Cybersecurity is the hottest topic in the IT channel. Numerous cybersecurity experts have emerged to help MSPs build their solution stacks, adjust their business models, and better understand regulations and compliance.
Likewise, figures have emerged to address another side of cybersecurity — marketing and selling it. The IT channel has been flooded with advice, but is that advice truly correct? Research suggests that common ideas — FUD, fear appeal, piles of graphs and statistics — do not actually work.
If MSPs wish to improve their conversion rates on cybersecurity, the processes underlying the Customer Experience (CX) and buyer’s journey must first be carefully examined and understood. Only then can the “pop marketing” platitudes be cast off and the optimal cybersecurity marketing direction be determined.
In this article:
- Why a “simple” perspective on marketing is counterproductive.
- The flaws in a fear-based marketing approach.
- Why FUD is a bad thing.
- Consumer response to fear-based marketing.
- A better solution to the cybersecurity marketing challenge and how to market a cybersecurity company.
The IT channel has been turning to fear appeal marketing for as long as I’ve been a part of it. With a growing focus on cybersecurity, discussions about fear-driven marketing have run rampant. Many channel figureheads endorse fear appeal marketing and actively encourage MSPs to use fear to sell cybersecurity.
This is happening despite the fact that fear appeal marketing has a historically poor performance record, not only in cybersecurity, but throughout the history of advertising. Marketing experts have long been researching and publishing studies about fear appeal marketing which clearly describe not only the inefficacy of the method, but also why it is a poor choice for marketing cybersecurity in 2022 and beyond.
Key reasons include:
- It is impossible to satisfy the two requirements of a viable fear appeal campaign when discussing cybersecurity.
- Fear appeal campaigns create apathy among the audience over time.
- Fear appeals are negative and create undesirable associations between the advertiser and the message.
- Cybersecurity marketing tends to use statistics. Statistics have proven to be a largely ineffectual marketing tool.
In this paper, we will explore the above points and their associated research to better understand them. We will also discuss more viable options for marketing cybersecurity by looking at similar marketing challenges from the past.
Fear-Based Marketing and Cybersecurity
How many marketing gurus have told you to use fear to market cybersecurity?
The IT channel has been leaning on fear appeals to sell cybersecurity since before I came into the channel almost ten years ago. Throughout the time since, I’ve seen MSPs struggling to move the needle using this method.
I believe MSPs have been told to use this method simply because no one has offered a better alternative. As such, a sub-3% conversion success rate is considered “better than nothing” and adds to the illusion that fear appeal marketing is a viable option.
Every business within a hundred miles of an MSP has already received dozens of emails, postcards, and LinkedIn messages about how scary cyberthreats are. There is no reason to believe that a prospect is going to convert on a cybersecurity offering if they see one more breach statistic or attend one more webinar about ransomware.
Fear, in its current form, is clearly not the means to drive cybersecurity adoption.
An important note on FUD (Fear, Uncertainty, and Doubt):
The term “FUD” has been moving through the IT channel a lot lately. It’s important to note that the term doesn’t carry a lot of weight in marketing circles. FUD is actually an unethical approach that’s tied to con artists and propaganda. In reality, FUD is the idea of using manufactured fear, often lies, to scare people into action. FUD is not a good thing!
Marketing Cybersecurity With Fear Appeals
There are actually a few reasons why fear appeals are ineffective when creating a cybersecurity marketing strategy. We’ll get into those in a moment. First, we should look at why MSPs and marketers think it’s a good idea.
Many people use a very linear and simplified thought process to understand fear appeal:
- Make people afraid of hackers.
- Show people how your solution protects from hackers.
- Fear of hackers goes away, therefore they open their wallet.
This is a serious oversimplification of fear appeal and consumer behavior. In truth, there are some pretty important variables affecting the above sequence:
- In behavioral science, we rarely look at decision making as a matter of linear causality. You generally can’t “flip switches” like fear to produce responses that are predictable enough to be part of a long chain of toppling dominos. When we do try this, we flip switches that are causally linked to majority percentages across very large population segments.
- The sequence completely ignores audience predispositions as expressed through Douglas’ Cultural Theory, Moral Foundations Theory, and others. I believe the research around these theories directly correlates to cybersecurity acceptance rates as it is often centered around similar sociological challenges.
- The simplified messaging pattern doesn’t address the underlying issues affecting the decision. In other words, the primary driver of this decision is not fear of cyber attack, even when a marketer tries to make it so.
