Executive Summary
Human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary. These mental models treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. Our research points to steps that security executives and other cybersecurity professionals can take to work around CEOs' human biases and motivate decision makers to invest more in cyber infrastructure: appeal to the emotions of financial decision makers; replace your CEO's mental model with new success metrics; survey your peers to help curb overconfidence; and remember that you are the weakest link. By turning the lens of behavioral science onto cybersecurity challenges, CISOs can identify new ways to approach old problems, and maybe improve their budgets at the same time.
Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. The digital threat landscape changes constantly, and it's very difficult to know the probability of any given attack succeeding or how big the potential losses might be. Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation. In the absence of good data, decision makers must use something less than perfect to weigh the options: their judgment.
But insights from behavioral economics and psychology show that human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. For example, they may think about cyber defense as a fortification process: if you build strong firewalls, with well-manned turrets, you'll be able to see the attacker from a mile away. Or they may assume that complying with a security framework like NIST or FISMA is sufficient security: just check all the boxes and you can keep pesky attackers at bay. They may also fail to consider the counterfactual, thinking "We didn't have a breach this year, so we don't need to ramp up investment," when in reality they probably either got lucky this year or are unaware that a bad actor is lurking in their system, waiting to strike.
The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find the cracks in the wall. That's why cybersecurity efforts have to focus on risk management, not risk mitigation. But this pessimistic outlook makes for a very tough sell. How can security executives get around the misguided thinking that leads to underinvestment, and secure the resources they need?
Over the past year, my behavioral science research and design firm, ideas42, has been interviewing experts across the cybersecurity space and conducting extensive research to identify human behavioral challenges at the levels of engineers, end users, IT administrators, and executives. We've uncovered insights about why people put errors into code, fail to install software updates, and poorly manage access permissions. (We delve into these challenges in Deep Thought: A Cybersecurity Story, a research-based novella.) Our findings point to steps that security executives and other cybersecurity professionals can take to work around CEOs' human biases and motivate decision makers to invest more in cyber infrastructure.
Appeal to the emotions of financial decision makers. The way that information is conveyed to us has a huge effect on how we receive and act on it. For cybersecurity professionals, it's intuitive to describe cyber risk in terms of the integrity and availability of data, or with quantifiable metrics like packet loss, but these concepts aren't likely to resonate with decision makers who think about risk very differently. Instead, cybersecurity professionals should take into account people's tendency to overweight information that portrays consequences vividly and tugs at their emotions. To leverage this affect bias, security professionals should explain cyber risk by using clear narratives that connect to risk areas that high-level decision makers are familiar with and already care deeply about. For example, your company's risk areas may include customer data loss as well as the regulatory costs and PR fallout that can affect the company's reputation. It's not just about data corruption; it's also about how the bad data will reduce operational efficiency and bring production lines to a standstill.
Replace your CEO's mental model with new success metrics. Everyone uses mental models to distill complexity into something manageable. Having the wrong mental model about what a cybersecurity program is supposed to do can be the difference between a thwarted attack and a significant breach. Some CEOs may think that security investments are for building an infrastructure, that creating a fortified castle is all that's needed to keep a company safe. With this mental picture, the goals of a financial decision maker will always be oriented toward risk mitigation instead of risk management.
To get around this, CISOs should work with boards and financial decision makers to reframe metrics for success in terms of the number of vulnerabilities that are found and fixed. No cybersecurity system will ever be impenetrable, so working to find the cracks will shift leaders' focus from building the right system to building the right process. Counterintuitively, a firm's security team uncovering more vulnerabilities should be considered a positive sign. All systems have bugs, and all humans can be hacked, so treating vulnerabilities as shortcomings will create an unintended incentive for an internal security team to hide them. Recognize that the stronger the security processes and team capabilities are, the more vulnerabilities they'll discover (and be able to fix).
Survey your peers to help curb overconfidence. Overconfidence is a pervasive bias, and it can be a big problem if it clouds leaders' judgment about cybersecurity investment. Our research found that many C-level executives believe that their own investments in cybersecurity are sufficient but that few of their peers are investing enough (a belief that, given how widespread it is, can't possibly be true). One way that CISOs can overcome a CEO's overconfidence is to compare the company's performance with a baseline from similar firms; in other words, confront the problem head-on. You can accomplish this by regularly polling CISOs and executives about how well organizations in your industry are managing cybersecurity infrastructure, prompting them to be as specific as possible about what they are doing well and what they're not, and asking those same CISOs to help determine how well your own firm is doing. This way, CISOs can provide clearer information to CEOs about how they are actually performing relative to their industry peers.
You are the weakest link. In her essay Regarding the Pain of Others, Susan Sontag wrote, "To photograph is to frame, and to frame is to exclude." Human attention functions quite similarly. People concentrate on certain aspects of information in their environment while ignoring others; what a CEO chooses to invest in can be thought of in a similar light. For instance, in the wake of a newsworthy hack, CEOs may push their teams to ramp up investment in cyber infrastructure to protect against external threats. But in doing so they may be inattentive to unwitting internal threats that may be just as costly: employees clicking on bad links, or falling for phishing attacks.
How can a CISO work around a decision maker's inattention? No one likes to be embarrassed, but negative feedback can sometimes be an effective remedy for inattention. Security teams should regularly try to break their own systems through penetration testing, and the CEO should be the biggest target. After all, that's how outside hackers would see it. By making the CEO the victim of an internally initiated (and safe) attack, it might be possible to draw their attention to potential risks that already exist and motivate leaders to increase their investment in cyber infrastructure.
If the focus of cybersecurity programs continues to be on designing better technologies to combat the growing menace of cyberattacks, we'll continue to neglect the most important aspect of security: the person in the middle. By turning the lens of behavioral science onto cybersecurity challenges, CISOs can identify new ways to approach old problems, and maybe improve their budgets at the same time.
Excerpt from:
The Behavioral Economics of Why Executives Underinvest in Cybersecurity - Harvard Business Review