The fear factor

Why are we in security? That question was at the heart of a thought-provoking presentation at our recent Global Advisory Board, as Melanie Ensign of Facebook’s cybersecurity communications and advocacy team posed philosophical questions about the reasons for working in the industry.

She started out by saying that although much of security is underpinned by compliance, rules and laws, they only exist because there are people at the other end. People who work directly in security can relate to the issues on a technical or a legal level, but a far higher number of people connect to it on an emotional level. Or, to put it another way, if you freak people out, they will care more.

This brings us to fear, uncertainty and doubt, or FUD, which has been the default setting for many industry people when they try to convince others in their organisations, or the general public, about the value of security. FUD is the most unsophisticated level of emotion we can use. Science shows that fear is a short-term motivator: researchers at the Neurosecurity Lab at Brigham Young University have applied neuroscience in order to understand how people respond to security messages at a cognitive level. Their research works from the notion that users are the weakest link in security, and it shows how the brain responds to security warnings – sometimes at an unconscious level – and how this influences their behaviour.

The findings apply as much to boards as to individuals because, as human beings, we all respond in the same way.

Melanie Ensign’s view is that fear can provoke a particular response in people – such as buying a security product to protect themselves better – but they tend to make poor choices when scared. Instead, if the industry cares about the much broader goal of getting people to be better at securing themselves and their information, then it needs to take a different approach.

Talking about security as a life challenge that everyone is going to experience rather than something destructive is a start. Admittedly, there’s not as much media mileage in this approach. It means resisting the urge to create a narrative around a security story that’s designed to provoke panic.

Melanie argued that as long as the industry projects the impression that its job is to scare people into buying something, it’s difficult to get a seat at the top table. She argued convincingly that the business doesn’t want to be scared; it’s not an enjoyable experience and it’s ultimately counterproductive. If someone you know only ever brings bad news, then before long, you don’t want to hear from them. In the same vein, it’s also very difficult to earn trust from people if they don’t have it, or if they had it and lost it.

More positive emotions such as control and trust resonate far more effectively with people, particularly if they’re non-technical. Most people outside of security don’t care about the why, they just want to know what to do, and move on with the rest of their day. Security people have to stop thinking that others need to understand the subject at the same level that they understand it.

It turns the security role much more towards education, and it calls for messages that are more nuanced and more creative. One approach is to talk about how security helps to solve other problems: Facebook invested in encryption and sped up its network performance as a result. The engineering accomplishment to make the network faster was how the security team got buy-in from the business. The same approach paid off when Facebook built frameworks and tools to ensure that code was more secure as it was written. The tools made developers’ jobs easier; the security aspect was a by-product, not the main selling point.

If we’re serious about improving the reputation of security, then it’s time to stop fearmongering and start changing the conversation. The outcome will be individuals, teams and companies in security that others will trust to provide benefits, and not just be the emergency response team they call when things go bad.

What do you think? Is it time to change the security message we’ve been hearing? We’d love to hear from you.
