The fallacy of the cybersecurity industry is that security has no meaningful cost. We acknowledge it costs something, but we have no idea exactly how much because we spend all our time looking at the benefits.

Yes, a bank loses customers when customers suffer from hacking. But a bank also loses customers when it’s security makes it too hard to bank there.

Banks used to put bullet proof glass between the tellers and customers. However, customers found this unpleasant and took their business to more friendly banks. The costs of bullet proof glass, in terms of lost customers, exceeded its benefits, in terms of prevented robberies. Banks are now designed to be open and friendly to bank robbers.

The Microsoft Vista UAC. (I had an entire paragraph explaining why the example of UAC supports my point, then i realized an explanation is redundant).

One of my favorite quotes is from Helen Keller: “Life is either a daring adventure or nothing at all. Security is mostly a superstition. It does not exist in nature.”

The other issue is human nature is to be surprised constantly – it is part of being a hopeful species. For many, many people April 15th is a surprise each year. A common conversation right now is “Wow – it is really getting dark early, now”….

Our experience indicates that the basic transactions themselves aren’t any more secure no mater what type of authentication a consumer uses. I say consumer versus customer since consumer more accurately describes the folks that use online banking. And consumers are quite happy to install a security tool on a rooted system. (It does seem like we’re talking about both kinds of users here since there is discussion of balanced score cards.)

Consumers generally become unhappy only after a change in state – their computer functions slower or they detect a fraudulent charge. (Even then only for a short period of time.) So I would say that although happiness can be important, it is by no means required when mandatory security functions are indicated, implemented, and enforced.

perfect question – Alan Greenspan’s customers loved his low interest rates and lack of regulation. And it worked great, until. Well…you know…

Props to you for putting customer focus into infosec, which we need, just saying that its not the only measure.

I’d be tempted to try it this way:

The best security program minimizes cost: from incidents, implementation, and process impact.

The customer happiness equation in retail is a different story (and the complex credit card liability spreading complicates is further) but even TJX changed a lot of their ways after the incident in an effort to deal with potentially unhappy customers – back to why I said above that “long term” is key. No airline’s passengers are happy after a plane crash but it takes the long term to determine if there is a customer-perceptible difference in safety across the airlines.

We all know that online services would be much safer if everyone was forced to used strong authentication yet consumers reject it and show that they will do less online consumption if they are forced to augment reusable passwords with tokens. Which is the better security program: the safer one that customers dislike and don’t use, or the riskier one that generates higher revenue?