These factors erode the very foundation of the typical fear-based cybersecurity marketing approach. Again, these points are only confirming what many in the IT channel already know: that fear-based marketing isn’t capable of eliciting the desired consumer response.
Fear Falls Short in Cybersecurity Marketing
Apart from the above flaws in the approach, there are a few other effects in play:
The first significant issue is that fear-based cybersecurity marketing almost invariably falls back on statistics to elicit a response. Consumers generally do not respond well to statistics for several reasons:
- Most people have come to accept that statistics are “fuzzy” or completely made up, especially when used in marketing.
- It’s assumed that most people will not fully understand the statistics, and therefore their potency is reduced.
- When shown negatively-positively biased statistics, people tend to subconsciously assume that they fall in the positive. (“Sure it happens, but it won’t happen to me.”)
Perhaps more importantly, some of the statistics commonly used will actually be detrimental to achieving the desired result. For example, when consumers are shown something like this:
84% of SMBs are not secure.
This statistic actually reinforces the idea that the status quo is ambivalence about cybersecurity. In other words, the consumer sees that their peers aren’t taking steps to secure their own businesses. This works almost like “reverse social proof”, telling the consumer that society at large is not concerned about cybersecurity and their peers don’t expect them to take action.
It’s no different than stating that 84% of consumers do not use our product and expecting it to compel the prospect to act in your favor. (There’s a reason you never see this kind of thing in ads.)
Consider also that these high-danger, shocking statistics are handed to the consumer by IT professionals who are also telling them that “well, you can never be totally safe from hackers but we minimize the damage when it happens”.
This is extremely important when considering the efficacy of fear appeals, as the following excerpt explains:
“A long stream of fear appeals research in various disciplines has provided mixed evidence of their effectiveness (Ray & Wilkie, 1970; Wheatley and Oshikawa, 1970; Rotfeld, 1988; Burnett & Lunsford, 1994; Latour & Rotfeld, 1997; Witte & Allen 2000; Laroche et al., 2001; Ruiter, et al., 2001; Hastings et al. 2004, Mowen et al., 2004; Rossiter & Thornton, 2004; Meneses, 2010; Brennan & Binney, 2010). In the Extended Parallel Process Model (EPPM), Witte (1992) argues that the success or failure of a fear appeal depends on the target audience’s evaluation of the two aspects of the message: perceived threat and perceived efficacy. Perceived threat includes the susceptibility of the individual to the threat as well as the severity of the threat. Perceived efficacy refers not only to the efficacy of the recommended response but also the ability of an individual to perform the advocated action. Fear appeals are most likely to change behavior when an individual perceives both threat and efficacy as high.”
As we see here, two conditions must be met in order for a fear appeal to work:
- The audience must believe that the threat is severe and likely to affect them;
- The audience must believe that the proposed solution will be effective at stopping the threat.
Neither of these conditions is met by the typical cybersecurity fear appeal, as illustrated throughout this article. This alone should be enough to convince anyone that fear-based marketing should not be used for driving cybersecurity adoption.
I said earlier that fear is not the key driver in this decision-making process regardless of how hard we try to make it so. In most attempts at cybersecurity fear marketing, the key driver is actually operant conditioning as defined by B.F. Skinner.
This is one of the simplest concepts in behavioral science, and most people know it as “negative and positive reinforcement”.
It’s difficult to override personal experience with hypotheticals. This explains quite a few behavior patterns:
- A person who doesn’t go to the doctor until they’re extremely sick.
- A child who carelessly approaches strangers’ pets becomes terrified of dogs after being bitten by one.
- A power bill is left unpaid until the electricity is shut off.
- Cybersecurity is ignored until the organization experiences a breach.
In all of these cases, risk and reasoned thinking take a backseat to personal experience, i.e. “my behavior has not caused me any pain, therefore I can continue the behavior”. In each case, outside forces are compelling them to take action, the risks are understood, but maladaptive responses are still preferred (ignoring the danger) — until something negative actually happens and changes the behavior.
Different contributing factors apply, of course, including money or convenience, but the point remains that the experiential bias holds a great deal of power over the decision.
Negativity Avoidance and Message Rejection
I suspect that avoidance is the single greatest reason why the IT channel’s approach needs to be reevaluated.
Research surrounding fear marketing tells us that an inevitable, widespread side effect is consumer apathy. Think of this like Chicken Little telling everyone that the sky is falling. Eventually, people stop caring about the warning and completely tune it out.
The fact that cybersecurity marketing has been fear-based for so long, with so little evident change in consumer behavior, tells me that the audience has become largely immune to its messaging.
