
SANS ISC: When using fear to sell security can backfire - Internet Security | DShield SANS ISC InfoSec Forums


When using fear to sell security can backfire

If you are a security professional, you need to possess strong persuasion skills. This doesn't apply solely to employees of security vendors. Even if your job is internally focused, you still need to convince your colleagues to consider security when processing data, building systems, interacting with partners, etc. Since these individuals often do not report to you, you have to exercise your persuasion abilities to achieve the desired results.

Highlighting the importance of security often incorporates an element of scare tactics: describing threats, explaining the repercussions of ignoring security, or providing examples where inadequate security led to disastrous consequences. The approach is used in both internal security awareness sessions and security product literature.

Fear is a key element in the often vilified trio of fear, uncertainty, and doubt (FUD). Indeed, when used without restraint, fear can backfire.

First, there's the "boy who cried wolf" syndrome. The famous fable refers to a protagonist who issued so many false alarms about the wolf's impending attack that the villagers did not believe him when the calamity actually occurred. "The liar will lie once, twice, and then perish when he tells the truth." If resorting to fear, be sure to have your facts straight, and be ready to substantiate your claims if challenged.

Furthermore, while fear can be an effective element of persuasion, it can also paralyze the audience into inaction. This point is emphasized by the authors of Yes!: 50 Scientifically Proven Ways to Be Persuasive. They confirm that "fear-arousing communications usually stimulate the audience to take action to reduce the threat." With one exception:

"When the fear-producing message describes danger but the audience is not told of clear, specific, effective means of reducing the danger, they may deal with the fear by 'blocking out' the message or denying that it applies to them."

In your internal or outbound communications, be very clear about what steps the audience can take to reduce the risks you're describing. Otherwise, your scare tactics might backfire, with the audience tuning out completely. (If you're interested in the chapter from the Yes! book that deals with fear and persuasion, you can read it here. The text references a 1965 study that tested the effectiveness of fear in the context of medical inoculation brochures, which is summarized here.)

-- Lenny

Lenny Zeltser leads a regional security consulting team at Savvis and teaches a course on reverse-engineering malware at SANS.
