14 March 2011 · Fear, Information Security, and a TED Talk « The New School of Information Security


TEDMed talk by Thomas Goetz: a great talk about making health information understandable to patients in order to motivate them to act. Adam blogged about it because it reinforces his notion that fear does not motivate management to invest in information security.

Thomas suggests a four-step feedback loop: Personalized Data, Relevance, Choices, Action.

For health care, Thomas shows that the key problem is poor information presentation design. Is the problem the same in information security, or is it the lack of relevant information to present?

In information security, people, and especially management, don’t act because they don’t believe that more firewalls, SSL and IDS will protect their cloud services. They don’t believe it because we don’t talk about how well those things actually work. Do companies that have a firewall experience fewer breaches than those with only a filtering router? Does Brand X firewall work better than Brand Y? Who knows? And absent that knowledge, why invest? There’s no evidence of efficacy. Without evidence, there’s no belief in efficacy. Without a belief in efficacy, there’s no investment.

We’re going to need to move away from fear and toward evidence of efficacy. Doing so is going to require us all to talk about investments and outcomes. When we do, we’re going to start getting better rapidly.