IT Security - Use Facts and not FUD for solution proposals
The article below notes that FUD (Fear, Uncertainty, and Doubt) may be used to "sell the need for security" to home users or even in some organizations. FUD means that exaggerated claims are used to alarm folks into making security decisions. However, I believe most corporate security professionals (as least those I've worked with) thoroughly research options and present as much factual information as possible to IT management.
Corporate security is a business requirement. Granted, it's sometimes difficult to ascertain and quantify in real dollar terms. It entails risk management to address potential losses in a cost effective manner. The potential consequences of not acting to address true exposures should be shared in a professional manner without the use of FUD.
In some respects, it's important to occasionally "cry wolf" when major exposures surface. However, as the article notes, It's important to be factual and "to keep the powder dry" in over-alerting folks to maintain credibility.
If there's a strong potential of attacks for a highly vulnerable exposure, IT Security needs to be alert all affected areas to work pro-actively in preventing it. You always want to "patch the roof before it rains", which could be immediately or several weeks away.
I agree with some of the constructive criticism noted in the article. Security professionals need to apply due diligence in properly researching solutions. The use of facts rather than FUD over time will improve management's perception of IT security as the critical business resource it has become.
Security Reference Guide - Three Reasons Why Users Won't Buy Into Security
QUOTE: As if to bolster the viewpoint that the security community only has fear to offer their users, when was the last time you every heard anything good about a security solution or process. For example, have you ever seen the headline "XYZ Firewall Prevent Hackers from Blowing Up a Power Plant!?" Unlikely. Instead, security related news that does make it to the general community deals with viruses, malicious hackers, and scary scenarios that paint a really bad picture of the digital world. Ultimately, it is fairly obvious that FUD tactics are the primary method by which the security industry obtains and maintains their consumers.