Bruce Schneier’s recent explanation in a CIO article of psycho-economic experiments on how we handle simple security investment decisions makes us all look pretty silly (click HERE). With images that bring to mind Jack Black playing the part of a doomed jungle animal or primitive “homo securosis” (in my mind’s eye, anyway), he recalls Kahneman and Tversky’s 1979 theory and experiments. The conclusion is fairly simple, and makes some sense.

Consider the following two scenarios and how you would respond…

  1. On one hand, would you rather take a sure $500 gain or a 50% chance of a $1000 gain? Either choice has an average expected gain (over a number of repetitions) of $500 per try.
  2. On the other hand, would you rather take a sure $500 loss or a 50% chance of a $1000 loss? Either choice has an average expected loss (over a number of repetitions) of $500 per try.

It turns out that for the majority of our population, the answer to question (1) is… the sure gain.

For question (2)… the CHANCE of a loss is preferable in most people’s view. (Read the article above, and its references, to find out why.)

The first response is not a huge surprise, but the second one might be. It’s apparently a vestige of an older “conserve now, and live another day” mentality inherited from our evolutionary bag of tricks. (This is where Jack Black pops into my head, but I must … push … him … out for a few moments of seriousness…)

So, I think this explains why it is so hard to sell security: people would rather take their chances on losses in many situations, unless the sure loss is small and the possible loss is relatively large. We just have a hard time proving that the possible loss is very large, and when we try, we are called fear-mongers. So we are left between a rock and a hard place.

One answer, according to Bruce, and in keeping with his position in other recent articles, is that security should be sold as part of a larger package that produces an overall gain. Then you don’t have to justify it or negotiate for it. This is how he recently described the future of security for infrastructure: people will eventually just buy infrastructure from service providers who have the obligation to include security.

In many cases, I think it does make sense to argue for this approach. But there will always be cases where bundling security is not so practical. Not all security investments can be bundled this way. An enterprise should have its own security policies, its own awareness training, its own desktop workstation hardening, and its own physical security for facilities and internal network connections. These are often subject to the same type of question as in the experiment above: how much effort would you put into policies, training, hardening, etc. (where the cost is a sure loss) in order to avoid a potentially larger loss (and how large would that loss be)?

One thing Bruce doesn’t discuss is the idea of compliance. Governance regulations in most industries are often a “no-brainer”. You have to spend something on them, at least, to get the checkmark on the audit and pass GO. But this is an area where you may as well leverage the money, time and effort you have to spend anyway, and turn it into something more valuable.

For example, if you have to do training, why not pick a program that provides benefits beyond the audit checkmark? This is your chance to avoid the experiment problem: the incremental cost of the best program over the minimum one may be small enough to make it the exception to the psycho-economic rule.

As for the “bundling” issue, you can take the opportunity during strategic planning initiatives to build security into the strategic plan for meeting long-term objectives, much as a coach builds defense into the team’s plan when balancing the roster for the season. So the best defense is not always a good offense, at least in business.

With this theory in mind, do you have any other suggestions for getting around the human nature issue? And do you think this problem is more prevalent in larger organizations or in smaller businesses?