I recently had lunch with the CEO of an information security firm and asked him about an impression I had from talking to firms about this area. "They don't seem worried enough," I suggested. He agreed and noted that part of the reason was the strategy being used to convince people of the need to invest in security. "We've been trying to scare them into action," he said, "and it isn't working."