Looking at the reality of consumer-focused security, why people don’t pay attention to security, which types of B2C security products have seen adoption and which didn’t, and what the future holds
Great writeup and definitely a lot to unpack here. Was going to add this to your LI post but hit my word limit.
In your reference to existing risks and consumer awareness, regulators and industry had to step up to safeguard the consumer and insurance had to come in to help offset the immediate cost over time. The automobile industry was required to add further safety standards to operate on the roads and insurance became mandatory. Will we see an internet where you can only exist on it if you meet minimum security standards? Or maybe if you don't meet that security standard as a consumer and fall victim to a crime (accident) existing insurance cover is more difficult to leverage?
I do wonder if the data to shift this claim is out there "Most individuals haven't felt the pain of a security incident" given I'd be surprised if we all didn't know at least one person that has been personally caught by a cyber attack in the past few years. There is also the potential stigma associated with being a victim of cybercrime so it's not spoken of widely. I know at least a few that are incredibly embarrassed they clicked on something which is now to them so obvious and it had massive financial impact.
I love the fact that businesses like the bank you mentioned and others are doing things that help secure their customers. Hopefully this trend continues.
I'm curious if you see a stage where cyberattacks become so mainstream that regulators, industry, and insurers all come to the table, not necessarily at the same time, to offer consumers products that will help them avoid or recover from a cyber incident. Personal cyber insurance baked into homeowners policies or standalone, applications or cellular devices whose use is contingent on having security safeguards turned on similar to seatbelts in cars. I'm avoiding the big brother topic especially with cellular and personal devices here because while relevant I do think there are ways to have both. Cars have seatbelts, people choose to use them, but if they don't and have an accident there are consequences.
Re: "Will we see an internet where you can only exist on it if you meet minimum security standards?" - I don't think that is possible if the internet remains mostly unregulated (which I hope it will). An interesting one to think about for sure.
Re: "I'd be surprised if we all didn't know at least one person that has been personally caught by a cyber attack in the past few years". I think there's something here. That said, few people have actually had serious consequences on their lives (i.e., losing all of their savings, etc.). Exceptions are when they are actively scammed (such as the pig butchering scam) but not so much when their Zoom credentials got leaked.
Re: "I'm curious if you see a stage where cyberattacks become so mainstream that regulators, industry, and insurers all come to the table, not necessarily at the same time, to offer consumers products that will help them avoid or recover from a cyber incident". I am sure that will happen, the question is to what degree it will solve the problem. Cyber insurance is for the most part quite unhelpful. Cellular and personal devices is an interesting one as carriers could indeed filter out spam messages etc. if only they were okay to admit reading SMS; similarly they could filter out robocalls but for that they have to listen to all. It's an interesting one to watch but I do think that with the rise of deepfakes, something will change 100%. Maybe we will stop relying on calls as much? After all, the company that has achieved the best results helping businesses protect themselves from phishing is Slack. Maybe we need Slack for mobile?
Some time ago we ran a campaign asking people how much they’d pay for an internet security suite for their homes. The results were interesting because out of around 1000 people, 1/3 of them said zero or close to zero, 1/3 said half of what a normal product would cost and the other 1/3 were all over the place with less than 10% getting close to the prices of the time. Then, we gave the option to all of the respondents to buy the product at their requested price, and from those that opened the offer, less than 25% actually bought it. It was an interesting exercise that supports what you said about people not wanting to pay for security.
I think a part of the problem is that people don't know what they'll do. It's usually a bad idea to ask people what they think/will do/could do; the only thing that matters is their past. If they are already paying/looking for consultants/looking for help/building their own tools etc. to solve a problem X, it means they have a willingness to pay. Whatever they say about the future is not at all an indicator of their behavior. Learned it the hard way many years ago; then became a proponent of good discovery practices. On that note, I 100% recommend "The Mom Test" as it touches on that really well.
Wow, this is the best read I had this week.
You identified clearly the frictions that hold people back with security tools.
I will share this. Thank you for your thoughts on this.