straxd on Group Psychology, IT Security and PCI…..
February 20th, 2008 Drazen Drazic Posted in Bad Stuff, Industry Specialists Talk, PCI, PCI DSS, Risk Management, cyber crime |
From straxd - an unassuming dark horse
I have always had a bit of a fascination with the concept of group psychology. It’s at the same time the most evil and the most successful marketing tactic that a company can launch.
Take De Beers’ creation of the diamond industry as an example. By giving the right general impression, the entire psyche of society can change (and the diamond cartel made billions as a result). Coke has converted a version of caffeinated carbonated sugar water into a drink pretty much everyone has every day. The record and movie industries have converted copyright infringement into theft, and created the previously alien idea that artists would stop creating new art if they weren’t millionaires.
Not that group psychology is always a bad thing. The cigarette industry used media and advertising to ingrain smoking into culture, and now the Australian Government is using the same tools to try and associate smoking with disease and suffering.
The security industry uses the same tools for similar results. Microsoft created the public acceptance of viruses being inevitable. Verisign’s SSL logo makes people believe that the site is secure, when all it shows is that the connection is encrypted and the certificate was issued to someone; it says nothing about how the site handles your data once it arrives. People now believe that the “Hacker Safe” logo means their data will be safe, even though all it represents is an automated external vulnerability scan, and not a particularly thorough one.
What surprises me is that the credit card companies don’t get into the same game with PCI. I would like advertisements saying “Don’t give your credit card information to any company that’s not PCI compliant”. I would like an official logo that companies can put on their sites that will actually imply some level of security.
I believe that companies won’t and don’t respond to threats of fines if they get hacked at some point. They just assume that they won’t get hacked because…well, it won’t happen to them. For them, security is a cost, not a profit, and it gets in the way of doing business. Remember, of course, that it’s not the companies’ own data they are risking, it’s their customers’. It’s so much easier to gamble when it’s not your money that you’re betting.
Now don’t get me wrong, PCI isn’t everything. It’s just better than what most companies have now. What non-compliant companies will understand is the alienation from their customers which could happen if the customers realise the benefits of PCI compliance. When my mother can look at a site, know that it’s PCI compliant and have a general idea of what it means, that is when PCI compliance will take off.
February 21st, 2008 at 10:57 am
As it currently stands, I doubt that the term ‘PCI compliance’ will ever be recalled & remembered by the mums & dads of the world.
It’s not sexy enough. It’s not catchy. It doesn’t mean anything to them. Plain & simple. The term really sucks.
Getting back to your point about logos & group psychology DD, you’re spot-on, people associate with logos, lingos & jingles.
I feel like a Tooheys. You oughta be congratulated.
The likes of John Singo know it, and are masters at it.
What do you reckon Singo would do if approached to market ‘PCI compliance’ to mums, dads & corporations ?
First thing he’d do is he’d p1ss it off. He’d completely rename & re-badge it. It’d be the same product, but it’d be called something catchy. Something people would remember because it actually means something, an image, that they can quickly understand & retain.
Even though the ‘Hacker Safe’ logo may not live up to expectations, it is a stroke of sheer marketing genius.
In two simple words, even the most uninitiated, non-computer person can quickly grasp what ‘Hacker Safe’ means. Even my computer-loathing, farmer father would understand it.
February 21st, 2008 at 1:24 pm
@BG
True, Verisign did it with SSL. Even completely non technical people talk of making sure ‘the padlock is glowing’ before entering personal or confidential data. I have had people say this to me all the time - mum and dad types.
It can happen, and regardless of what it is called, I really think that critical mass of industry compliance is almost there and it is time for a general population positive marketing campaign.
This is the next step in encouraging merchant compliance - just like the ‘Don’t risk it, use a licensed plumber’ bumper stickers, but positive, and PCI related…
…then again, it may just be ‘that time of the afternoon’…
February 21st, 2008 at 2:18 pm
Dec,
very true.
Verisign SSL has the padlock. Even a drunken bum at the pub knows what a padlock is for.
What has ‘PCI compliance’ got as their marketing hook ?
February 21st, 2008 at 2:21 pm
@BG
You’re right, of course, but given the right push any name can be linked to anything in people’s minds. In wide scale marketing the name doesn’t define how people think of the product, but you define how people think of the name and the product.
We now think of Google as a search engine, when people would have thought you were going slightly insane if you talked about googling something fifteen years ago. Facebook is synonymous with social networking, but it’s only been around for a few years. Verisign SSL is a case in point - it’s pretty well worse than PCI Compliant (at least PCI Compliant has some assonance going) but they’ve still managed to plaster their logo around half the web.
Godel Escher Bach had some pretty cool chapters on how symbols form in our mind.
Of course, I’m not saying the name doesn’t have any effect. Maybe I just feel like arguing at the moment!
February 21st, 2008 at 3:47 pm
btw right push includes a good logo and a good marketing effort.
February 22nd, 2008 at 3:01 pm
Recently breached companies here in OZ - stats show that very few people give a rats and will continue to buy from them anyway, e.g. Rosesonly. Can’t recall where the stats came from, but google it if need be.
While liability sits with anyone bar the consumer, it does not affect their purchasing decisions - i.e. using the net, store etc. You report the fraudulent transaction…the only pain is getting the new card. Identity theft care factor - nah, can’t happen to me.
Given so many players, it will be a case of a good proposal put forward for submission - could come from anywhere…waiting on a large committee to do something like this will take forever.
February 23rd, 2008 at 8:20 pm
Not really sure what you are advocating here Draz, “While liability sits with anyone bar the consumer…” - should we feel the pain without having a viable alternative for electronic payment systems? The service providers are liable for the integral operation of their service and the confidentiality of their customers’ details? Personally I think we are just in the throes of a paradigm shift. Transparency, visibility and auditability will finally prevail as the generational divide with regard to technology narrows. Consumers do have limited liability, thus what do they care. Identity theft will have more awareness in the group psyche when more people get done over and band together.
http://www.ranum.com/security/computer_security/editorials/lawyers/index.html
is a fun rant around “liability” from a software perspective.
February 25th, 2008 at 9:08 am
D2,
you got a laugh out of BG.
You’ve trotted out more cliches than Rex Mossop calling a Manly vs Parra grand final.
Generational divides, paradigm shifts, group psyches ?
I reckon I know who you *really* are, D2… or should I say, Kevin Rudd.
Reveal yourself, Kevin !
BG.
PS. Kevin Rudd contributes to B or B !