Information Security News mailing list archives

Retailers Report Sales Bounce Using Security Certificate


From: InfoSec News <isn () c4i org>
Date: Wed, 23 Apr 2003 00:21:34 -0500 (CDT)

http://www.informationweek.com/story/showArticle.jhtml?articleID=8800552

By George V. Hulme 
Apr. 22, 2003

Sites showing proof of increased Web security say that up to a third
more people went beyond shopping and actually bought, according to an
auditing firm.

Can you boost sales on your Web site by promoting your use of tough
security? Web-site auditing firm ScanAlert argues that the answer is
yes and says it has the facts to back up that claim.

ScanAlert says it has analyzed the shopping behavior of more than
300,000 visitors to 11 online retailers. Sites showing "proof" of
increased Web security enjoyed a 10.5% to 33% boost in converting
browsers to buyers.

ScanAlert's service, Hacker Safe, does what standard Web-site
security-scanning software does, only with a twist. Starting at $149 a
month, the company scans Web retailers' sites for security holes,
which are often caused by unpatched systems or unnecessary services
running. If a site is found to be vulnerability-free, it qualifies to
post the Hacker Safe certification on its site. Retail Web sites are
scanned daily, and, should a vulnerability show up, they have 72 hours
to fix the flaw or lose the Hacker Safe designation.

In a test begun in October, half the visitors to participating Web
sites were shown the Hacker Safe certification, while the other half
were not.  Online retailer Clubfurniture.com reported a 33% increase
in buyers among those shown the certification, Binoculars.com improved
sales by 32%, and CDconnection.com saw an increase of 13%.

"The results surprised me," says Ken Lovett, president of
CDconnection, which has been selling CDs online since 1990. He also
notes that a site has to work to display the certification. "You have
to keep earning the right,"  he says. If a problem is spotted, "you
get an urgent alert and have to fix it or they'll bounce you."

No automated vulnerability-scanning application can spot all flaws
that might leave an open door for hackers. But ScanAlert says its
service will protect consumers from 99.9% of credit-card fraud and
identity theft caused by hackers.

Analysts aren't so sure. "That's hyperbole," says Eric Ogren, a senior
analyst with the Yankee Group. But using the service does send a
message.  "It shows that the retailer is doing much more than other
retailers and that security is important to them." Ogren says he
doesn't know of any other vendors providing a similar service.

In the past year, numerous Web sites have been hacked and crucial
customer data stolen. That has made some people leery about shopping
online.

Consumer Janell Elyea, who has been buying things from Web sites for
about five years, says she's cautious. She uses the same credit card,
which has a modest credit limit, for all online purchases. "I look
carefully at my billing statement every month," she says. She says the
Hacker Safe certification would give her some added confidence, but
not much. "I don't think I'd choose one retailer over another because
of it," she says.  "There's really no way to make Web sites completely
safe. I think most already know that the little lock at the bottom of
the screen doesn't mean much of anything."

Perhaps. But Web sites that see a boost in sales find ScanAlert's
sales pitch compelling. "Just a 1% boost would have justified the
expense,"  CDconnection's Lovett says. If such sales increases hold up
over the long term, more online merchants are likely to see if they
also can boost sales by boasting of better security.

Elyea says she'll continue to check her credit-card statement each
month, even from sites sporting the Hacker Safe certification. That's
a good idea.  ScanAlert's disclaimer reads, in part: "ScanAlert makes
no warranty or claim of any kind, whatsoever, about the accuracy or
usefulness of any information provided herein or the security of the
Website herein rated."

According to ScanAlert, less than 2% of Web browsers bother to click
on the certification mark to read the disclaimer.



-
ISN is currently hosted by Attrition.org
