If I offered you $10 now and $15 next week, which would you choose? Depending on your personality, you might think the obvious choice is to wait until next week and get 50% more money, but studies in psychology have shown that the majority of people take the money and run.
The effect is called intertemporal discounting, and it — in part — explains why we so often hear about security breaches which could have been avoided.
Intertemporal discounting says that the further away a consequence is, the more we “discount” it. There’s an obvious benefit to waiting a week for the extra $5, but people tend to discount that $5, considering $10 now more valuable than $15 in a week.
With that in mind, think about a startup that has a decision to make. They have to decide whether to spend time properly implementing a security feature that will help keep user data is safe over the long term. The alternative is to implement a user-facing feature that will attract new users immediately. Which option is the startup likely to choose?
Everything else being equal, the smart choice is probably to focus on the security feature. If, a couple of years down the line, a hacker compromises the service and steals sensitive user data, the entire project will be jeopardized. The benefits of the user-facing feature is just a few new users.
But of course, businesses often choose the user-facing feature, because they discount the future impact of a security breach.
When building applications, developers and executives face thousands of decisions of this sort. Discounting means that very often, security, which has little immediate benefit, is neglected.
Executives and managers want immediate rewards: positive metrics in the short term. Developers want to work on interesting features, not the security basics that don’t offer any immediate reward.
We can see an example of this in the Ashley Madison hack from a couple of years ago. A developer added a small convenience function that made life easier in the short-term and caused a long-term disaster. It’s entirely likely that the developer and his superiors knew the potential risks, but the small immediate benefit completely overshadowed them.
It’s not that developers and executives don’t care about or understand security. They often understand perfectly well. But in a pressured environment that rewards immediate results and disregards security because the negative impact is further in the future, it’s all too easy to make a decision with catastrophic results.
What can companies do to combat discounting of this sort? Take security seriously. Understand that building secure applications on secure cloud platforms lays the groundwork for future success. Make building secure systems part of the culture of your business.
Discounting isn’t the only contributing factor to poor security, but it is important to understand how discounting can impact the way decisions are made if the industry is to avoid damaging security breaches.