Selling Security
The poll of IT network and security administrators in SMEs to determine how they persuade management to change security practice found that almost half of respondents admit to advocating the fear factor.
Many respondents indicated that they have to present worst case scenarios involving confidentiality breaches, lost customers or liability charges to justify investments in information security technology.
The use of scare tactics may be prompted by the fact that, according to additional findings from the poll, more than one in four (29 per cent) network administrators claim that senior management rarely, or never, change standard practices in response to security recommendations alone.
However, an encouraging 30 per cent indicated that rational facts, including cost-based analysis, productivity statistics and industry articles, are sufficient to prompt a reaction.
Additionally, 51 per cent of respondents reported that senior management implement changes to security practices based on their recommendations most or all of the time.
(No comment. From VNU, via Infosec News Blog.)
Does beg the question of how good the cost-based analysis is (in the absence of accurate industry stats), and whether the lack of reliable analytics is the reason why FUD sales tactics might be employed so often.
Don’t people generally fear what they don’t know?