Category Archives: Information security


10 ways to detect employees who are a threat to PHI

Software Associates specializes in software security and privacy compliance for medical device vendors in Israel. One of the great things about working with Israeli medical device vendors is the level of innovation, drive and abundance of smart people.

It’s why I get up in the morning.

Most people who don’t work in security assume that the field is very technical, yet really – it’s all about people. Data security breaches happen because people are greedy or careless. 100% of all software vulnerabilities are bugs, and most of those are design bugs which could have been avoided or mitigated by 2 or 3 people talking about the issues during the development process.

I’ve been talking to several of my colleagues for years about writing a book on “Security anti-design patterns” – and the time has come to start. So here we go:

Security anti-design pattern #1 – The lazy employee

Lazy employees are often misdiagnosed by security and compliance consultants as being stupid.

Before you flip the bozo bit on a customer’s employee as being stupid, consider that education and IQ are not reliable indicators of dangerous employees who are a threat to the company’s assets.

Lazy employees may be quite smart but they’d rather rely on organizational constructs instead of actually thinking and executing and occasionally getting caught making a mistake.

I realized this while engaging with a client who has a very smart VP – he’s so smart he has succeeded in maintaining a perfect record of never actually executing anything of significant worth at his company.

As a matter of fact – the issue is not smarts but believing that organizational constructs are security countermeasures in disguise.

So – how do you detect the people (even the smart ones) who are threats to PHI, intellectual property and system availability:

  1. Their hair is better organized than their thinking.
  2. They walk around the office with a coffee cup in their hand and when they don’t, their office door is closed.
  3. They never talk to peers who challenge their thinking.   Instead they send emails with a NATO distribution list.
  4. They are strong on turf ownership. A good sign of turf ownership issues is when subordinates in the company have gotten into the habit of not challenging the coffee-cup-holding VP’s thinking.
  5. They are big thinkers.    They use a lot of buzz words.
  6. When an engineer challenges their regulatory/procedural/organizational constructs – the automatic answer is an angry retort “That’s not your problem”.
  7. They use a lot of buzz-words like “I need a generic data structure for my device log”.
  8. When you remind them that they already have a generic data structure for their device log and they have a wealth of tools for data mining their logs – amazing free tools like Elasticsearch and R….they go back and whine a bit more about generic data structures for device logs.
  9. They seriously think that ISO 13485 is a security countermeasure.
  10. They’d rather schedule a corrective action session 3 weeks after the serious security event instead of fixing the issue the next day and documenting the root causes and changes.

If this post pisses you off (or if you like it), contact me, Danny Lieberman. I’m always interested in challenging projects with people who challenge my thinking.

Tell your friends and colleagues about us. Thanks!

The death of the anti-virus

Does anti-virus really protect your data?


Additional security controls do not necessarily reduce risk.

Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements.


Like everything else in life, security is an exercise in alternatives.

But – do you choose the right one?

Many firms see the information security issue as mainly an exercise in permissions and identity management (IDM). However, it is clear from conversations with two of our large telecom customers that (a) IDM is worthless against threats from trusted insiders with appropriate privileges and (b) since IDM systems require so much customization (as much as 90% in a large enterprise network), they actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats, is that your cost of attacks and ownership go up, instead of your risk going down. This is as true for a personal workstation as it is for a large enterprise network.

The question from a security perspective of an individual user is pretty easy to answer. Install a decent personal firewall (not Windows and please stay away from Symantec) and be careful.

For a business, the question is harder to answer because it is a rare company that has such deep pockets they can afford to purchase and install every security product recommended by their integrator and implement and enforce all the best-practice controls recommended by their accountants.

An approach we like is taking standards-based risk assessment and implementing controls that are a good fit to the business.

We use the quantitative threat analysis tool – PTA that enables any business  to build a quantitative risk model and construct an economically-justified, cost-effective set of countermeasures that reduces risk in their and their customers’ business environment.

More importantly, a company can execute a “gentle” implementation plan of controls concomitant with its budget instead of an all-or-nothing compliance checklist implementation that may cost mega-bucks.

And in this economy – fewer and fewer businesses have the big bucks to spend on security and compliance.

Software Associates specializes in helping medical device vendors achieve HIPAA compliance and improve the data and software security of their products in hospital and mobile environments in the best and most cost-effective way for your business and pocketbook.


It’s friends and family breaching patient privacy – not Estonian hackers.

A 2011 HIPAA patient privacy violation in Canada, where an imaging technician accessed the medical records of her ex-husband’s girlfriend is illustrative of unauthorized disclosure of patient information by authorized people.

Data leakage of ePHI (electronic protected health information) in hospitals is rampant simply because a) there is a lot of it floating around and b) because of human nature.

Human beings are naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family. Being human, they will bend rules to get information and, in the course of bending rules, breach patient privacy.

The right to patient privacy

The Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients’ right to confidentiality and HIPAA’s Privacy Rule grants federal protections for patients’ personal health information held by covered entities and gives patients rights regarding that information.

What is ePHI?

The Department of Health and Human Services defines ePHI as a combination of personal identifiers and clinical data in order to protect patient privacy.

Electronic protected health information (ePHI) is any information in an electronic medical record (EMR) that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. This includes names, geographical locations, dates (of birth etc.), phone numbers, email addresses, social security numbers, medical record numbers, license plate numbers, driver license numbers and biometrics.

Basically, any combination of personal identifiers that can be used to steal a person’s identity becomes ePHI when combined with EMR data.

HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia reveal that most patient privacy breaches are not perpetrated by hackers but by friends and family seeking information or insurance companies seeking to validate claims.

Social engineering methods are often employed with or without a “sweetener” and do not need to rely on exploiting software security vulnerabilities in order to breach patient privacy.

Courtesy of my friend Alan Norquist from Veriphyr

Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).

“The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian

The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.

Commissioner Cavoukian faulted the hospital for:

  • Failing to inform the victim of any disciplinary action against the perpetrator.
  • Not reporting the breach to the appropriate professional regulatory college.
  • Not following up with an investigation to determine if policy changes were required.

“The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian

It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologist had accessed the victim’s medical files six times over 10 months.

The information inappropriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report

(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information – Ottawa Citizen, January, 2011


Picking Your Way Through the Mime Field

We’re a professional software security consultancy and experienced software developers. Almost 10 years ago, one of our partners proposed that we develop a utility to encrypt Microsoft Outlook email messages. A prototype was developed – but an interesting thing happened when we started talking to potential beta customers – lawyers who had sensitive client information and technology development companies who have valuable intellectual property that they need to protect.

When we asked senior executives what they thought about encrypted email – the answer was universally – “We don’t really care”

Fast forward 10 years and the situation has changed dramatically.  We routinely counsel clients to carefully read the terms and conditions of their cloud  email service providers. For this reason we generally recommend to our medical and healthcare customers not to use Microsoft Skydrive due to their problematic privacy policy.

Today – encrypted email is an option you must consider.

Google Does What?

Online security, in particular email security, just got a whole lot more interesting with Google’s revelation that it does read emails it handles. Apparently Google have stated this fact in their submissions to hopefully dismiss a class action lawsuit that accuses them of breaking wiretap laws. I have always maintained that writing to someone via email is akin to writing them a postcard. The content of the email, just like a postcard, can be read en route. Now it’s a bit of a stretch of the imagination to think of the Post Office having someone read all of the postcards that we send, but we still would not write to a friend or colleague about private matters on a postcard. We would seal it in an envelope.

Google, in defense of their position regarding the reading of our emails, say: “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS (electronic communications service) provider in the course of delivery.” This analogy fails to acknowledge the fact that when an assistant opens their boss’s mail they do so with the prior consent of their boss, and they are subject to confidentiality agreements, if not explicit then most certainly implied by their position. Google, on the other hand, can make no such claim, because they explicitly then share that scanned information with the National Security Agency (NSA) under the provisions of the Patriot Act. Privacy does not exist when communicating by email; if this is news to you and you want to do something about it today, read on.

Sealing Your Email

If you want to continue using email to send your private communications via any web-based communication service, you are going to have to make use of encryption. Now this isn’t the time to stop reading because you think you can’t be bothered to learn all about that malarkey. Modern email encryption can be extremely easy; take a look at Egress Switch. It’s not like back in the day, when both sender and recipient needed to have bought into the same product; nowadays you can send a friend an encrypted email without having to have previously set the whole thing up!

Where Do I Sign-up?

Finding the right product for you is important; if you are looking for a corporate solution for private messaging and encrypted mail then it becomes a little more involved.

Software Associates is an experienced IT security consultancy with top-flight consultants and has been operating since 2003, serving large publicly traded companies and small startups with the same care and the highest level of attention to providing cost-effective security countermeasures. If you don’t mind corporate America and big brother reading all of your mail, do nothing; however, if that’s not how you want things to play out, you need to adopt email encryption right now!


Out of control with BYOD in your hospital?

The number of bring your own device (BYOD) workplaces is increasing.

Hospitals are certainly no exception with nursing staff, doctors and contractors bringing their own mobile devices into the hospital – and in many cases, jacking into WiFi networks in the hospital premises.

With mobile access points via  your smart phone – you don’t even need the courtesy of a hospital-provided WiFi network – you can jack in via your phone.

This is a real threat to data security in a hospital.  So the question is – Can the IT department of your hospital rein in wide use of personal mobile devices?

Nearly one third of CIOs surveyed said they support employees accessing the company network with their personal devices, writes IT World. But many IT departments remain resistant to such policies. BYOD has been around for a while in one way or another. Now IT can get it under control, and here are a few reasons why it’s good for them.

BYOD is an Old Problem

People have been bringing their own tech gadgets to work for years, notes the Digital Workplace Forum. External hard drives, thumb drives, DVD burners, music players and personal laptops have shown up in employee offices for a long time. It has always been a headache of IT departments to maintain security in environments where people bring their personal digital tools.

To alleviate this, some places put tight controls in place that limit an employee’s access to the company’s computer resources. The result is frustrated employees, lower productivity, and a problem that still exists. One solution is to establish policies and controls that allow IT to manage all of the devices that employees use to access the system.

More Controls Allow Greater Flexibility

The development of mobile device management (MDM) systems allows IT to support a workplace with multiple, different devices. Employees are no longer satisfied with just their company desktop computer to do their jobs. Forrester Research cites that 74 percent of employees use two or more devices to complete their tasks and 52 percent use three or more.

MDMs allow employees to bring their own devices to work, connect them to the network, and maintain the integrity and security of the company’s resources. Solutions such as the BlackBerry MDM let various types and brands of devices be registered and recognized by the system. Once a device is registered, IT can track the device’s activity and amount of use. This is more visibility than IT has typically had of employee devices.

Security is the First Priority

The Wall Street Journal reports that more than 80 percent of the younger employees polled said they brought in to work and used their own devices regardless of the company policy. More than 60 percent of the older employees replied the same way. Getting more controls in place is a way IT departments can finally keep their systems secure.

MDMs give visibility to the devices using the system. They can track the applications used so that unauthorized apps can be limited or restricted entirely. In the event that an employee reports a lost device, or when employees leave the company, the device can be wiped of any company apps and data. The tablet stolen from a hotel room during a conference is no longer a threat to the company’s security.

By controlling the apps available to the employee, IT can ensure that malware is not introduced to the system by people downloading apps from unauthorized sites. A central repository of custom in-house apps, commercial off the shelf (COTS) programs and app store products gives employees a selection of tools without risking the system security.

Creating virtual work spaces when people log into the system isolates their activity to a small portion of the system. Cloud services such as Dropbox and Skydrive help by creating collaborative workspaces outside of the company’s resources. The more that IT can move unpredictable activities to separate work areas, the more secure they can keep their company resources.


Cyber warfare – attack the social fabric of hackers instead of defending

The conventional military paradigm is not suited to cyber security

The cyber security policy of various countries was shaped by the military, and so cyber security has traditionally been perceived only in the context of a defensive strategy. This strategy is based on intelligence gathering, threat and risk analysis, modeling and monitoring, together with the deployment of defensive technologies such as firewalls, DDoS mitigation, intrusion prevention and the use of honeypots. The problem with such a defensive approach to cyber security is that it does not touch the root of the threat.

An offensive strategy for fighting cyber terror, using counter-terrorism techniques to dismantle terror infrastructures and social fabrics, is a more effective alternative to the defensive strategy.

Hackers’ social networks as a target for attack

Although there are offensive alternatives such as a counter-DDoS attack or the development of smart spyware bombs like Stuxnet, the more interesting idea is the use of a demand-side strategy aimed at lowering the social value inherent in being a hacker. One can learn from the success of the Italians in fighting Brigatist terror in the late 1970s. The Italian government planted moles in the Red Brigades, spread distrust within them and thus effectively eliminated the organization.

Attacking the social networks of those who develop and distribute malware requires infiltrating the hacker underground, arresting hackers for criminal offenses and closing deals in exchange for actionable intelligence.

Given that cyber attacks on Israel are a form of terror, I believe this strategy can be effective because it addresses the root of the problem directly and has the potential to take away the hackers’ greatest motivation – social reward.

Although the idea sounds promising, the main obstacle to this strategy is penetrating the hackers’ strongholds and recruiting local law enforcement.

There is no doubt that cooperation between countries, and between different partners inside and outside the State of Israel, is a critical success factor for an offensive cyber security strategy.

General mobilization

A cyber security strategy that is not reviewed by outsiders will never include a correct assessment of the cost-effectiveness of its security countermeasures, because political considerations will always prevail over common sense.

Representatives of the recently established Cyber Bureau must work in close cooperation with industry and share with it information about threats and vulnerabilities. Government and military bodies may hold higher-quality intelligence, but in most cases analysts and security technology developers from the business sector hold more up-to-date knowledge.

The effort to protect Israel from a cyber attack will succeed only if it is coordinated between the various government and military bodies, in partnership with allies and partners from the business sector, and combines high-quality intelligence, a deep understanding of future threats and a balanced review of security countermeasures.

About the author
Danny Lieberman
Born in Washington, lives in Israel. Holds a master’s degree in solid state physics, is a software security analyst by profession, an amateur but serious saxophone player and a mountain biker.


Why security defenses are a mistake

Security defenses don’t improve our understanding of the root causes of data breaches

Why is this so? Because when you defend against a data breach – you do not necessarily understand the vulnerabilities that can be exploited.

If you do not understand the root causes of your vulnerabilities, how can you justify and measure the effectiveness of your defensive measures?

Let me provide you with an example.

Conventional IT security practice says that you must install a firewall in front of a server farm.

Firewalls prevent the bad guys from getting in. They don’t prevent sensitive data assets from leaving your network during a data breach.

If you have a dozen servers running Ubuntu 12.04 with the latest patches, hardened and only serving responses to requests on SSH and HTTPS services, not only is there no added value in a firewall, but installing and maintaining a firewall will be a waste of money that doesn’t defend against a data breach.

First of all – defenses are by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up. Security defense products have much longer product development life cycles than the people who develop zero-day exploits. The battle is also extremely asymmetric – it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man-months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast-moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft’s.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has also become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

In summary – before handing over a PO to your local information security integrator – I strongly suggest a systematic threat analysis of your systems. After you have a prioritized set of countermeasures – you’ll be buying, but not necessarily what he’s selling.


Is your HIPAA security like a washing machine?

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle.

It’s always a 4 step cycle, like “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s a washing machine cycle that never stops.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However – since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches of medical devices and information systems having doubled last year, and security budgets that are shrinking as the US economy stutters – you need to measure how well the product reduces Value at Risk in dollars (or in Euro), and how well it will still do 3 years after you buy the technology.

In order to help make that happen – all you need to do is contact us via the site contact form or pick up a phone and give me a ring at +972-54-447.1114.

This is what we do – help you and your team take a leadership role in the board room and secure your medical devices instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.
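To make “quantification and prioritization based on the financial value of assets and measurement of threat impact” concrete (this also illustrates the PTA and Business Threat Modeling passages above), here is an added example: my own simplified annualized-loss model, not the PTA tool’s algorithm, in which the asset value, damage fractions, annual rates, mitigation factors and countermeasure costs are all assumed numbers.

```python
"""Quantify threats and rank countermeasures by risk removed per dollar.

Added example (not from the original post and not the PTA tool's own
algorithm): a simplified annualized-loss model. Every number below is an
assumption chosen to illustrate the method.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # financial value of the asset in dollars (assumed)


@dataclass
class Threat:
    name: str
    asset: Asset
    damage: float       # fraction of asset value lost per occurrence (0..1)
    annual_rate: float  # expected occurrences per year

    def annual_loss(self):
        """Expected annual loss from this threat with no controls."""
        return self.asset.value * self.damage * self.annual_rate


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's loss removed when deployed
    mitigation: dict = field(default_factory=dict)


def total_value_at_risk(threats, deployed=()):
    """Annual value at risk with the given countermeasures deployed.

    Mitigations against the same threat combine multiplicatively on the
    residual loss: two 50% controls leave 25% of the loss, not 0%.
    """
    total = 0.0
    for t in threats:
        residual = 1.0
        for cm in deployed:
            residual *= 1.0 - cm.mitigation.get(t.name, 0.0)
        total += t.annual_loss() * residual
    return total


def rank_countermeasures(threats, candidates):
    """Greedy plan: repeatedly deploy the control with the best marginal
    risk reduction per dollar; stop when no remaining control pays for
    itself (ratio of risk removed to annual cost at or below 1)."""
    plan, deployed = [], []
    while True:
        base = total_value_at_risk(threats, deployed)
        best, best_ratio = None, 1.0
        for cm in candidates:
            if cm in deployed:
                continue
            reduction = base - total_value_at_risk(threats, deployed + [cm])
            ratio = reduction / cm.annual_cost
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            return plan
        deployed.append(best)
        plan.append((best.name, round(best_ratio, 2)))


# Constructed model of a hospital EMR (all figures are assumptions).
EMR = Asset("patient records database", 5_000_000)
THREATS = [
    Threat("insider snooping", EMR, damage=0.02, annual_rate=4.0),
    Threat("lost laptop with ePHI", EMR, damage=0.05, annual_rate=1.0),
    Threat("external web app exploit", EMR, damage=0.20, annual_rate=0.2),
]
CANDIDATES = [
    Countermeasure("access log review", 40_000, {"insider snooping": 0.6}),
    Countermeasure("laptop disk encryption", 30_000, {"lost laptop with ePHI": 0.9}),
    Countermeasure("web application firewall", 150_000, {"external web app exploit": 0.4}),
    Countermeasure("secure code review", 80_000, {"external web app exploit": 0.5}),
]

if __name__ == "__main__":
    print(f"Value at risk, no controls: ${total_value_at_risk(THREATS):,.0f}")
    for name, ratio in rank_countermeasures(THREATS, CANDIDATES):
        print(f"deploy {name}: ${ratio:.2f} of risk removed per $1 spent")
```

With these assumed figures the web application firewall never makes the plan: once secure code review has halved the exploit loss, the firewall removes less risk than it costs, which is the kind of result a washing-machine cycle with no notion of asset value cannot produce.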


How to use BI to improve healthcare IT security

Information technology management is about executing predictable business processes.

Information Security Management is about reducing the impact of unpredictable attacks to  your  healthcare provider organization.

Once we put it this way – it’s clear that IT and security and compliance professionals, as dedicated as they are to their particular missions – do not have common business objectives and key results. This is why we have so many software security issues – we have software that is developed and implemented with disregard to best practice security.

In order to bridge the gap – healthcare provider IT and security professionals need to adopt a common goal and a common language – a language of customer-centric threat modelling.

Typically, when a healthcare provider (whether a hospital, HMO or primary care provider) needs a software application, an IT consultant will do a system analysis starting with business requirements and then proceed to propose a solution to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security consultants  make requirements based on the current risk profile of the healthcare provider, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

The problem is that the two activities never work together – as a result, we get islands of software applications that are not integrated with the company’s information security and compliance portfolio, and we get information security technologies that are unaware of the applications and, in the worst case, get in the way of business productivity.

Michael Koploy of Software Advice explains well how BI (business intelligence, once the domain of IT expert consultants) is now a highly accessible technology in his article 4 Steps to Creating Effective BI Teams.

Business intelligence–the use of sophisticated software to analyze complex data–is no longer the domain of a centralized group of IT staff or advanced data analysts. Today, powerful and Web-based BI tools are accessible to a wide range of business users.

BI is everywhere, and it’s everyone’s job. But with this proliferation comes new challenges. Teams of BI users today often lack the structure, guidance and leadership to effectively mine data. In this article, I’ll share four steps to establish guidelines, organize teams, delegate data management and allow the success of the BI team to permeate and drive innovation throughout the business.

I agree with Michael.

By using BI – we can explore vulnerabilities in business processes and bring the information back to healthcare IT and security management in a constructive way and start building that common language between healthcare IT  and healthcare security management that is so essential to protecting patient health records.


Snake Oil 2.0 – why more data is bad

Why more data is bad

Remember the old joke regarding college degrees? BS = Bull Shit, MS = More Shit, PhD = Piled Higher and Deeper and HBS = Half Baked Shit.

In Western society, we are schooled to believe that more and faster is better – even though we can see that big data analysis is paying off in a very small number of use cases (everyone is quoting personalized genomics and drugs)  and that large scale data breaches are the direct result of hackers going after the big juicy customer data sets.

Your marketing, technology, logistics and business development staff are all information junkies, not getting enough and wanting more.

Is lots of data really  good for business?

Our customers often feel they are not getting enough information – even though the sales and the product management staff feel that they (the staff) provide them (the customers) with lots of information via interactions  online, by phone, email, at face to face meetings and in formal product presentations.

Your CRM statistics may tell a story of high impact private networks for sale, the number of  online seminars and Web site visits and engagement but  customers often feel that they are getting no useful information at all from their vendor and account managers.

When customers and decision makers finally  do have a private, face-to-face meeting with a salesman and technology expert in the privacy of their office, they almost always feel that they have been given valuable information, even if they are unhappy with the answers or want to seek a competitive offer.

Why does this happen?

Utility is reference-based and not additive

As prospect theory predicts, utility (the value of a product or service) is reference-based and not additive.

In other words, more data from technical, sales and marketing staff and customer support groups is less valuable than data received when the frame of reference is a private consultation with a senior product manager regarding a technology solution – for example, data loss prevention technology to prevent data leakage of patient records in a large hospital organization.

Framing favors customers overrating a face-to-face visit with an expert sales engineer and underrating digital communications – even if the technical content is identical.

Framing effects in the customer relationship may also be related to cultural and societal factors.

In countries where managers function within a hierarchy, decision makers will tend to  value personal visits from senior sales engineers over email, social media, Dr. Google and online technology forums.

Framing effects create mismatched perceptions and expectations in an asymmetric relationship – where technical decision makers  (at the bottom of the totem pole) get information but do not value it and sales and engineering staff (the experts at the top of the totem pole) provide information and expect the customer to value the information and then become frustrated when their prospective customer downgrades the value of their messages.

Closing the gap between vendor messages and customer assessment of quality is critical to customer satisfaction, improving the customer relationship and achieving higher sales and product satisfaction.

From a data security perspective – storing less data is more secure than storing more data.

From a sales and marketing perspective – getting a small number of the right messages out to the customer is good marketing and effective sales.

I’d love to hear what you think – drop me a line or a comment on the blog and tell me where I’m wrong.
