Human judgment is frequently prejudiced. Decision-makers in cybersecurity often make biased judgments due to using incorrect mental models, viewing cybersecurity as a solvable problem rather than a continuous process. This leads to inadequate investment decisions. Utilizing the perspective of behavioral science in addressing cybersecurity issues can assist CISOs in finding innovative solutions to persistent problems and potentially enhance the accuracy of budgeting. Chances are your organization suffers from underinvestment. In many cases, even organizations that recognize they have a problem are unable or unwilling to invest in fixing the problem. Indeed, the 2022 Tech.co survey revealed that 83% of large businesses considered cyber risks an impediment to business growth, while only 43% included cybersecurity as one of their top 3 priorities.
Context: Why Executives Do Not Prioritize Cybersecurity
Data is widely considered the most valuable resource in the digital realm, and in contemporary economics, it may even hold more value than gold. It is claimed that in 2021, the daily production of data reached 2.5 quintillion bytes. According to the European Commission (via the World Economic Forum), in 2020, the value of personalized data was 1 trillion euros, amounting to about 8% of the European Union's Gross Domestic Product (GDP). Cybersecurity is necessary not only to prevent data breaches but also to protect the modern world from digital warfare.
When the importance of cybersecurity is stressed with such analogies, many executives understand the importance of investing in this space. While most executives realize that a data breach poses a significant threat to an enterprise, some are unsure of how to deal with a cybersecurity challenge, since little granular information is available to the public about the losses previous hacks have caused the affected businesses.
Cybersecurity awareness has not fully reached the executive and board levels of many companies. Many remain stuck in "denial" or "worry" phases. Or, even worse, they may take on a position of false confidence. Many may not perceive cybersecurity as a value-add component to their business. Cybersecurity requires hard costs but yields soft benefits. It is challenging to demonstrate a cybersecurity-related return on investment (ROI). Weighing cybersecurity investments therefore requires sound judgment in the absence of hard data. Determining the ROI for any cybersecurity investment is extremely difficult. The digital threat landscape changes constantly, and it is complicated to know the probability of an attack succeeding, or how big the potential losses might be. Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation. Without good data, decision-makers must use something less than perfect for weighing their options: their judgment.
Ways to Overcome Underinvestment
The problem with the mental shortcuts that we will discuss below is that they treat cybersecurity as a finite problem that can be solved rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find cracks in the wall. Executives may assume that complying with a security framework like NIST, HITRUST, or SOC 2 is sufficient security, but just checking all the boxes will not keep attackers at bay. They may also think, "We didn't have a breach this year, so we don't need to ramp up investment," when they probably either just got lucky this year or are simply unaware of a hacker lurking in their system, waiting to strike. That's why cybersecurity efforts must focus on risk management, not risk mitigation. But this pessimistic outlook makes for a very tough sell. This research blog points to steps that security executives and other cybersecurity professionals can take to work around CEOs' human biases and motivate decision-makers to invest more in cybersecurity risk management.
According to Alex Blau in the Harvard Business Review, some of the steps cybersecurity professionals can take to work around CEOs' human biases and motivate them to invest more in cybersecurity are:
- Appeal to the emotions of financial decision-makers
- Educate the CEO to reframe the mental model with new success metrics
- Survey executives in the same industry to curb overconfidence
- Make improvements internally
1. Appeal to the emotions of financial decision-makers
Communication is vital to avoiding thought processes like 'Out of Sight, Out of Mind' or 'One-Way Thinking.' A study by the Ponemon Institute stated, "Communication roadblocks are barriers to reducing the risk of a cyber-attack." The survey data further indicated:
- 31% of cybersecurity teams have never talked to executive management
- 48% of organizations did not provide cybersecurity education to their employees
- Only 6% educate their executive management about a new or emerging cyber threat
Out of Sight, Out of Mind
If there is nothing unusual with the IT department's way of functioning, executives assume all is well and stick with the standard security and privacy protocols. The problem here is that many C-suite executives view cybersecurity as a finite problem that, once addressed, can be shoved under the carpet forever to make way for other essential things.
A common phrase, "to each his own," is definitely applicable in the workplace. However, roles from marketing to accounting are interconnected. One wrong click by the marketing person and the entire account database could stand exposed to a cyberattack. This departmentalization, which is done to simplify work, often leads to people looking out for themselves and does away with the collective responsibility that the employees owe to their company.
To avoid these counterproductive thought processes, cybersecurity professionals must ensure that communication with the board and executive management is simplified and presented in the context of the business. How a message is communicated has a massive effect on how we receive and act on it. For cybersecurity professionals, it's natural to describe cyber risk in terms of data availability, but these concepts do not resonate with decision-makers who think about risk differently. To portray the consequences vividly, security professionals should explain cyber risk by using clear narratives that connect to risk areas that are familiar and valuable to executives. It's not just about data corruption; it's also about how bad data will impact the business as a whole.
