When Less Is More: The Argument Dilution Effect
CISOs facing skeptical boards can learn from this landmark example of the "argument dilution effect," where adding weaker points to strong ones doesn't strengthen your case — it fundamentally weakens it.
Psychology Behind Effective CISO Board Communications
In 1969, Fred Rogers successfully convinced Congress to fund public broadcasting with a focused, emotional appeal despite previous presenters using overwhelming data. This was when the Corporation for Public Broadcasting (CPB) was on the chopping block as President Richard Nixon wanted to slash its proposed budget. Fred Rogers testified before Senator John Pastore's Congressional Committee to advocate for the $20 million funding for public broadcasting. His testimony stood out because instead of presenting numerous data points like previous speakers had done, he focused on a single, emotionally powerful argument about what his program meant to children, even reciting the words to a song from his show about self-esteem and emotional regulation.
When the Hidden Brain podcast interviewed Niro Sivanathan, a professor of Organizational Behavior at the London Business School, they discussed the "argument dilution effect," a phenomenon that weakens the persuasiveness of strong arguments when they’re mixed with weaker ones because our brains average rather than add information quality. Essentially, you can undermine your case by adding too many points.
Think of it this way: When trying to convince someone of something, your brain naturally wants to give every possible reason why you're right. But the listener's brain doesn't add up all those points—it averages them.
If you have two strong reasons (let's say they're 9/10 in strength) and add two mediocre reasons (6/10 in strength), your overall argument doesn't become stronger. Instead of adding up to 30 points (9+9+6+6), the listener's brain averages them to 7.5/10. You would have been better off sticking with your two 9/10 arguments, which would average to 9/10.
This happens because:
- Our brains take mental shortcuts when processing information
- We tend to balance or average information rather than carefully weighing each point
- When weak points are mixed with strong ones, they drag down the perceived strength of the entire argument
Effective communicators focus on their one or two strongest points rather than overwhelming their audience with every possible argument. While the recommendations below apply to anyone trying to persuade someone else to agree with their viewpoints, I often discuss these principles with CISOs when we need to convince their board of directors to trust, support, and fund their priorities.
Focus on your strongest arguments.
CISOs often make the mistake of presenting a comprehensive list of security concerns, mixing critical vulnerabilities with minor issues. Instead, concentrate on the highest-impact security threats and vulnerabilities, as adding weaker security concerns will dilute the perceived severity of the major threats through the averaging effect.
To illustrate the difference, here’s a hypothetical example of a CISO communicating to the board about resources needed to mitigate critical vulnerabilities:
Approach #1: "Our security assessment found 27 vulnerabilities including three critical remote code execution flaws, eight medium-severity authentication issues, 12 low-risk cookie handling problems, and four minor SSL configuration warnings. We need $500,000 to address these issues."
Approach #2: "Our security assessment identified three critical vulnerabilities that could allow attackers to execute malicious code on our customer data servers. These flaws would let attackers bypass all existing controls and potentially access millions of customer records. We need $500,000 to address these specific high-impact issues."
The difference: By focusing solely on the most severe vulnerabilities in approach #2, the CISO makes the threat concrete and avoids diluting the seriousness with minor issues that the board might average together.
Use appropriate emphasis for different severity levels.
When presenting security findings to business leaders, CISOs can be more effective by visually distinguishing between critical and minor issues (similar to Niro's experiment with red vs. black text from the Hidden Brain interview). This helps stakeholders properly weigh information while maintaining comprehensive reporting, making it more likely that resources will be allocated to address the most serious security concerns.
Here’s another hypothetical scenario:
Approach #1: "Here's our quarterly security report with all 46 findings chronologically. Our team has been working through them as resources permit."
Approach #2: "Here's our quarterly security report. The three findings highlighted in red represent critical business risks that require immediate attention and board approval. The others are being managed through our normal operations. I'd like to focus our limited time today on these three critical items."
The difference: By visually distinguishing the severity tiers and explicitly directing attention to the most critical issues, the CISO helps the board properly weigh the information rather than averaging everything together.
Balance security information without creating anxiety.
CISOs must provide enough security information to drive action without triggering a harmful "security news consumption" pattern that creates anxiety without productive outcomes. Focus on actionable intelligence rather than overwhelming stakeholders with every threat, helping business leaders make informed decisions without constant security fear.
Approach #1: "Here's a daily security briefing with all threat intelligence we've gathered. There are 17 new threat actor groups targeting our industry, 34 new malware variants detected globally, and nine zero-day vulnerabilities announced yesterday. Our team is monitoring all of these developments."
Approach #2: "Based on our threat intelligence, we've identified two specific attack methods being used against companies like ours. Here's our concrete plan to address these threats and what success will look like. We'll continue monitoring other developments but are focusing our resources on these verified high-probability threats."
The difference: The more effective approach #2 filters the flood of security information down to actionable intelligence tied to specific outcomes.
When Less Is More in Security Communication
Remember, how we communicate can be just as important as what we’re saying. The argument dilution effect teaches us a powerful lesson: When it comes to persuasion, less truly is more. Security leaders can dramatically increase their influence by focusing on their strongest security points rather than overwhelming audiences with comprehensive lists, visually distinguishing between severity levels, and providing actionable intelligence rather than constant threat updates.
The most successful CISOs aren't necessarily those with the most technical knowledge but those who understand the psychology of communication. Mastering these communication principles is essential for organizations in a field where gaining buy-in for critical security initiatives can mean the difference between a manageable and a catastrophic incident. After all, the most important security vulnerability isn't in your systems—it might be in how you talk about them.