Say a company is shopping for a new security product. AV or firewall or web filter or whatever. Product A offers 15 of the standard features and costs $X. Product B offers the same 15 plus a couple of fancy dynamic thingies that might increase their security, but costs $X + Y per year.
How should the company decide if those couple of features are worth the extra $Y per year? This is essentially the same problem you are faced with when trying to decide whether or not to buy the warranty at the electronics store or to upgrade the insurance on the rental car.
I think these decisions are to some degree based on a gut feeling on how good Product B is. This gut feeling could be based on anything: how well the customer likes the vendor, the sales team, the marketing, etc.
Perhaps more important is the marginal value of the cash the customer has available. If the customer can’t think of anything they would rather spend Y dollars on, and they would rather spend it on some ostensible security features than leave it in the bank, then they will pay the extra money. In short, the decision is based on the opportunity cost of the extra features.
I’m not sure either of these methods is wrong, but there must be better ways to make these decisions, which may include the above methods.
4 responses so far ↓
1 Alex // Dec 4, 2009 at 9:42 am
OK, so if B’s whizbang that costs “Y” can’t be expressed (quant or qualitatively) to:
Create operational efficiencies
Reduce Risk
Then whizbang = extraneous.
Else
If whizbang = Operational Efficiency > $Y: Purchase
If whizbang = Operational Efficiency < $Y: Don’t Purchase
If whizbang = Risk Reduction NOW we have interesting issues. If the risk reduction isn’t fairly self evident from a “gut” analysis, then a discussion of the threat landscape, and frequency is in order.
2 Jon // Dec 4, 2009 at 11:04 am
Or, more generally,
If whizbang = Operational Efficiency + Risk Reduction > $Y: Purchase
If whizbang = Operational Efficiency + Risk Reduction < $Y: Don’t Purchase
If we are talking security products then Risk Reduction should never be negative, but in general I don’t see why it couldn’t be negative.
So the customer is left to measure OpEff and Risk Reduction. I think they can only do that in terms of their existing resources and options (opportunity cost). Ultimately it is a guess about the future so the gut feeling will always be there.
3 Bill Prout // Dec 10, 2009 at 7:52 am
This article assumes that the features would be only marginally beneficial. Customers shouldn’t only look at security products as a list of features. Before selecting a product they should better understand the depth of each feature and how effective they are. Only then can the organization decide if the price is worth the protection they will receive. In the end, the risks of forgoing security solutions or specific functions is not worth the potential costs: http://securityblog.astaro.com/2009/11/risks_of_forgoing_security_out.html
4 Jon // Dec 10, 2009 at 10:21 am
@Bill read this: http://en.wikipedia.org/wiki/Marginal_utility
and this:
http://en.wikipedia.org/wiki/Diminishing_returns
then you will understand better where I am coming from. Everything you buy is assessed “on the margin”. The first computer you buy might be worth $2000 to you. The second, maybe $1200, the third, maybe $400, for example. Obviously, this is subjective based on the buyer. I’m interested in how the buyer can make this sort of decision more accurately, with a better understanding of reality, than just buying based on gut or fashion.
I don’t want my customers to buy because of an overly broad analysis of: “the risks of forgoing security solutions is not worth the potential costs”, unless it is actually true. It’s not always true.
For example, should a customer pay a lot for Websense or use OpenDNS with free filtering? This decision will likely largely be based on features and what a few unique features are worth to the customer.