2. Educate the CEO to reframe the mental model with new success metrics
The goals of a financial decision-maker will always be oriented toward risk mitigation instead of risk management unless cybersecurity professionals intervene. A Gartner survey found that 88% of Boards of Directors view cybersecurity as a business risk instead of a technology risk. Recent research has found that 66% of CIOs intend to increase cybersecurity investments in the coming year. However, Gartner projections show that overall growth in cybersecurity spending will slow through 2023. "After years of heavy investment in security, Boards are now pushing back and asking what their dollars have achieved."
Gain Versus Minimizing Loss
The leaders of any enterprise are responsible for delivering profits on their investments. Therefore, they may avoid investing in something as ambiguous as "cybersecurity," which focuses on risk management and can look like a drain on resources. If something cannot be quantified and shown as profitable, what purpose does it serve, and is it worthy of investment? This trait is common across most humans, where the question "what is in it for me?" governs thinking and influences all investment decisions. Since many organizations base executive compensation on performance, executives may be unwilling to invest in areas that will not enhance their team's compensation. This leads to three problems:
- How does an executive leader make sure they are investing enough in cybersecurity?
- How do executives know how much risk mitigation is necessary to protect the organization from cyber attacks?
- How do executives justify an investment in cybersecurity when the costs are hard, but it is difficult to demonstrate the resulting soft benefits?
To get around this, cybersecurity professionals should work with boards and financial decision-makers to reframe metrics for success in terms of the number of vulnerabilities that are found and fixed. Since no cybersecurity system is impenetrable, discovering more vulnerabilities should be considered a positive sign. Recognize that the stronger the security processes and team capabilities are, the more vulnerabilities they'll discover (and be able to fix).
3. Survey executives in the same industry to curb overconfidence
Overconfidence is a pervasive bias and can be a big problem if it clouds leaders' judgment about cybersecurity investment. This research found that many C-level executives believe that their own investments in cybersecurity are sufficient but do not compare themselves with their peers. Chief Information Security Officers can help curb a CEO's overconfidence by comparing the company's performance with other firms in a similar industry. The survey process could be as simple as regularly polling CISOs and executives about how well or poorly organizations in their industry manage cybersecurity infrastructure and cross-referencing the findings with other companies. This way, CISOs can provide more precise information to CEOs about how they are performing relative to their industry peers.
To clearly perceive the relevance of cybersecurity, companies should not be looking at the number of cyberattacks that occurred but the number of attacks that were prevented. According to Kazi Kabir in the Forbes article, Applying Behavioral Economics to Investment in CyberSecurity, "Compared with the costs saved if these attacks had been successful, they can see the investment in cybersecurity as a preventative ROI that deters the cost flow to avoidable damages."
Before executives just say NO to additional investments, they may want to consider the following. Another advantage of cybersecurity investment is that data generated from various averted attacks on different organizations can be analyzed, and an easily accessible database of potential attackers can be constructed. This database can be shared across companies so that collective vulnerability (the risk of being attacked) decreases each year.
4. Make improvements internally
According to Randy Rose, director of cybersecurity at Tasman Global, these are the reasons why improvements need to be made internally:
- Key leaders are not educated in the basics of cybersecurity within their organizations.
- Data supporting critical decision-making is too technical and does not connect the issues to operational impact.
- There is a lack of comprehension of what is important (i.e., if everything is a priority, nothing is a priority).
- There is a lack of clarity on how technical data ties to actual risk.
- Key leaders overestimate their security posture.
- Cybersecurity is seen as the IT Department's problem (i.e., the CISO works for the CIO rather than at the same level as the CIO).
- There is a lack of understanding of cyber threats and their impact.
- Cybersecurity is not recognized as a continuous process.
- Executive leadership has difficulty justifying the provision of funds for such an intangible phenomenon.
- Cybersecurity is viewed as a technology problem when, in reality, it is much more.
People concentrate on certain aspects of information in their environment while ignoring others; what a CEO chooses to invest in can be thought of in a similar light. For instance, in the wake of a newsworthy hack, CEOs may push their teams to ramp up investment in cyberinfrastructure to protect against external threats. But in doing so, they may be inattentive to internal threats.
Short-Term Preference Over Long-Term Thinking
Most companies comply with defined security standards put in place by a governing body and assume that such compliance is enough. Executives like to invest in plans that show ROI in the short term; however, cybersecurity is a long journey in which constant investment is required to keep the business running without the guarantee of any profit in the long run.
Security teams should regularly try to break their own systems through penetration testing, and the CEO should be the biggest target. After all, that's how outside hackers would see it. By making the CEO the victim of an internally initiated (and safe) attack, it might be possible to draw their attention to potential risks and motivate leaders to increase their investment in cyberinfrastructure.
Business cybersecurity risks represent a problem for individual organizations as well as a concern for our national and global economies. According to a recent study by Lloyd's of London, a major, global cyberattack could cause $53 billion in economic losses, comparable to catastrophic natural disasters such as Superstorm Sandy in 2012. Many believe that cybersecurity is solely a "technology" problem. What they don't understand is that this "technology" problem now affects not only national security and established businesses but also regular people. By turning the lens of behavioral science onto cybersecurity challenges, cybersecurity professionals can identify new ways to approach old problems and maybe improve their budgets at the same time to further invest in risk mitigation.