Blog posts by guest authors

Decentralized Identity 101: What It Is and Why It Matters

Guest Author: Vinny Lingham, CEO, Civic Technologies

Bitcoin. Blockchain. Crypto. Decentralization. Tokens. A lot of buzzwords have emerged alongside the rise of blockchain technology. Yet, there is often a lack of context about what those terms actually mean and the impact they will have.

Decentralized identity re-envisions the way people access, control, and share their personal information. It gives people power back over their identity.

Current identity challenges all tie back to the way we collect and store data. The world has evolved from floppy disks to the Cloud, but now, every single time that data is collected, processed, or stored, security and privacy concerns emerge. With the rise of the digital economy, consumers have unintentionally turned banks, governments, and stores into identity management organizations, responsible for the storage and protection of an unprecedented amount of personal data. Unfortunately, as recent hacks have shown, not all of them were ready to deal with this new role.

Decentralized identity puts that power and responsibility back in the hands of the individual, giving them the ability to control and protect their own personal information. This concept is made possible by the decentralized nature of blockchain and the trust created by consensus algorithms.

How Blockchain Creates Trust

The most prominent blockchain application to date is Bitcoin, a technology that emerged following the U.S. financial crisis of 2008 when trust in institutions was at an all-time low. Blockchain technology, specifically the public blockchain, has several unique characteristics that solve problems of trust and make it a great fit for identity solutions.

First, blockchain is immutable, or unchangeable. Blockchain transactions are processed by a network. Computers work together to confirm a transaction, and every computer in the network must eventually confirm every transaction in the chain. These transactions are processed in blocks, and each block is linked to the preceding block. This structure makes it reasonably impossible to go back and alter a transaction. Additionally, blockchain is transparent. Every computer in the network has a record of every transaction that occurred.

Second, decentralization is the essence of blockchain: no one party controls the data, so there is no single point of failure and no one who can override a transaction. Taken together, immutability and decentralization are how blockchain builds trust: when data cannot be modified and is independently verifiable, it can be trusted.

How Blockchain Helps Decentralized Identity

Currently, there is a presumption that knowledge of information is identity. If a person knows a social security number or password, they are presumed to be the person who that information represents. And if a person knows your personal information, they can impersonate you.

Using blockchain technology to decentralize identity is about digital validation and keys. For example, a digital wallet holds cryptographic keys that cannot be recreated elsewhere, so you must have physical access to the device to validate identity. With a decentralized identity system, a remote hacker might have access to pieces of personal information, but being able to prove an actual identity would require physical possession of that person’s device. Decentralized identity is literally putting the power back in the hands of the people.
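As an added illustration of the possession-based check described above (example code, not from the original post or from Civic), the Go program below has a relying party keep only a public record and issue a random challenge that only the holder's device key can answer. The choice of Ed25519, the `did:example:` identifier and the audience names are assumptions made for the demonstration; the page names no specific algorithm or identifier format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// IdentityRecord is what a relying party stores about a holder. Note what is
// absent: no password, no Social Security number, nothing that a remote
// attacker could learn and then reuse. The DID value is a constructed placeholder.
type IdentityRecord struct {
	DID       string
	PublicKey ed25519.PublicKey
}

// Wallet models the holder's device. The private key is generated on the
// device and never leaves it; proving identity means proving possession of it.
type Wallet struct {
	DID  string
	priv ed25519.PrivateKey
}

// NewWallet creates a device key pair and the public record a verifier keeps.
func NewWallet(did string) (*Wallet, IdentityRecord, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, IdentityRecord{}, err
	}
	return &Wallet{DID: did, priv: priv}, IdentityRecord{DID: did, PublicKey: pub}, nil
}

// NewChallenge returns a fresh random nonce. A new nonce per attempt is what
// stops a captured response from being replayed later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// challengeMessage binds the nonce to the verifier's name, so a response
// produced for one relying party cannot be presented to another.
func challengeMessage(nonce []byte, audience string) []byte {
	msg := []byte("possession-challenge:" + audience + ":")
	return append(msg, nonce...)
}

// Respond signs the challenge with the device key.
func (w *Wallet) Respond(nonce []byte, audience string) []byte {
	return ed25519.Sign(w.priv, challengeMessage(nonce, audience))
}

// Verify checks a response against the stored public key. The verifier needs
// no secret about the holder, only the public record.
func Verify(rec IdentityRecord, nonce []byte, audience string, sig []byte) bool {
	return ed25519.Verify(rec.PublicKey, challengeMessage(nonce, audience), sig)
}

func main() {
	wallet, record, err := NewWallet("did:example:holder-0001")
	if err != nil {
		panic(err)
	}
	nonce, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := wallet.Respond(nonce, "bank.example")
	fmt.Println("genuine holder  :", Verify(record, nonce, "bank.example", sig))

	// A party that has copied the whole record (DID and public key) but does
	// not hold the device key cannot answer the challenge.
	impostor, _, _ := NewWallet(record.DID)
	fmt.Println("record-only copy:", Verify(record, nonce, "bank.example", impostor.Respond(nonce, "bank.example")))

	// A captured response is useless against the next challenge ...
	next, _ := NewChallenge()
	fmt.Println("replayed answer :", Verify(record, next, "bank.example", sig))
	// ... and against a different relying party.
	fmt.Println("wrong audience  :", Verify(record, nonce, "shop.example", sig))
	fmt.Println("public key      :", hex.EncodeToString(record.PublicKey))
}
```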

Why It Matters

In 2017, the Equifax breach became one of the worst data breaches in corporate history, exposing personal information of over 147 million people, including Social Security numbers, dates of birth, home addresses, driver’s license numbers, and credit card numbers.

In 2018, the Cambridge Analytica scandal over user data misuse has continued to unfold, as the F.B.I. and Justice Department investigate Facebook for failing to safeguard 87 million user profiles.

Equifax and Cambridge Analytica are two prime examples of how current systems for sharing and storing personal information have proven to be not as safe, secure, or trustworthy as previously thought.

And everyone feels this impact.

Governments are implementing more stringent laws and regulations for consumer protection. In May, the General Data Protection Regulation (GDPR), a standard for data collection and storage, went into effect. In July, California passed the California Consumer Protection Act enacting similar standards. And this is probably the first in a wave of consumer protection and privacy policies that will come to life.

Consumers are concerned as well. In a recent Deloitte study, 81 percent of U.S. respondents felt they had lost control over the way their personal data are collected and used.

The ability to prove you are who you say you are is critical to engaging with the world and being a part of the economy. Decentralized identity gives that control back to people. 

Get to know more about Blockchain and listen to my Keynote "Practical Examples of Decentralized ID's in the Real World" at the Consumer Identity World USA in Seattle in September.

For a deep dive into the Blockchain topic please find the following blog posts:

The Digital Transformation and the Role of the CISO

Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve

Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.
Most new technology layers enabling the digital transformation need to be protected from interference, intrusion, or corruption. This is especially the case across industry sectors seeking to take advantage of the enormous opportunities these technologies offer: driverless vehicles and the logistics sector, amongst others, could be unrecognizable in ten years’ time.

New technologies will also generate and feed on massive amounts of data - most of it sensitive or private - that will need to be collected, processed, and safeguarded in a way that is both sensible and ethical. The concepts of security by design and of privacy by design will inevitably become any organisation’s best allies in its innovative endeavours and must be taken seriously by all digital transformation players, especially as the regulatory and social contexts become harder to navigate.
There is no doubt – in our opinion – that organisations which put information security and privacy at the heart of their digital transformation from the start could obtain a real competitive advantage in the mid-to-long run.

As a matter of fact, the recent launch of the General Data Protection Regulation (GDPR) in the EU is dramatically changing the incentives landscape for all businesses active in Europe. In addition to fines of up to 4% of global turnover, firms are now required to report any relevant data breach to the regulator within 72 hours. This will require capabilities of detection, analysis and reaction which go far beyond the scope of the security teams and will force many corporate stakeholders to work together on those matters (security, IT, legal, DPO teams, senior management etc…). As such, the GDPR could be a painful lesson as to why cybersecurity is necessarily a transversal matter for organisations of all sizes.
Finally, and perhaps most importantly, respect for privacy and the protection of personal data is likely to become a true competitive advantage as our societies become increasingly wary of these issues.

This shift is well illustrated by the first complaints filed under the GDPR framework. Privacy activists such as Max Schrems or the French Quadrature du Net, for example, have already started to drag high-profile tech companies (Facebook, Google, Instagram, etc…) into what could become lengthy legal proceedings. Depending on how the regulators react, this could have deep implications on how data-driven businesses are to operate in Europe.

Increasingly, security and privacy become intertwined, but it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures. Synergies are obvious and need to be leveraged, and where security practices are deemed dysfunctional or in need of improvement, this could provide an ideal opportunity.

In fact, it could be the start of a major evolution around corporate perceptions of security and privacy, from burden, annoyance and costs, towards becoming central management functions. But organisational models will have to evolve as a result to accommodate the truly transversal nature of security and privacy matters and carve out a niche for those new corporate functions.

A New Transversal Organisational Model

At this juncture, the traditional role of the CISO – heavily influenced by a technical bias, tactically-oriented and project-driven in many firms – could become exposed.
Not in its functional existence – IT security is more essential than ever – but in its corporate prominence. Having failed to project their roles beyond the tactical and technical fields for the best part of the last decade, many CISOs could find themselves pushed down the organisation while CSO and DPO roles take centre stage at the top.

With those new roles should come new people and a new focus, and probably a different way to approach security matters and talk about them.

We could be at the start of an exciting decade for all security professionals.

Learn more about this topic in my session at the Cybersecurity Leadership Summit 2018 Europe, November 12-14, 2018 in Berlin.

*** Please note this is a guest blog post and does not necessarily represent the opinion of KuppingerCole ***

Cross-Border Data Management and Cybersecurity: Walking the Tightrope of Compliance and Business Efficiency

Guest Author: Jordan L. Fischer, Esq., Co-Founder & Managing Partner of XPAN Law Group, LLC

Technology is changing rapidly, resulting in an increasing amount of data collected every second. These technologies cross borders and allow businesses to operate on a global scale, at a rate never before seen. However, the corresponding legal infrastructures operate with borders -- hard borders -- that make the exchange of data, both internally and externally, complicated and challenging.

In the last two years, new data protection regulations have gone into effect in a number of different regions: Japan, China, Australia, and most recently (and with the largest “bang”), the European Union. Each of these regulations imposes nuanced requirements on companies, often asserting data localization requirements, implementing the principle of transparency and including consent initiatives when these organizations collect and process data. Most importantly, companies need to be proactively aware of the implications of the technology they use and the data they collect, which vary depending on the regions in which they operate.

This changing legal landscape is nowhere more apparent than in the European Union (EU), with the General Data Protection Regulation (GDPR). The GDPR imposes a number of proactive privacy measures on entities, both within the EU and outside of the EU, that are poised to drastically change the way businesses maintain and exchange data from within the EU. At its core, the GDPR asserts data privacy and security principles on companies. The GDPR does not discriminate depending on the industry or the size of the organization. It universally and equally requires data minimization, data localization, transparency, and accountability by all organizations. The GDPR empowers data subjects to take control of the data collected by companies about them, and to require those companies to account for all processing of that data, and for all third parties who have access to that data.

The “GDPR model” is becoming the de facto standard. Canadian data protection laws are changing this fall, bringing them more in line with the GDPR. Even individual states are moving towards providing data protections similar to the GDPR: California is in the midst of a debate over how much control to give data subjects regarding their data. What started as a potential ballot measure to be included in the fall elections has now become a bill in the California state legislature and appears to provide data protections similar to many of these international regulations.

These varying principles of data privacy and cybersecurity converge when organizations exchange, transfer and process sensitive information across borders and, as such, implicate a number of different regulations. Take for example the growing prevalence of cloud storage, with companies opting to store data and systems off premise, in a data center located in a specific location, or in multiple data centers. Either option directly correlates with a legal obligation and potential ramifications for regulatory compliance and contractual agreements.

When addressing cross-border data management, companies should take key steps in order to better understand any legal obligations or liabilities before an issue arises. The first step is knowledge: What data is collected? What is done with that data? Where is that data stored? These regulations increase the power of the data subject, which dovetails into a burden on companies to provide the necessary transparency, both prior to and after the collection of data. In order to provide accurate information to meet these obligations, companies need to know, before collecting the data, what they intend to do with that data.

Second, a company needs to know who has access to that data. This is both internal access -- a company’s own employees -- and external access -- third parties or partners. Understanding who is involved in a “data transaction” is key to ensuring security along that entire chain and providing the necessary transparency to the data subject. The use of processors and sub-processors is common -- but companies need to ensure that each party involved understands its obligations and adequately protects and secures the data.

Third, a company needs to understand the data lifecycle: how long is the data needed? What happens when we no longer need the data? Data storage is expensive, especially if additional security measures are needed such as encryption or redundancy. Often, companies are not even aware of all of the “old” data they maintain -- old data that is no longer useful but remains a liability in the event of a breach. Creating “house cleaning” policies (i.e. data destruction and retention policies) is key to decreasing costs and potential legal ramifications.

Ultimately, companies need to understand this convergence of domestic and international data obligations and its effect on creating efficient and secure data management practices in order to meet the needs of the business. Technology and data are like a spiderweb within an organization -- they impact a number of different business units and require a holistic approach. Taking key steps early on in the data collection process can drastically minimize long-term costs and liabilities.

Learn more about this topic in my session at the Consumer Identity World September 19-21, 2018 in Seattle.

* * * * *
Nothing contained in this blog post should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.

Some Perspective on Self-Sovereign Identity

Identity isn't hard when you don't always use it. For example, here in the natural world we are anonymous—literally, nameless—in most of our public life, and this is a handy thing. Think about it: none of us walks down the street wearing a name badge, and it would be strange to do so. A feature of civilization is not needing to know everyone's name, or details about their lives, and to give others information about ourselves on a need-to-know basis.

To be anonymous, however, does not mean to lack distinction. In fact to be human is to be distinctive: designed by nature to look and sound different than other people, so we can tell each other apart. We also add to our distinctions through clothing, jewelry, haircuts, mannerisms and body art. Our souls are also profoundly original in ways that transcend our genetic portfolio. For example, television star Laverne Cox has an identical twin brother. So does transgender activist Nicole Maines. Being distinctive helps relieve us of the need to disclose our names all the time, because in most cases all we need is to be recognizable, or familiar, not identified by name. This too is a grace of civilization.

Our identities are also profoundly personal, and often complex. We start with the names given to us by our parents or our tribe. After that we add abbreviations and nicknames, which have conditional uses and conventions. For example, my father was named Allen, but most people called him Al. He and my mother, who was named Eleanor and sometimes went by El, named me David Allen. Mostly they called me Dave. My son Peter's middle name is also Allen, and that's the name he mostly goes by, while family members call him Pete. When I worked in radio, somebody called my on-air persona "Doctor Dave." Then, after I started a business with one of my listeners whose name was also David (and who didn't like being called Dave), he and our co-workers called me Doc to avoid confusion. As my social network expanded through our growing business, the nickname stuck, and I've been mostly called Doc ever since. (By the way, years after we went into business, I found out David's first name was Paul. David was his middle name. Nobody, even in his family, called him Paul.)

Everything I just described falls under the heading of what Devon Loffreto was the first to call self-sovereign identity: the kind fundamentally under the control of a single (or sovereign) individual. All the systems by which organizations give us identifiers he calls administrative.

From their start, administrative identity systems have had a hard time coping with the simple fact that identifiers are optional among human beings having human interactions in the natural world, that our default state within those interactions is to be anonymous yet distinctive—and that we especially value anonymity. Proof of how much we value anonymity is the exception to it we call celebrity. Ask any famous person about the cost of their fame and they'll tell you it's anonymity. The bargain is Faustian: while there are many benefits to celebrity, it is also a curse to be recognized by everyone everywhere, and known by name.

The world's administrative systems have little use for anonymity. After all, they require identifiers for people, so they can know who they are serving, arresting, or sending messages to. Knowing people by name has many advantages for administrative systems, but also presents problems in the networked world for both those systems and human beings. Requiring "an ID" for every person puts operational and cognitive overhead on both sides. In the natural world, a boundless variety of business interactions only require that the business know that whoever it encounters is human, trustworthy, and worth the time and effort.

In the networked world, however, we are still stuck with systems comprised of “identity providers” and “relying parties” that reduce individuals to mere “users” burdened with logins and passwords—or convenienced by the Faustian bargain of "federated" identities that let them log in with Facebook, LinkedIn or Twitter. In these systems, who we are as individuals is secondary to the needs of identity providers and relying parties and the transactions their systems perform, most of which eliminate anonymity. This is dehumanizing. Even the GDPR, which was created to cause respect for personal privacy, and to protect it, reduces us in compliance considerations to mere “data subjects”: a label that is barely less demeaning than “user” and “consumer.”

While these systems are digital, their legacy designs are industrial: top-down and one-to-many. They also grew into their current forms within the architecture of the client-server Web, rather than atop the peer-to-peer (aka end-to-end) Internet beneath the Web (and everything else). This made sense in the early days of dial-up and asymmetrical provisioning of bandwidth, but is a stale legacy in a time when everyone has ample bandwidth in both directions, most commonly on a mobile device that works as an extension of one's body and mind.

In today's networked world, we need approaches to identity that start with human agency, and are modeled on the way each of us operates in the natural world. We should be able to disclose and express our distinctions, choices, requirements and existing relationships with ease—and with anonymity as the default social state until we decide otherwise.

These are the base requirements addressed by many of today's pioneering self-sovereign identity systems and approaches. Here's the key thing to bear in mind: while self-sovereign identity needs to work with existing administrative identity systems, self-sovereign identity cannot be fully understood or explained in terms of those systems—any more than personal computing can be explained in terms of a mainframe, or the distributed Internet can be explained in terms of a centralized LAN.
When each of us has full control of our naturally self-sovereign identity in the networked world, there is no limit to what we can do—while the limits of administrative systems are painfully apparent. (Example: logins and passwords, which everyone hates.)

This doesn't mean, by the way, that we should throw out the great work that has been done with administrative systems, especially those that have obeyed Kim Cameron's Seven Laws of Identity, which he first wrote in 2004. Here they are:

1. User control and consent
2. Minimum disclosure for a constrained use
3. Justifiable parties
4. Directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Persistent experience across contexts

Today those laws apply to both self-sovereign and administrative identity, and remain an especially helpful guide if we change the first word in that list from “User” to “Personal.”
The time has come to humanize identity in the networked world by making it as personal as it has been all along in the natural one. We can also make progress a lot faster if veterans of administrative systems try to understand self-sovereign approaches from the perspective of how they, as naturally sovereign human beings, choose to be known.

The Power of Utility in the Future of Marketing

Guest post by Christian Goy, Co-founder and Managing Director of Behavioral Science Lab

In the future, marketing will be driven neither by demographics, on- or off-line behavioral identifiers or psychographics, but by understanding and fulfilling the individual utility expectations of the consumer.

Mitch Joel captures this view of future marketing by concluding, “If the past decade was about developing content and engagement strategies in social channels (in order to provide value, humanize the brand, be present in search engines and more), the next decade will be about the brands that can actually create a level of utility for the consumer.” 

No one disputes that a persuasive marketing message or social media campaign drives web traffic. However, if your brand does not deliver utility, it will not be purchased. Consumers do not love brands because of their brilliant ad campaigns or funny videos on Facebook. Consumers love brands that create utility or true value for themselves; this is what creates affinity between the consumer and the brand, not just the brand attributes. Utility is what consumers believe they cannot live without.

Utility is the heart of behavioral economics. The utility of each product or service is determined by a very specific set of psychological and economic elements, which determine how the consumer arrives at the expected value (utility) of each brand. Relative differences in the expected utility associated with each choice option determine how much consumers will pay, what they purchase and how loyal they expect to be. Interestingly, we are learning that the economic and psychological factors that determine utility and purchase have little or nothing to do with the buyer’s demographics or psychographics.

In none of our studies did demographic or psychographic segmentation explain why consumers switch or remain loyal to a brand. However, when consumers were typed by their utility expectation for individual brands, our clients were able to predict with extreme accuracy whether the consumer would stay loyal, switch away from their brand, and more importantly, why.

Knowing the expectation of utility explains why Instacart — an app that lets shoppers buy all their groceries online from any grocery store and have them delivered to their doorstep — became an instant hit for a small, but important, percentage of US shoppers.

Old line marketers assumed that a certain percentage of US shoppers with relatively high household income and education, who were environmentally savvy and attracted to organic produce would remain loyal Whole Foods or Trader Joe’s shoppers. What they didn’t understand was that the utility for those shoppers was not driven by their demographics or psychographics, but by what they were looking for — convenience, ease of shopping and minimal shopping time which could not be fulfilled by either Whole Foods or Trader Joe’s.

What is next for marketing?

To remain effective, marketing must move beyond traditional segmentation, psychographics, and message development strategies. Marketers should first understand what drives true utility for their consumers — what consumers value, what they can or cannot live without. As some are already doing, marketers will create personalized messages that maximize individual utility expectations by:

Deeply understanding what drives the expectation of the utility of their products — These are the psychological and economic decision elements used by the buyer to define utility.

Defining buyers by their utility expectation — Group buyers on the basis of a similar utility expectation. This allows marketers to be more cost-efficient and effective in their messaging and product offerings because the specific needs of their customers will be met.

Creating products and services that address consumers’ psychological and economic needs — Do not just focus on the product. Understand how the consumer defines utility, and then deliver on it. In our studies, we have found that by only addressing and fulfilling the primary driver in consumers’ utility “equation,” the likelihood of purchase is very high. Just imagine how much greater the likelihood of purchase could be if the second and third drivers were addressed as well.

Product and service utility are the future of effective marketing. Start today with an understanding of how your consumers arrive at their utility expectation to stay ahead of the game.

Learn more about this in my session at the Consumer Identity World from November 27-29, 2017 in Paris.

General Data Protection Regulation – Rather an Evolution Than Revolution

Guest post by Tim Maiorino, Counsel of Osborne Clarke

The newest EU legislation on data protection is the General Data Protection Regulation (GDPR) which will be enforceable from May 26th 2018. It will bring several important changes, altering the requirements of data protection law in the European Union.

The GDPR will replace the EU-Directive on Data Protection and, by extension, all transposing national regulation. The GDPR´s objective is to harmonise data protection legislation across the EU and to “protect the fundamental rights of natural persons to the protection of their personal data”, while promoting free movement of data within the EU.

An examination of the GDPR and its rules is inevitable for any business involving personal information, as it provides a uniform standard for data protection throughout the EU and is directly applicable in all member states. Content-wise, German law has served as a role model to the GDPR. Although it replaces most of the current data protection laws across the EU, the changes – though far-reaching – do not override the fundamental principles of the current regime. Rather, it preserves the basic principles while implementing stricter and more extensive rules.

The most significant changes regard the scope and applicability, data governance and allocation of responsibilities, data subjects´ rights (facilitation and expansion), and sanctions, which include heavy fines. The fines in case of non-compliance may be up to EUR 20 Mio. or 4 % of your worldwide turnover within the previous financial year.

Therefore, further action is required by businesses regarding the handling of personal data.

1. Interacting with Data Subjects

The GDPR establishes detailed requirements for both internal and external facing processes and policies, which can be divided into several steps.

Firstly, the internal processes should be identified and any possible information on the future use of personal data gathered.

Secondly, current policies and any external measures taken or information given with regard to the collection and use of personal data should be identified. You should be aware in which circumstances and at what point data is collected and what information the data subject is given on the use of their data. It is also necessary to identify the method used to obtain the data subject's consent, where applicable, and what channels are used by data subjects to file access requests.

Hereafter, discrepancies between internal and external processes can be recognised. It is essential to validate that the external facing policies match the internal processes and actual use of data. Controllers thus need to be aware of what the data subject (which includes staff, if their data is concerned) is told about how their data is used. When all internal and external processes and policies are known, they can be updated to comply with the detailed requirements in the GDPR. Only if you know your policies and processes will you be able to ascertain the necessary steps to meet the extended requirements and to provide guidance and training to your representatives and staff.

2. Managing Compliance

You might now consider this more trouble than it´s worth, but there are several ways to facilitate compliance with the GDPR.

For example, there is the option (and sometimes the obligation) to appoint a Data Protection Officer who will, amongst other things, monitor and work towards compliance with the GDPR. The contact details of the Data Protection Officer should be published and provided to the Data Protection Authorities.

Any data controller should undertake impact assessments and privacy by design as required. All existing processing operations should be identified and current record-keeping arrangements reviewed.

With regard to external policies, controllers have the possibility to use industry codes, which may provide an orientation for handling certain situations to their employees. Also, for reasons of facilitation, using templates for external notifications in case of data breaches may be helpful.

3. Processors and Transfers

Generally, where data is used, it will also be transferred to third parties or processors. As this is regulated by the GDPR, controllers should be aware of and map their (international) data flow.

As requirements for data transfers change, standard form contracts and addenda need to be updated and/or prepared. Procurement processes also require updating, and procurement and IT teams need to be trained accordingly to identify potential issues. Moreover, it is always advisable for customers and suppliers to work together to address changes and potential issues, as well as to conduct customer and supplier audits to safeguard both parties' interests.

Although it is, essentially, an evolution of current data protection law, the GDPR brings several important changes to the obligations of data controllers and processors and to the corresponding rights of data subjects.

4. Conclusion

Hence, data protection, and the requirements it sets out for businesses dealing with any type of personal information, is not only lifted to a significantly higher (meaning: more detailed, stricter and even more complex) level; the prominence of the GDPR also brings significantly more attention to the topic, and potential breaches are sanctioned more strictly than ever before.

Tomorrow’s Customer Journey Starts In The Buyer's Head

Guest post by Christian Goy, Co-founder and Managing Director of Behavioral Science Lab

The world of customer journeys is a terrible mess. The linear path to purchase does not exist. “Predictable shopping patterns, once so fundamental to marketing and advertising strategy, have gone by the wayside. Persona- and demography driven strategies now fall short – the winners in this new era are the brand and retailers who’ve put a plan in place to meet actual shoppers anywhere along their path to purchase,” says BazaarVoice.

Even though marketers claim to understand, use and predict consumers’ shopping patterns with (1) web and mobile analytics, (2) social analytics, (3) media analytics, (4) customer journey analytics, or (5) voice of the customer analytics, most marketers still do not know why buyers bought their brand or their competitors’. 

Take Jessica, for example. She is looking for a new tote – "a gift for herself," she would argue. She needs something bigger for her personal items, as well as for what her kids need. She wants something that can help her stay organized, is durable, practical and looks good.

She starts her journey on Google search; moves quickly to Pinterest, Instagram, and then reviews a few product sites that sell the kind of bag she is looking for. Two items look promising. She reads a couple of customer reviews and a week later looks for them in her favorite department store. Unfortunately, the store does not carry either of the two products that were at the top of her list. So she goes back online and finds a retailer's web site that shows a real person holding the tote she wants and photos of the bag being used to carry diapers. She can tell from the pictures that it will work well for her, and she buys the tote. According to BazaarVoice, that journey lasted thirteen days.

The problem is not a lack of understanding of touch-points, channels used, time between channels and so forth, but rather a lack of understanding as to why Jessica chose the product she did. Current tools can do an incredible job aggregating the bits and pieces of what a person did — but not why. If marketers don't understand why people choose a certain product, the path to purchase will always be of secondary value, because it is only the means to an end, and not the factors that motivated its use in the first place. Without this basic knowledge, marketers can never put a strategy in place that delivers on what customers truly want, but only on how they "get there."

How Do We Solve That?

Human thinking is complex, and trying to make sense of behavior that often appears irrational is difficult. The reason Jessica is using so many channels to gather information is to find a product that can fulfill the utility she expects from her new tote.

This idea of expected utility or value is at the heart of behavioral economics. It assumes that the value of each product or service is determined by a very specific set of psychological and economic elements, which play a role in the buyer's expectation of its value. The relative value of purchase options determines how much we pay for something and how we decide what to buy.

In Jessica's case, we might assume she is looking for a tote bag that has certain attributes, such as size, which allow it to perform certain functions (economic), a price she can afford (economic), complements her look (psychological), and perhaps creates recognition of her shopping savvy among her friends (psychological). Not only does she put these elements in a certain order, each element is surrounded by a set of decision heuristics (rules of thumb she has developed for herself) that Jessica uses to evaluate which bag maximizes her expectation of utility.

How Do Marketers Create Utility?

To convince the Jessicas of the world that you have the perfect tote for them, marketers need to first learn what drives utility and then deliver on those elements. Here are some simple but important next steps to accomplish that:

Deeply understand what drives the expectation of your products’ utility — These are the psychological and economic decision elements used by the buyer to define utility.

Define buyers by how they make purchase decisions — Group buyers into segments with similar decision elements. This will allow marketers to be more effective and specific in their messaging and product offering, because your customers' specific needs will be addressed. Jessica's decision type would have started with functionality, then price, style, size, and so on.

Create specific communications and channels to address buyers' psychological and economic needs — Show the potential functionality buyer that one path is easier and more efficient than any other. This adds value to the search process, rather than just adding to the "work" required to find the "right" product. Fulfilling specific decision requirements through specific and individualized communication channels is the key. We have found in our studies that if you are able to address and fulfill only the primary driver in a buyer's decision system, the likelihood of purchase is very high. Just imagine the likelihood of purchase if you could address the second and third drivers as well.

Do not forget, the path to purchase starts in the buyer’s head; marketers should start there to understand how to sell more effectively.

Thanks to Dr. Tim Gohmann, Behavioral Science Lab Chief Science Officer and Ron Mundy, Chief Operations Officer for contributions to this publication.
