Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. The digital threat landscape changes constantly, and it's very difficult to know the probability of any given attack succeeding or how big the potential losses might be. Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation. In the absence of good data, decision makers must use something less than perfect to weigh the options: their judgment.
But insights from behavioral economics and psychology show that human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. For example, they may think about cyber defense as a fortification process: if you build strong firewalls, with well-manned turrets, you'll be able to see the attacker from a mile away. Or they may assume that complying with a security framework like the NIST Cybersecurity Framework, or a mandate like FISMA, is sufficient security: just check all the boxes and you can keep pesky attackers at bay. They may also fail to consider the counterfactual, thinking "We didn't have a breach this year, so we don't need to ramp up investment," when in reality they probably either got lucky this year or are unaware that a bad actor is already inside their systems, waiting to strike.
The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, attackers, much like water, will find the cracks in the wall. That's why cybersecurity efforts have to focus on ongoing risk management, not one-time risk mitigation. But this pessimistic outlook makes for a very tough sell. How can security executives get around the misguided thinking that leads to underinvestment, and secure the resources they need?
Over the past year, my behavioral science research and design firm, ideas42, has been interviewing experts across the cybersecurity space and conducting extensive research to identify human behavioral challenges at the levels of engineers, end users, IT administrators, and executives. We've uncovered insights about why people put errors into code, fail to install software updates, and poorly manage access permissions. (We delve into these challenges in Deep Thought: A Cybersecurity Story, a research-based novella.) Our findings point to steps that security executives and other cybersecurity professionals can take to work around CEOs' human biases and motivate decision makers to invest more in cyber infrastructure.
Appeal to the emotions of financial decision makers. The way that information is conveyed to us has a huge effect on how we receive and act on it. For cybersecurity professionals, it's intuitive to describe cyber risk in terms of the integrity and availability of data, or with quantifiable metrics like packet loss, but these concepts aren't likely to resonate with decision makers who think about risk very differently. Instead, cybersecurity professionals should take into account people's tendency to overweight information that portrays consequences vividly and tugs at their emotions. To leverage this affect bias, security professionals should explain cyber risk by using clear narratives that connect to risk areas that high-level decision makers are familiar with and already care deeply about. For example, your company's risk areas may include customer data loss as well as the regulatory costs and PR fallout that can affect the company's reputation. It's not just about data corruption; it's also about how the bad data will reduce operational efficiency and bring production lines to a standstill.
Replace your CEO's mental model with new success metrics. Everyone uses mental models to distill complexity into something manageable. Having the wrong mental model about what a cybersecurity program is supposed to do can be the difference between a thwarted attack and a significant breach. Some CEOs may think that security investments are for building an infrastructure, that creating a fortified castle is all that's needed to keep a company safe. With this mental picture, the goals of a financial decision maker will always be oriented toward one-time risk mitigation instead of ongoing risk management.
To get around this, CISOs should work with boards and financial decision makers to reframe metrics for success in terms of the number of vulnerabilities that are found and fixed. No cybersecurity system will ever be impenetrable, so working to find the cracks will shift leaders' focus from building the right system to building the right process. Counterintuitively, a firm's security team uncovering more vulnerabilities should be considered a positive sign. All systems have bugs, and all humans can be hacked, so treating vulnerabilities as shortcomings will create an unintended incentive for an internal security team to hide them. Recognize that the stronger the security processes and team capabilities are, the more vulnerabilities they'll discover (and be able to fix). Pair the count of findings with how quickly they are closed, so the metric rewards fixing, not merely logging.
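As an added illustration (not from the original article or from ideas42), here is how a security team might compute the "found and fixed" metrics that paragraph recommends from its own vulnerability records: findings discovered, findings closed, median days to fix per severity, and open findings that have outlived their remediation target. The SLA_DAYS targets and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Remediation targets in days per severity. Assumed values for this example,
# not figures the article cites; substitute your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    severity: str
    found: date
    fixed: Optional[date]  # None while the finding is still open


def program_metrics(findings, as_of):
    """Summarize a find-and-fix program as of a reporting date.

    Returns how many findings were discovered and closed, the median days to
    fix per severity among closed findings, and the open findings whose age
    exceeds the SLA for their severity (the backlog leadership should see).
    """
    days_to_fix_by_sev = {}
    overdue = []
    fixed_total = 0
    for f in findings:
        if f.fixed is not None:
            fixed_total += 1
            days_to_fix_by_sev.setdefault(f.severity, []).append((f.fixed - f.found).days)
        else:
            age = (as_of - f.found).days
            if age > SLA_DAYS[f.severity]:
                overdue.append((f.id, f.severity, age))
    return {
        "found": len(findings),
        "fixed": fixed_total,
        "open": len(findings) - fixed_total,
        "median_days_to_fix": {s: median(d) for s, d in days_to_fix_by_sev.items()},
        "overdue": sorted(overdue),
    }


# Constructed sample records for the example; not real findings.
SAMPLE = [
    Finding("V-1", "critical", date(2017, 6, 1), date(2017, 6, 4)),
    Finding("V-2", "high", date(2017, 6, 3), date(2017, 6, 20)),
    Finding("V-3", "high", date(2017, 6, 10), date(2017, 7, 25)),
    Finding("V-4", "medium", date(2017, 6, 12), None),
    Finding("V-5", "critical", date(2017, 7, 1), None),
    Finding("V-6", "low", date(2017, 7, 15), date(2017, 8, 1)),
]

if __name__ == "__main__":
    print(program_metrics(SAMPLE, date(2017, 8, 15)))
```

Reporting the overdue list alongside the raw counts is what keeps "more findings" from becoming a perverse incentive: a team can only look good by closing what it finds within target.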
Survey your peers to help curb overconfidence. Overconfidence is a pervasive bias, and it can be a big problem if it clouds leaders' judgment about cybersecurity investment. Our research found that many C-level executives believe that their own investments in cybersecurity are sufficient but that few of their peers are investing enough (a belief that, given how widespread it is, can't possibly be true). One way that CISOs can overcome a CEO's overconfidence is to compare the company's performance with a baseline from similar firms; in other words, confront the problem head-on. You can accomplish this by regularly polling CISOs and executives about how well organizations in your industry are managing cybersecurity infrastructure, prompting them to be as specific as possible about what they are doing well and what they're not, and asking those same CISOs to help determine how well your own firm is doing. This way, CISOs can provide clearer information to CEOs about how they are actually performing relative to their industry peers.
You are the weakest link. In her essay Regarding the Pain of Others, Susan Sontag wrote, "To photograph is to frame, and to frame is to exclude." Human attention functions quite similarly. People concentrate on certain aspects of information in their environment while ignoring others; what a CEO chooses to invest in can be thought of in a similar light. For instance, in the wake of a newsworthy hack, CEOs may push their teams to ramp up investment in cyber infrastructure to protect against external threats. But in doing so they may be inattentive to unwitting internal threats that may be just as costly: employees clicking on bad links, or falling for phishing attacks.
How can a CISO work around a decision maker's inattention? No one likes to be embarrassed, but negative feedback can sometimes be an effective remedy for inattention. Security teams should regularly try to break their own systems through penetration testing, and the CEO should be the biggest target. After all, that's how outside attackers would see it. Like any authorized test, such an exercise needs sign-off from someone with the authority to approve it and a documented scope before it starts. By making the CEO the victim of an internally initiated (and safe) attack, it might be possible to draw their attention to risks that already exist and motivate leaders to increase their investment in cyber infrastructure.
If the focus of cybersecurity programs continues to be on designing better technologies to combat the growing menace of cyberattacks, we'll continue to neglect the most important aspect of security: the person in the middle. By turning the lens of behavioral science onto cybersecurity challenges, CISOs can identify new ways to approach old problems, and maybe improve their budgets at the same time.