One of my favorite (non-fiction) authors is Robert Cialdini. The first book I read of his was Influence: Science and Practice after a recommendation (thanks, Diana!). It laid out a set of strong concepts that influence folks – commitment and consistency, social proof, liking, scarcity, reciprocation, authority. (I make reference to these occasionally on this blog.)
Cialdini's got a new book out called Yes! that discusses 50 persuasion concepts that are backed by empirical research (that's what I like about all of his concepts – they have been demonstrated in the field). There is some repetition with his other books, but these are 3-4 page "chapters" that are very easy to read.
It happens that I was reading the chapter on social norms (or social proof) at the same time as our recent discussion about PCI.
What Cialdini et al. found in a study on household energy conservation was that people increased or decreased their consumption based on the average neighborhood consumption of energy, in a "regression to the mean" style.
This concept of social norm got me thinking about PCI. One of the themes that comes out of compliance vs. security discussions is that compliance is about meeting a minimum standard and people who "really care" about security (whatever that means) would actually do more. I think the principle of social norms is hard at work here, which makes the "goal" of being PCI-compliant the social norm and acts as a deterrent (or creates a 'boomerang effect' according to Cialdini) to folks that want to be more secure. So if making PCI compliance a minimum baseline is an objective of the program, it is likely to backfire and actually make some companies less secure.
There is good news here. The Cialdini study (which, incidentally, can be found here) also used incentives – smiley faces on the reports – to reduce this boomerang effect and incent those people who were consuming lower than average to continue their low-consumption ways.
So, what is the PCI "smiley face"? If PCI wants to encourage, but not necessarily regulate, a higher standard, they should come up with a PCI+ program that could be used perhaps for advertising or some financial incentives…
One logical flaw here: “the “goal” of being PCI-compliant the social norm …”
If you look at small to large orgs, you’d notice that PCI is STILL (!) way, way ABOVE many organizations’ level of security.
We think of it as “the minimum”, they think about it as “WAY too much!”
@Anton -
Those folks are “below the mean” and when told (for example) that x thousand organizations are PCI compliant, should work to become compliant as well.
In any case, this came up because we know PCI-compliant companies are still hit with incidents and so in some respects PCI is not sufficient (we knew that, but tend to forget often). So, for these orgs, they are already compliant.
OK, that makes sense actually; on any curve we’d always have a large # of co which are way, way below PCI DSS standard.