Rational Risk Management Ends The Fear Factor


  • Amrit has an article up now in which he christens the term “Fear Factor Marketing”, which I find hilarious. From the article:

    The screaming headlines have been running for years. Whether they’re in press releases about cybercrime exceeding international drug profits or the billions of dollars lost to breach disclosures or videos highlighting the meltdown of power generators due to a myriad of vulnerabilities, the anti-malware industry has long relied on fear to move their products…

    Amrit then goes on to say that he believes that the commodification of security features will eventually force less reliance on FUD and lead to a stronger bargaining position for those on the buying side of the table. While I agree (as long as the rate of innovation in the market remains at the current rate or lower), I do think there is a more effective method you can use to remove emotion from the buying equation right now.

    WHY YOU BUY THINGS

    It’s common knowledge that people buy on emotion, and then provide rational justification to reinforce the emotion. It’s like this in real life for me. I don’t need to upgrade my computers to Leopard or Vista; I’ve been doing my work on Tiger and XP just fine for years now. Why upgrade? Because IT’S FREAKIN’ COOL, that’s why. I’m upgrading because of emotion. Increased security or productivity features or whatever are simply justifications.

    The InfoSec market has been playing the same game now for ages. Things are sold to you because you fear getting hacked, or being “non-compliant” with some paternalistic prescription of your purchasing budget, or because that’s what Smart Pundit(tm) says you should be buying.

    ON AVOIDING EMOTION AS A BUYING MOTIVATOR

    The key to avoiding buying based on emotion is to have a rational approach. Easy enough. But unfortunately we’ve been trained to buy on emotion, and then justify that emotional response with some perverted logic. So the next time someone is trying to scare you into opening your checkbook, how do you know whether you’re just perverting your logic to buy based on feeling?

    The answer is to use a system or framework that can be objectively applied, regardless of vendor or technology, to examine the worth of a product or technology to you. Not the obligatory case study, not to protect from some projected aggregate industry loss amount or increase in attack numbers, but worth to your specific environment.

    USING A RATIONAL APPROACH

    You’ll remember that the only metrics we’re concerned with are:

    • Reducing Risk
    • Reducing Loss
    • Creating Operational Efficiencies

    Now for purchasing a product, Loss Reduction metrics don’t apply (Loss Reduction is proven when we compare loss in a current incident with a past similar incident). But the other two are key.

    OPERATIONAL EFFICIENCIES

    Will the product allow you to do the same or more with less over its lifetime? Then buy it!

    RISK REDUCTION

    Ah, the key. You’ll recall that one of the arguments made against “risk management” is that you’re going to just buy the same things as everybody else anyway. Ummm, if you have an unlimited budget and are lazy, maybe.

    If you choose not to just buy what’s thrust upon you from the floor of the last trade show, you can match the probable reduction in loss event frequency and impact against your risk tolerance, and see if the new technology really makes sense given resource limitations (budget/human costs of acquisition). You can even go so far as to compare how a product will reduce the frequency or impact of probable loss versus the status quo, similar products, or alternative mitigation strategies - you’ll have rational reasons to buy or not buy.

    Remember, it’s not just about risk reduction qualities - it’s about how much risk reduction compared to expenditure, and your tolerance for risk.

    Risk, measured this way, tells you whether an investment is worth the time and effort it takes to reduce risk.
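    The comparison described above, as an added worked example that is not code from the original post: a FAIR-style estimate of annualized loss with and without a control, checked against the control’s yearly cost and a stated risk tolerance. All figures (frequencies, magnitudes, prices, tolerance) are constructed assumptions that mirror the DLP story told below, not data from the post.

```python
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    # Three-point estimates (min, most likely, max), as FAIR-style analyses use.
    loss_event_frequency: tuple  # loss events per year
    loss_magnitude: tuple        # dollars lost per event

@dataclass
class Control:
    purchase_cost: float
    annual_opex: float
    lifetime_years: int

    def annual_cost(self) -> float:
        # Spread acquisition over the product's lifetime, then add running cost.
        return self.purchase_cost / self.lifetime_years + self.annual_opex

def draw(rng: random.Random, estimate: tuple) -> float:
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)  # stdlib argument order is (low, high, mode)

def annualized_loss(s: Scenario, seed: int = 42, trials: int = 20_000) -> float:
    """Mean annual loss: sample frequency and magnitude from their ranges."""
    rng = random.Random(seed)  # fixed seed so the estimate is repeatable
    total = sum(draw(rng, s.loss_event_frequency) * draw(rng, s.loss_magnitude)
                for _ in range(trials))
    return total / trials

def evaluate(status_quo: Scenario, with_control: Scenario,
             control: Control, tolerance: float) -> dict:
    """Compare yearly risk reduction with yearly expenditure and with tolerance."""
    before, after = annualized_loss(status_quo), annualized_loss(with_control)
    reduction, cost = before - after, control.annual_cost()
    # Justified if the reduction pays for the control, or if the control is
    # what brings an out-of-tolerance exposure back within tolerance.
    justified = reduction >= cost or (before > tolerance >= after)
    return {"ale_before": before, "ale_after": after, "annual_reduction": reduction,
            "annual_cost": cost, "reduction_per_dollar": reduction / cost,
            "justified": justified}

# Constructed figures, not from the post: leakage with and without the DLP
# product, and the same product at launch price and at one tenth of it.
LEAKAGE_TODAY = Scenario((0.5, 2.0, 4.0), (25_000, 75_000, 200_000))
LEAKAGE_WITH_DLP = Scenario((0.1, 0.5, 1.5), (25_000, 75_000, 200_000))
TOLERANCE = 250_000  # acceptable mean annual loss, an assumption
DLP_AT_LAUNCH = Control(3_000_000, 50_000, 5)   # annual cost 650,000
DLP_LATER = Control(300_000, 50_000, 5)         # annual cost 110,000
```

    Calling `evaluate(LEAKAGE_TODAY, LEAKAGE_WITH_DLP, ctl, TOLERANCE)` for each price point gives the same risk reduction (roughly $147k/yr with these figures) against a $650k/yr cost at launch and $110k/yr later, so only the cheaper purchase is justified.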

    THE NAMES HAVE BEEN CHANGED TO PROTECT THE INNOCENT

    A few years back when DLP products were first on the market, they were very, very expensive. And all the rich kids with Fortune 500 budgets were buying them. Part of this success was because the vendors had a really great sales trick. They would put the box down in your environment for a month, and then at the end of the trial period, they would show you all the confidential information that was going across your wire. Common Practices and paranoia dictate that this information going out unencrypted was a bad, bad thing. In fact, legend has it that a particular vendor had never lost a sale using this trick.

    Until they got to a risk-aware (FAIR-using) organization. You see, this organization had plenty of visibility and compliance concerns. And like all the other companies before them, they had lots of Data Leakage to see at the end of their 30 day trial. But something didn’t add up right:

    If they were leaking all this data, where were all the incidents?

    You see, they understood that frequency was part of the equation. And they hadn’t removed any controls recently, so this leakage had to have been happening for years. So where was all the risk? The answer, as it turns out, is that the risk just wasn’t as great as you would think it would be, and certainly not enough to warrant the price tag the DLP vendor expected (and had received from dozens of similar organizations).

    So the vendor finally lost a sale.

    Now this was back when these things cost millions of dollars to large organizations. Since then, market pressures have dropped the price to something more reasonable (1/10th of the cost), and the organization finally bought one (price, tolerance, and risk now make sense). But the point is that the CISO didn’t pull the emergency stop cord, expend massive amounts of budget and political resources, and buy herself a multi-million dollar DLP installation just because of FUD, or peer pressure.

    Fear didn’t work. Risk did.

    So take heart Amrit, the End of the Fear Factor is in sight, and it’s available now if you are willing to use it.


  • 14 comments

    1. Spock Nov 13

      I upgraded to Leopard specifically because of Time Machine. You irrational types make it hard for the rest of us.

    2. Jon Robinson Nov 13

      Brilliant. Well done. “How to Buy”

    3. Adam Nov 13

      “If they were leaking all this data, where were all the incidents?”

      The incidents are in the same place as the leaks: invisible before we got tools to look for them. Why would any ID theft victim call their hospital to report an id theft? (to grab a random incident from the front page of pogowasright.org)

      Adam

    4. Alex Nov 13

      Hi Adam,

      Are you suggesting a 1 to 1 correlation between the DLP data and frequency of incidents?

      If not, then the question to be answered remains: “To what extent does DLP in place allow you to prevent, detect, or respond”, and “Is that amount of additional control worth the investment”.

      This then becomes a risk question.

    5. Adam Nov 14

      I’m not suggesting correlation, I’m suggesting that the question, “if we’re leaking, where are the incidents?” is a poor question because incidents are missed, covered up, hidden, and otherwise unobservable.

      It’s a little like asking, “if this radioactivity stuff exists, where are the gamma rays” before the invention of x-ray film.

    6. Alex Nov 14

      I should write, then, that this IRM department was not naive enough to believe that they were without incident. The probability of current incident is (was) something to account for.

      However, when we use the word “probability” we stumble back into the “risk realm” and then must quickly address impact. For this organization, the impact - and past aggregate impact from incidents - were nowhere near the multi-million dollar price tag for the DLP solution they were pitched.

    7. Chris Hayes Nov 14

      There does not have to be an “incident” that results in a loss either. I think what compounds this concept is regulatory or industry compliance – especially those that rely on “self-reporting”. What is the appropriate cost to prove due diligence in the absence of quantifiable loss events? Better yet, what is the cost of an organization being considered a responsible corporate citizen and trying to prevent (and manage) vs. reacting when there is a loss event because of ignoring risk?

    8. Adam Nov 15

      Color me a little skeptical (although obviously you have more details than I do).

      I’ve seen organizations with mature processes designed to cope with a lack of information. I’ve seen those organizations taken aback when they added new detection mechanisms.

      Overall, though, I agree. We need much better data about what goes wrong in order to make better decisions.

    9. Alex Nov 15

      I’d rather you be skeptical than swallow everything the blogosphere puts out.

    10. Sammy Nov 17

      Hi Alex,

      I’m glad I could help you set up your “my product is better” anecdote, even if you had to grossly misinterpret my words as arguing “against” risk management and fabricate the idea that I’m calling CISOs “stupid” in order to fit your needs. And this after you accused me of name calling in your previous post. Wow. Good times.

      –Sammy.

    11. Alex Nov 17

      Sammy,

      You’re completely right. I apologize for taking your quote out of context, and for my comments. I’ll edit those out.
