Stanley Tan

Reducing Perceived Risk

Blue Mountains

There are only a few reasons why someone would pay money for something. Most of the time it is to scratch an itch. They seek to exchange a value (cash) that they have, for a value that your product proposes (solving their problem).

Here’s where things get interesting. Before making a decision, you can expect customers to perform a risk assessment of your product. I have noticed that the time spent on these assessments (otherwise known as product research) is related to their perceived risk of the product. It could be a conscious or subconscious act, but it happens all the same. Some purchases take a couple of seconds, while others can span months or even years. Furthermore, individual customers have their own perceptions depending on their individual circumstances. Here are the factors that can cause perceived risk to increase.

There are 5 factors which contribute to the total perceived risk of a software-as-a-service product: functional, social, psychological, financial and time. Together, these factors shape the customer’s decision-making process. We’ll take a look at these factors along with examples of techniques to reduce perceived risk.

  1. Functional. Will the product perform according to expectations? What features does it have?

    Provide a free trial or free tier. Customers should feel comfortable taking your product for a “test drive” before committing. If you can’t afford to provide a free trial, maybe consider doing a video demo or a screen cast that will portray the workflow of the product. This way, they would know that the product works before handing over their credit card details.

  2. Social. What would my boss or peers think when they find out?

    Getting social proof is a chicken-and-egg problem. People won’t use your product unless you have enough social proof, and you won’t have social proof until people use your product. The good news is that early adopters are less sensitive to this factor.

    Testimonials and endorsements by well known people and businesses in your target market can help convince customers too. Social proof is all about the wisdom of the crowd. If enough people say it’s good, it reduces the perceived risk. Guest posting on other industry blogs and other outreach efforts will help with awareness.

  3. Psychological. Is this a business I want to support? Does it have the same values as I do? Will it disappear overnight?

    The way you communicate with customers reflects your values. That includes everything from the copy on your landing page to the retention emails you send out.

    Add photos and short bios of your entire team together with links to their email and social media accounts on the about page. It portrays availability and helps customers put a face to the business.

  4. Financial. Can I or my business afford this product? Is it priced higher than its competitors?

    Generally, it is hard to beat other products based on price alone. Base your pricing on the value that your ideal customer will receive. Paying $99 per month to solve a real business pain would not be an issue for many businesses.

  5. Time. How much effort do I have to put in to switch over to this new product?

    Always guide a new user with an on-boarding process. Explain features and point out important links in the product. The ideal on-boarding process would walk a user through the product all the way until the aha moment.

    You can also make it super easy for customers to switch to and from your product with one-click import and export of data. Blogging platforms such as WordPress and Tumblr are good examples.

I would love to hear and discuss techniques that work for your business. If you need help reducing perceived risk on your product from my point of view, feel free to reach out.

Photograph is of Blue Mountains, NSW, Australia. It’s about an hour or two west of Sydney.



This is an apocalypse. The world is on fire. The sky is falling. Everything you hold sacred has now turned to dust.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.


Earlier today, a bunch of security researchers unleashed CVE-2014-0160 (CODENAME: Heartbleed) into the world. It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). It powers about 66% of internet-connected devices. I can guarantee that everyone who uses the internet uses it at some point in their day-to-day activities.

What’s frightening is that this bug has been around for more than 2 years. It is extremely likely that it has been exploited by multiple intelligence agencies and blackhats. Exploitation of this bug also leaves no traces of anything abnormal happening in the logs.

Note that both servers and clients are affected. This means that a malicious server could dump the secrets in your client’s memory without you knowing.

In short, the vulnerability disclosed allows an attacker to read the memory of the affected system. Memory is where an attacker would find passwords and private keys as well as other decrypted and sensitive information.

Don’t understand the severity of this problem? Imagine walking up to any stranger and saying “Hey, how’s it going?”. Immediately, he/she will share with you whatever was on their mind at that point in time. It could likely be a private thought, a secret they do not want anyone else to know about. You could keep asking as many times as you wanted and the stranger would tell you new things each time. On top of that, the stranger would not have a clue of it occurring.
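To make the mechanism concrete, here is a small Python model of the heartbeat length check at the heart of the bug. It is an added example, not OpenSSL’s code and not from the original post: a heartbeat record is modelled as a type byte, a two-byte declared payload length, the payload and 16 bytes of padding, and “process memory” is a constructed byte string with the record placed next to other data. The vulnerable responder trusts the declared length; the fixed responder, following the shape of the upstream patch, discards any record whose declared length does not fit inside the record actually received. All buffer contents, names and offsets below are constructed for illustration.

```python
"""Toy model of the TLS heartbeat length check behind Heartbleed (CVE-2014-0160).

Constructed teaching model, not OpenSSL's code.  Record layout (RFC 6520):
    type (1 byte) || payload_length (2 bytes, big-endian) || payload || padding (>= 16 bytes)
The bug: the responder copied payload_length bytes out of the record buffer
without checking that the record it had actually received was that long.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
HEADER_LEN = 1 + 2      # type byte plus two-byte declared length
PADDING_LEN = 16        # minimum padding required by the RFC


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.  A well-formed sender declares len(payload);
    declared_len exists only so the demo can build an over-declaring record."""
    if declared_len is None:
        declared_len = len(payload)
    return bytes([HB_REQUEST]) + struct.pack(">H", declared_len) + payload + bytes(PADDING_LEN)


def _declared_payload_len(memory: bytes, rec_off: int) -> int:
    # Byte 0 of the record is the type; bytes 1-2 are the declared payload length.
    (payload_len,) = struct.unpack_from(">H", memory, rec_off + 1)
    return payload_len


def _response(memory: bytes, start: int, payload_len: int) -> bytes:
    # The Python slice stops at the end of our constructed buffer; the C original
    # read whatever happened to follow the record on the heap.
    echoed = memory[start:start + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + echoed + bytes(PADDING_LEN)


def respond_vulnerable(memory: bytes, rec_off: int, rec_len: int) -> bytes:
    """Pre-fix behaviour: rec_len (the length actually received) is never consulted,
    so the copy runs past the record into whatever follows it in memory."""
    payload_len = _declared_payload_len(memory, rec_off)
    return _response(memory, rec_off + HEADER_LEN, payload_len)


def respond_fixed(memory: bytes, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Post-fix behaviour: two bounds checks, then silently discard (None) on failure."""
    # The record must at least hold the header and the minimum padding.
    if HEADER_LEN + PADDING_LEN > rec_len:
        return None
    payload_len = _declared_payload_len(memory, rec_off)
    # Header, declared payload and padding must all fit inside what was received.
    if HEADER_LEN + payload_len + PADDING_LEN > rec_len:
        return None
    return _response(memory, rec_off + HEADER_LEN, payload_len)


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    (n,) = struct.unpack_from(">H", response, 1)
    return response[HEADER_LEN:HEADER_LEN + n]


def demo():
    """Constructed 'process memory': a 4-byte payload that claims to be 60 bytes,
    followed by bytes standing in for an unrelated allocation."""
    neighbour = b"<adjacent allocation: session state>"
    record = build_heartbeat(b"ping", declared_len=60)
    memory = bytes(8) + record + neighbour + bytes(32)
    rec_off, rec_len = 8, len(record)
    return respond_vulnerable(memory, rec_off, rec_len), respond_fixed(memory, rec_off, rec_len)


if __name__ == "__main__":
    leaked, dropped = demo()
    print("vulnerable responder echoed:", response_payload(leaked))
    print("fixed responder returned:", dropped)
```

The model shows why the leak leaves nothing in the logs: from the server’s point of view a request with an inflated length is a perfectly ordinary heartbeat, and the only difference the fix makes is that the record is dropped before anything is copied.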

As an end user, there’s not much you can do, except turn the internet off and go for a walk until the bug is patched. Do not use any web services that are vulnerable, as they may leak your username and password or, worse, credit card information. More importantly, do not visit sites that you do not trust.

Change your passwords and API keys only after web services fix the issue. Prematurely changing them could be riskier than leaving them unchanged, since the most recently used information is what gets leaked. For example, private keys are leaked on the first request after a restart.

If you own a server that runs OpenSSL, here’s a list of things you should do.

  1. Update OpenSSL. Your distribution most likely would have patched and tested the package.
  2. Recompile everything that is linked to the old version of OpenSSL. Packages such as Nginx and Ruby link against it and you’ll have to recompile them.
  3. Reboot the server. Ensure everything is running on the patched version.
  4. Generate a new private key, Certificate Signing Request (CSR) and get a new certificate. Consider your old keys compromised and revoke them. Get a brand new set.
  5. Change any passwords you use on the servers. Passwords are kept in memory and could have been leaked.
  6. Generate and switch to a new secret if you’re using cookie based sessions in Sinatra or other web frameworks. Expire all active user sessions.
  7. Get your users to change their passwords. Passwords should be considered compromised as the server leaks memory and past traffic can be decrypted.
  8. Check your SSL configurations. Don’t support older protocols and broken SSL ciphers. Enable Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS). You can also choose to cache SSL sessions for improved performance.
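For steps 1 and 3 of the list, here is an added Python script (not from the original post) that does two checks an administrator wants after the upgrade: it classifies an `openssl version` string against the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and it scans /proc/PID/maps for processes that still map a libssl or libcrypto file marked “(deleted)”, which is how Linux flags a library that was replaced on disk after the process loaded it. Such processes are still running the old code until restarted. The sample maps content, PIDs and paths are constructed.

```python
"""Post-upgrade checks for steps 1 and 3 above: is the installed OpenSSL in the
affected range, and which running processes still have the old library mapped?

Added example, not from the original post.  Linux marks a mapped file that was
replaced or removed on disk with a "(deleted)" suffix in /proc/PID/maps; a process
showing that for libssl/libcrypto loaded the pre-upgrade copy and keeps running it.
"""
import os
import re
import subprocess
from typing import Dict, List, Tuple

# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1, 0, 1, "e", "fips"
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9.]+))?")
# .../libssl.so.1.0.0 or .../libcrypto.so.1.0.0
_SSL_LIB_RE = re.compile(r"/lib(ssl|crypto)\.so[.\d]*$")
_DELETED = " (deleted)"


def heartbleed_status(version_line: str) -> str:
    """Classify an `openssl version` string against the upstream affected range:
    1.0.1 through 1.0.1f and 1.0.2-beta1 were vulnerable; 1.0.1g and 1.0.2-beta2
    were fixed; the 1.0.0 and 0.9.8 branches never had the heartbeat code."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), (m.group(5) or "")
    if branch == (1, 0, 1):
        # Distros backported the fix without bumping the letter, so 1.0.1e may
        # already be patched: confirm via the package changelog or `openssl version -b`.
        return "fixed" if letter >= "g" else "vulnerable-unless-distro-patched"
    if branch == (1, 0, 2):
        return "vulnerable-unless-distro-patched" if suffix == "beta1" else "fixed"
    return "not-affected-branch"


def find_stale_ssl_mappings(maps_by_pid: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (pid, path) pairs for deleted libssl/libcrypto files still mapped."""
    stale = set()
    for pid, maps_text in maps_by_pid.items():
        for line in maps_text.splitlines():
            # address perms offset dev inode [pathname]; the pathname may contain spaces
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue                      # anonymous mapping, no backing file
            path = parts[5]
            if not path.endswith(_DELETED):
                continue
            path = path[: -len(_DELETED)]
            if _SSL_LIB_RE.search(path):
                stale.add((pid, path))
    return sorted(stale)


def read_proc_maps() -> Dict[int, str]:
    """Collect /proc/PID/maps for every process we are allowed to read."""
    maps = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                maps[int(entry)] = fh.read()
        except OSError:                       # exited meanwhile, or not ours to read
            continue
    return maps


# Constructed sample: nginx and a from-source ruby still map the replaced
# libraries; postgres was restarted after the upgrade and maps the new file.
SAMPLE_MAPS = {
    1234: "7f0a1c000000-7f0a1c1c4000 r-xp 00000000 08:01 1053122 /lib/x86_64-linux-gnu/libc-2.19.so\n"
          "7f0a1c400000-7f0a1c45e000 r-xp 00000000 08:01 1053130 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
          "7f0a1c45e000-7f0a1c460000 rw-p 0005d000 08:01 1053130 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
          "7f0a1c600000-7f0a1c7f4000 r-xp 00000000 08:01 1053131 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
          "7f0a1c800000-7f0a1c821000 rw-p 00000000 00:00 0\n",
    2200: "7f3b00000000-7f3b001f4000 r-xp 00000000 08:01 1064000 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0\n",
    3100: "7f9900000000-7f990005e000 r-xp 00000000 08:01 2001000 /usr/local/lib/libssl.so.1.0.0 (deleted)\n",
}


def main() -> None:
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False).stdout
        print(out.strip(), "->", heartbleed_status(out))
    except FileNotFoundError:
        print("openssl binary not found")
    source = read_proc_maps() if os.path.isdir("/proc") else SAMPLE_MAPS
    for pid, path in find_stale_ssl_mappings(source):
        print(f"pid {pid} still maps deleted {path}: restart it")


if __name__ == "__main__":
    main()
```

The version check is deliberately conservative: distributions such as Debian, Ubuntu and Red Hat shipped the fix as a backport without changing the version letter, so a string like 1.0.1e can be either patched or not, and only the package changelog or the build date from `openssl version -b` settles it. The maps check sees only dynamically linked libraries; a binary built with a statically linked or bundled OpenSSL (the recompile case in step 2) will not show up here and has to be tracked through the rebuild itself.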

Some PoCs have since been released.

Getting Serious


I wish I had known this when I was much younger, and now I try to tell it to almost everyone I know who is younger than me. Even if I know they won’t get it and continue doing what they used to.

Young people, like you, especially these days, do not do much. They do their school work to get by in school and not much more. They spend their free time on social networks, partying, shopping, watching TV and playing computer games. Young people think that they should act or behave a certain way. They know that they aren’t adults. As such, they think that there is a dotted line that they can’t cross. However, the fact is that this dotted line doesn’t exist. Anyone can behave like an “adult” at any point in their lives. After a while, people do realise it. Unfortunately, most of the time, it is just a bit too late.

A manifestation of this behaviour is the keenness on life after graduation. People think that after they graduate, they are able to cross the non-existent line and finally start behaving like adults. Except, that doesn’t happen. It’s not difficult to observe that when people graduate, most of them have no idea what to do. They just limp along towards adulthood, getting jobs they don’t like with no concrete plans. Some even yearn to go back to school. The earlier you find out that you are not bound by any sort of constraints, the earlier you’ll be able to grow.

Since most young people don’t do anything, any sort of achievement will put you under the spotlight. Get serious and spend a couple of hours a day on creating something, anything. Start a business, learn to play the piano, write a book, build a web application, anything impressive. The thing you end up with is almost immaterial. What matters is the process. By trying to do something challenging and deciding to be serious about it, you will learn a lot about resilience and drive. I would argue that these are the two important skills any self-reliant person should exhibit, among others. And when you get good at it, you’ll be more confident and start realising that you can do anything.

If you are serious about something and start talking to others about it, no one will say “Oh but you are just a kid, you are not allowed to do this.”. Quite the contrary, you’ll impress them as no one that young is that serious about anything. And you can’t fake this stuff. They will know because if you are actually serious, they can see it in your eyes and hear it in your voice.

Getting good at something also negates the power of certification. You will realise that any sort of certification is not representative of how good a person is at a particular skill. Certificates in some cases represent knowledge. Yet most of the time, they only represent test-taking ability.

I’m not saying that you should be serious about everything and never have fun. Going out with friends is also important as it lets you bond with them and create memories that you can look back on. Additionally, having fun when young is an entitlement. It stops you from feeling like you never had a childhood. Everyone else is having lots of fun and not being serious. Give yourself an advantage: spend a couple of hours a day being serious, and spend the rest of the day having fun.

Photograph is of a beautiful duck in Dunedin, New Zealand. I managed to get extremely close to it for the shot. It was at a pond near a public duck feeding area.