If you bombard someone with negativity for long enough, they’re more likely to ignore it. The sheer volume — over many years — of cybersecurity fear messaging explains why few respond to it.
Add to this the simpler and more straightforward fact that people just don’t respond well to negativity. Reminders of threat or danger, especially in the case of cybersecurity where consumers feel that safety can never be assured, are disturbing and painful. The most likely response we can expect is for the audience to look away. (Many advertisers actively avoid negative messaging or contexts to limit the risk of consumers developing an association between negativity and the advertiser’s brand.)
There is also a complex relationship between the threat and the consumer’s belief that they can address that threat. In effect, research shows us that too many fear appeals, or fear appeals which seem overwhelming, will cause consumers to seek relief from the fear rather than from the threat. This typically leads to the consumer ignoring the danger.
To summarize, there is a “threat of danger” threshold that actually reduces the effectiveness of the messaging once crossed. If the threat seems too apparent, too hard to avoid, or too complex, the consumer will begin to feel helpless in the face of it. With personal efficacy being a key requirement of successful fear appeal, this creates problems.
A Short-Term Alternative to Fear-Based Marketing
Given our understanding of the market as outlined above, I believe that only a widespread change in cybersecurity marketing will truly “move the needle” — not just from a business growth perspective, but from a desire to see more widespread adoption of cybersecurity practices.
We’ll discuss one possible way to create that change in the next section. First, I want to talk about how MSPs can change their own strategy to improve new client acquisition around cybersecurity in the short term.
The fastest way to grow market share is to take customers from your competitors. This is a fact of life in marketing, and for MSPs looking to grow in 2022 and beyond, I believe that it’s business suicide to ignore this avenue of growth.
The market is saturated with MSPs. If you’re only looking for clients among end-users who don’t already have an IT provider, you’re fishing in a very small pond.
In some ways, it’s actually easier to acquire new business from your competitors than it is to drum up new clients from scratch. To be more specific to this topic, it allows you to find prospects who don’t need to be sold on cybersecurity. They’ve already bought it and the hard work of educating and qualifying them is done. This is much, much easier than expending time and energy trying to convince someone that cybersecurity is worth paying for — a process that, at best, yields around a 3% success rate.
(That’s right. If you do absolutely fantastic, informative, non-fear based cybersecurity marketing, you can expect to convert 3 out of every 100 prospects — maybe. Industry-wide and all snake oil gimmickry aside, that’s the high side number you’re working with.)
What about someone who has already been sold on cybersecurity by a competitor? They’re probably closer to 100% accepting of it, especially if the reason they’re switching is that your competitor failed to protect them from a cyberattack.
The strategy here is to stop trying to convince people that they need security — as this article illustrates, that’s an uphill fight with low ROI. The strategy is to prove to the existing market that your MSP is better at providing it.
This isn’t the kind of strategy you execute with a book about lead gen funnels in one hand and a templated sales letter in the other. It demands that the MSP take marketing seriously, develop a brand strategy, research their competitors and their regional market, differentiate, and become competitive.
…and that difficulty is why 90% of MSPs won’t do these things. The ones who do buckle down and start taking a competitive approach to marketing will eat the laggards’ lunches, take their market share (it has to come from somewhere), and ultimately rise to the top of the food chain.
The Long-Term Alternative to Fear-Based Marketing
As an MSP marketing professional, I care about this subject because I want my clients to be wealthy and successful — but I also care because I genuinely think that organizations need to take cybersecurity more seriously. Everyone benefits when our world is more secure.
This leads me to what I think is the best possible change in direction for cybersecurity marketing. We must stop thinking of cybersecurity as a matter of education and start thinking of it as a matter of culture.
I came to this conclusion after researching 50-odd years of anti-smoking public service announcements. For many years, people were told how dangerous and unhealthy smoking is. They were shown statistics. They were told horror stories. These were the exact same tactics the IT industry has been using to try to drive cybersecurity adoption.
I’m sure you know how that turned out. The number of smokers continued to increase. Later research tells us that the reasons this happened are essentially the same reasons I’ve explained above: personal biases, operant conditioning, active avoidance of negative messaging, and so on.
Again, people don’t care about hypothetical threats and dangers as much as we like to think they do. They actively ignore or rebel against them when addressing the hypothetical danger comes with a cost.
But smoking did finally start to decline in the U.S. around the late 1970s. It wasn’t because someone came up with just the right fear appeal ad. It wasn’t because the statistics finally sank in and millions of people collectively realized that smoking was bad.
