Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

When using fear to sell security can backfire

Published: 2008-08-28
Last Updated: 2008-08-29 14:47:15 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)

If you are a security professional, you need to possess strong persuasion skills. This doesn't apply solely to employees of security vendors. Even if your job is internally-focused, you still need to convince your colleagues to consider security when processing data, building systems, interacting with partners, etc. Since these individuals often do not report to you, have to exercise your persuasion abilities to achieve the desired results.

Highlighting the importance of security often incorporates an element of scare tactics: describing threats, explaining the repercussions of ignoring security, or providing examples where inadequate security led to disastrous consequences. The approach is used in both internal security awareness sessions, as well as security product literature.

Fear is a key element in the often vilified trio of fear, uncertainty, and doubt (FUD). Indeed, when used without restraint, fear can back-fire.

First, there's the boy who cried wolf syndrome. The infamous fable refers to a protagonist who issued so many false alarms about the wolf's impeding attack, that the villagers did not believe him when the calamity actually occurred. "The liar will lie once, twice, and then perish when he tells the truth." If resorting to fear, be sure to have your facts straight, and be ready to substantiate your claims if challenged.

Furthermore, while fear can be an effective element of persuasion, it can also paralyze the audience into inaction. This point is emphasized by the authors of Yes!: 50 Scientifically Proven Ways to Be Persuasive. They confirm that "fear-arousing communications usually stimulate the audience to take action to reduce the threat." With one exception:

"When the fear-producing message describes danger but the audience is not told of clear, specific, effective means of reducing the danger, they may deal with the fear by 'blocking out' the message or denying that it applies to them."

In your internal or outbound communications, be very clear about what steps the audience can take to reduce the risks you're describing. Otherwise, you scare tactics might back-fire, with the audience tuning out completely. (If you're interested in the chapter from the Yes! book that deals with fear and persuasion, you can read it here. The text references a 1965 study that tested the effectiveness of fear in the context of medical inoculation brochures, which is summarized here.)

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.

Keywords:
0 comment(s)

IE8 Beta 2 Released: InPrivate Browsing

Published: 2008-08-28
Last Updated: 2008-08-28 21:42:41 UTC
by John Bambenek (Version: 1)
1 comment(s)

Microsoft has put IE8 into its second beta and there are a variety of new features.  The one most interesting from a security perspective is "InPrivate" which let's users mort tightly control what cookies get stored (and how they are used) and the settings to control the browser history.  This is largely seen as a slap to Google and Yahoo where it will allow IE users a built-in way to limit the amount of profiling web advertising companies can do to target their advertisements.  It remains to be seen whether this will be used in an even handed way, but it is a good reminder to people how much data advertising companies such as Google can generate about its users.  Nothing in life is free, and if you aren't paying for those services, Google is getting paid from someone. :)

Some people could care less, others are more stringent about their privacy.  There are equivalents in the Firefox world (AdBlock, etc), but Microsoft seems to be trying to position themselves to be the protectors of privacy in the new web world order.  We'll see how that works out (because MSFT is an advertiser themselves with their own ad network).

--
John Bambenek
bambenek /at/ gmail \dot\ com

Keywords:
1 comment(s)
Diary Archives