Tina M. Loraas
Businesses are being targeted by cyber-extortionists at a minimum cost of hundreds of millions of dollars per year (Computer Crime and Security Survey 2004). A top reason listed for failure to incorporate better system security the inability to persuade top management of its value (Ernst and Young 2004). Previous studies suggest that quantitative arguments are more persuasive than qualitative arguments in business proposals, suggesting that proposals including the quantitative costs and benefits of system security would be appropriate to present to management (Porter 1995; Birdsell 1998; Kadous, Koonce, and Towry 2005). Due to the difficulties in quantifying returns in some projects, I look to theory in psychology to show when qualitative proposals would prove more effective. Goal framing has shown that emphasizing the negative is more persuasive than emphasizing the positive (Levin, Schneider, and Gaeth 1998). Following, I propose and find that in settings when the outcome is uncertain in quantitative terms, that qualitative arguments that accentuate the potential to avoid negative outcomes associated with lesser security are more persuasive than quantification.