started out as quality practices in regression testing and stochastic response testing.

If you want to play along, try this little game: Ask yourself, what if there was nothing to be afraid of on the Internet, then what would security product (fill in the blank) be good for?

Just asking this question allows you to see all the facets of security which have been marginalized or ignored in order to devote an incredibly large portion of time and resources to making it with the fear.

Of course, none of that matters, because with so much fear out there you can’t possibly push the proactive benefits now without at least showing you can match your competition who’s pushing the fear aspects. Not if you want your business to survive.

So that’s why I embrace the fear-selling overlords. Because it’s impossible today to sell cybersecurity sans fear without a major social and market shift. So embrace it and love it, because we’re shotgun married to it now.

Like a hyper, caffeine-addicted, co-dependent partner, Fear’s not going away any time soon. But imagine how much better and useful the solutions could be if it did!

Source