It was because the cultural opinion around smoking shifted. One key turning point was the rise of the anti-smoker rights movement. Smoking became stigmatized. It became less acceptable to society as a whole. In time, the social costs of smoking became very high.
To create a similar shift, we must first call attention to the fact that cybersecurity adoption is a social matter, not just a personal one. If a business owner chooses to ignore cyber risk because of cost, they’re making an ill-informed decision that can easily result in harm coming to their stakeholders. They are being the greedy businessperson who puts personal gain above the welfare of others.
Imagine if a CEO decided not to install smoke detectors and fire sprinklers in their office because the cost was too high. How would the public respond to that?
Now imagine if that building burned down and it took down every other building on the block. Injuries. Damage. Hundreds of people out of jobs, all because someone went against evidence and ethics to save money.
That CEO would be skinned alive by public opinion.
And so it should be in cybersecurity. We must shift the collective understanding of cybersecurity such that it’s an absolute social responsibility. We want to evoke thoughts of risk, but not risk of cybercrime — something far more personal and experiential: the risks of guilt and shame. This will take a bit of long-term management of the security narrative, but it is entirely possible.
Obviously, the wrong approach is to tell the above story to the CEO you’re trying to convince. Comparing someone to a greedy CEO who burned an office full of people alive is generally not going to trigger the right response. (You’re welcome to try it, but please tell me how it goes.)
The correct approach is to plant the seeds of this narrative carefully and kindly. In a way, we’re asking our audience:
Would you want to do business with an organization that willingly and knowingly puts you and your stakeholders at risk?
We continue to tell the cyber risk story, but we tell it about someone else. This allows the audience to determine for themselves if their own behavior mirrors that of the person who is putting their own business, their vendors, their employees, and their families at risk because they want to ignore the problem. They can decide for themselves, “am I the one doing the wrong thing here?”
The objective is to make it unthinkable that an organization turns a blind eye to cybersecurity because the threat to everyone is far too great, and such a decision would be self-serving, miserly, and cruel. In a sense, it’s similar to how the public opinion of smoking changed because it was no longer a matter of “they’re only hurting themselves” — it became a bother and risk to everyone around them. It became, in a sense, shameful.
We should stop telling stories about CEOs who were affected by a cyberattack and start telling stories of the innocent victims in the background. The mother who lost her job. The family whose banking information was stolen. The vendors who trusted that company and were taken down with them. It’s easy to think selfishly when the only message is:
Cybercrime is a danger to your business.
It’s much harder to ignore:
Cybercrime is a danger to everyone who trusts you.
If nothing else, we have decades of public awareness campaigning on our side. There’s simply no excuse for underestimating the dangers of cyber risk after MSPs spent the last decade spamming every inbox in the country with fear appeals.
The awareness exists; what we need to create is accountability. The government is doing its part, but the potential of regulation is minute compared to the behavioral changes that can be sparked by social accountability.
Among the potential talking points:
- How many jobs are lost when a company is forced to shut down due to ransomware? How many families will that affect?
- People generally shrug it off when a store or manufacturer is breached, but attacks can spread from any organization into, say, a hospital. At that point, the unsecured organization was instrumental in putting lives in danger.
- Foreign aggressors are increasingly turning to cyberattacks as a means to harm and undermine our country. Failure to take cybersecurity seriously is a failure to take national security seriously and puts the welfare of the people in jeopardy. (“Cybersecurity is your patriotic duty.”)
- Overall cybercrime can only be reduced when everyone takes personal responsibility and lowers the profitability of such actions. (“If you’re not part of the solution, you’re part of the problem.”)
All in all, the messaging reinforces the idea that shirking one’s “cybersecurity responsibilities” is a willful choice to put personal gain/greed above the greater good. Such shifts in perception have powerful cultural ramifications, and consumers will respond to societal pressure far more readily than pressure from an IT salesperson.
This approach restructures the nature of the fear appeal, allowing the messaging to satisfy the two requirements of a successful message:
- The threat is no longer a cyber incident; the threat is operating as a careless, selfish organization that does not “do their part”. This isn’t a position that can be kept secret if widespread cultural awareness changes.
- The response is capable of eliminating that risk. While an IT provider can’t eliminate all risk of cyber attack, they can eliminate the risk of guilt and shame that would arise if the consumer didn’t take action.
Thus the fear appeal is now constructed in a way that checks both of the requisite boxes: the threat is credible and the solution is effective.