Selling security not always easy

Bruce Schneier advises on getting management interested

There are two basic ways to sell something. Either a product gives the buyer something he or she wants — satisfaction, comfort or money — or it protects that person from something he or she doesn't want: assault, fraud, burglary or a terrorist attack.

It's a truism in sales that it's easier to sell someone something he or she wants than something that person wants to avoid. People are reluctant to buy insurance, home security devices, or computer security of any kind. It's not that people never buy these things, but selling them is an uphill struggle.

The reason is psychological. And it's the same dynamic whether it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security, or a security officer trying to get the company's employees to follow a security policy.

It's also true that the better you understand your buyer, the better you can sell.

Why we’re willing to take risks

First, a bit about Prospect Theory, the underlying theory behind the newly popular field of behavioural economics. Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979; Kahneman went on to win a Nobel Prize for this and similar work. Prospect Theory explains how people make trade-offs that involve risk. Before this work, economists had a model of "economic man", a rational being who makes trade-offs based on some logical calculation. Kahneman and Tversky showed that real people are far more subtle and ornery than this.

Here's an experiment that illustrates Prospect Theory. Take a roomful of subjects and divide them into two groups. Ask one group to choose between these two alternatives: a sure gain of $500, or a 50% chance of gaining $1,000 (and a 50% chance of gaining nothing). Ask the other group to choose between these two alternatives: a sure loss of $500, or a 50% chance of losing $1,000 (and a 50% chance of losing nothing).

These two trade-offs are mirror images of each other, and traditional economics predicts that whether you're contemplating a gain or a loss makes no difference: people make trade-offs based on a straightforward calculation of the relative outcome. Some people prefer sure things and others prefer to take chances, but whether the outcome is a gain or a loss doesn't affect the mathematics (the expected value of each gamble is the same as its sure alternative) and therefore shouldn't affect the results. This is traditional economics, and it's called Utility Theory.

But Kahneman's and Tversky's experiments contradicted Utility Theory. When faced with a gain, about 85% of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70% chose the risky larger loss over the sure smaller loss.

This experiment has been repeated again and again by many researchers, across ages, genders, cultures and even species, and it always yields the same result; it rocked economics. Directly contradicting the traditional idea of "economic man", Prospect Theory recognises that people have subjective values when it comes to gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or "a bird in the hand is worth two in the bush". And two, a sure loss is worse than a chance at a greater loss, or "run away and live to fight another day". Of course, these are not rigid rules. Only a fool would take a sure $100 over a 50% chance at $1,000,000. But, all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses.

This cognitive bias is so powerful that it can lead to logically inconsistent results. The "Asian Disease Experiment", for instance, is an almost surreal example. Describing the same policy choice in different ways — either as "200 lives saved out of 600" or "400 lives lost out of 600" — yields wildly different risk reactions, even though the two descriptions are arithmetically identical.

Evolutionarily, the bias makes sense. It's a better survival strategy to accept small gains rather than risk them for larger ones, and to risk larger losses rather than accept smaller losses. Lions, for example, chase young or wounded wildebeests because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow.

Similarly, it is better to risk a larger loss than to accept a smaller loss, because animals tend to live on a razor's edge between starvation and reproduction: any loss of food, whether small or large, can be equally bad. As both can result in death, the best option is to risk everything for the chance of no loss at all.

Fear and selling on the side

How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss — the cost of the security product — and a large risky loss: the result of an attack on one's network, for example. Of course, there's a lot more than this to the sale. The buyer has to be convinced that the product works, and also has to understand the threats against the organization and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product.
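To make the bias concrete, here is an added worked example (not from the original article) that scores both the $500/$1,000 experiment above and the security-purchase choice in this paragraph with a prospect-theory value function, and compares it with the risk-neutral "economic man" of Utility Theory. The value function and its parameters (alpha = beta = 0.88, loss aversion lambda = 2.25) are the median estimates from Tversky and Kahneman's 1992 follow-up paper, not figures given on this page; the probability weighting from that same model is deliberately left out so that only the concave-for-gains, convex-for-losses shape the article describes drives the results. The product cost and breach loss are constructed for illustration.

```python
"""Prospect-theory value function applied to the article's two gambles
and to the security-purchase decision.  Added illustration, not the
article's own material.

Parameters are the median estimates from Tversky & Kahneman (1992)
(an assumption; the article gives no parameters).  Probability
weighting from that model is intentionally omitted.
"""

ALPHA = 0.88    # curvature for gains: diminishing sensitivity (concave)
BETA = 0.88     # curvature for losses: diminishing sensitivity (convex)
LAMBDA = 2.25   # loss aversion: a loss weighs ~2.25x a gain of equal size


def value(x: float) -> float:
    """Subjective value of outcome x relative to the reference point 0."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def prospect_value(outcomes) -> float:
    """Value of a gamble given as [(probability, outcome), ...]."""
    return sum(p * value(x) for p, x in outcomes)


def expected_value(outcomes) -> float:
    """Utility-theory baseline: the risk-neutral 'economic man'."""
    return sum(p * x for p, x in outcomes)


def prefers_sure_thing(sure: float, risky) -> bool:
    """True if the prospect-theory agent takes the sure outcome over the gamble."""
    return value(sure) > prospect_value(risky)


def breakeven_breach_probability(cost: float, loss: float,
                                 theory: str = "prospect") -> float:
    """Smallest breach probability at which buying the product (a sure
    loss of `cost`) beats gambling on a breach costing `loss`.

    Utility theory:  buy when cost < p * loss        -> p* = cost / loss
    Prospect theory: buy when value(-cost) > p * value(-loss)
                     -> p* = value(-cost) / value(-loss) = (cost / loss) ** BETA
    """
    if theory == "utility":
        return cost / loss
    if theory == "prospect":
        return value(-cost) / value(-loss)
    raise ValueError(f"unknown theory: {theory}")


def would_buy(cost: float, loss: float, p: float, theory: str = "prospect") -> bool:
    """Does the agent buy the security product at breach probability p?"""
    return p > breakeven_breach_probability(cost, loss, theory)


if __name__ == "__main__":
    gain_gamble = [(0.5, 1000), (0.5, 0)]
    loss_gamble = [(0.5, -1000), (0.5, 0)]
    print("sure $500 gain preferred to 50% at $1,000:",
          prefers_sure_thing(500, gain_gamble))      # True: risk-averse for gains
    print("sure $500 loss preferred to 50% at -$1,000:",
          prefers_sure_thing(-500, loss_gamble))     # False: risk-seeking for losses

    # Constructed figures: a $10,000 product against a $1,000,000 breach.
    cost, loss = 10_000, 1_000_000
    for theory in ("utility", "prospect"):
        p_star = breakeven_breach_probability(cost, loss, theory)
        print(f"{theory:8s}: buys once yearly breach probability exceeds {p_star:.2%}")
```

Both gambles have the same expected value as their sure alternatives, so the utility-theory agent is indifferent in both frames; the prospect-theory agent keeps the sure gain but gambles on the loss, matching the 85%/70% pattern reported above. For the purchase, a risk-neutral buyer pays $10,000 as soon as the annual breach probability exceeds 1%, while the prospect-theory buyer needs it to exceed roughly 1.7% before the sure loss looks better than the gamble. That gap is the "negative sell" in numbers, and it widens as the product cost shrinks relative to the loss it prevents.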

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in terms of positive results. That's why you see slogans with the basic message "We take care of security so you can focus on your business", or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is, fundamentally, a negative sell.

One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away. Lots of other psychological research supports this. Any burglar alarm salesman will tell you that people only buy after they've been robbed, or after one of their neighbours has been robbed. And the fears stoked by 9/11 — and the politics surrounding 9/11 — have fuelled an entire industry devoted to counter-terrorism. When emotion takes over, people are much less likely to think rationally.

Fear-mongering is effective, but it is not very ethical. The better solution is not to sell security directly but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. It's the same with your house. And it should be the same with computers and networks. Vendors need to build security into the products and services that customers actually want. CIOs should include security as an integral part of everything they budget for. Nor should security be a separate policy for employees to follow; rather, it should be part of overall IT policy.

Security is inherently about avoiding a negative, which means you can never ignore the cognitive bias that is embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.

Bruce Schneier is chief security technology officer with BT. Contact him at
