Sensationalism: The Real Open-Source Security Risk
A recent Forrester study attempts to tell us something useful about Open Source. What it actually does is point out the absurdity of selling self-fulfilling prophecies dressed up as useful research.
Actually, I'm referring here to a pair of Forrester Research studies. Both focus on the state of the business software market in 2009, but one deals with the enterprise market and the other with the SMB space. Both appeared at the same time, and most media coverage lumps them together.
That's fine, because both studies illustrate a typical market-research ploy: Sell a study with a vague, sensationalist summary, and then charge companies big bucks to view the details.
Here is how a recent InfoWorld.com article described one of the more controversial points the Forrester studies raise:
Businesses in North America and Europe remain broadly worried about the security of open source software, according to new data from Forrester Research. Fifty-eight percent of the large companies surveyed said they had security concerns about open source, while the figure for small and midsized businesses was slightly higher, at about two-thirds. Within those groups, only 9 percent of enterprises said they were "very concerned," compared with 45 percent for the SMBs.
I won't take InfoWorld to task for how it spins the story; this is news coverage, not an opinion piece. And it's a fair description of how Forrester wants to position its research. (I can't say the same thing about a subsequent InfoWorld blog post that accepts Forrester's conclusions without questioning them.)
This taste leaves most readers hungry for details. How does Forrester define "open source?" Are we talking about desktop applications, server software, or both? Where does Forrester draw the line between enterprises and SMBs -- and how does that distinction blur the inevitable differences between how midsize and small businesses view these issues?
One also wonders how many of the firms surveyed are "very concerned" about security issues with proprietary software. After all, anyone who isn't probably needs to spend more time above ground.
If you want answers to those questions, the full text of the Forrester reports might answer them. Or maybe they won't. Either way, it will cost you to find out.
Such studies raise questions regarding their underlying research methodologies. And in the past, some firms -- including Forrester subsidiary Giga Research -- have drawn fire over alleged conflicts of interest involving third-party IT vendors that commission supposedly independent research.
Bear in mind here that Forrester, like every business, must market its products effectively. In this case, however, marketing involves isolating a hot-button issue, phrasing it in suitably provocative language, and then pushing its findings out through the IT press.
Am I falling for the trick simply by publishing this blog post? Guilty as charged, I suppose. But there is no other way to discuss this process -- and it demands a critical examination.
The fact is, the memes Forrester spreads via these methods will spread, mutate, and take on lives of their own.
Proprietary software vendors will tout the research as proof that open-source software is rife with security issues. Bloggers will repeat Forrester's public-consumption findings without questioning them. Companies will hear them and internalize them, often without even knowing how such research can shape -- and distort -- their IT assumptions.
I'm not selling either open-source or proprietary software here. I'm selling critical thinking and common sense. It's a tougher road to travel, but small-business owners will find that it beats planning their IT purchases based on market researchers' self-fulfilling -- and self-serving -- prophecies.