7/04/2018

Cybersecurity best left in the hands of ... inexperienced

Fresh from the MIT press and it is sobering. Cost/benefit calculation.

Decision-Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

Conclusions

Using our simulation game tool, we have focused on understanding how managers make proactive investment decisions for building cybersecurity capabilities. In general, there are two properties that contribute to the difficulty of making informed, proactive decisions: 
  • The trade-off between allocating resources to profitable activities versus investing in cybersecurity capabilities, with the perceived payoff for the latter being affected by the ‘delay’ between their development and reaching full functionality. 
  • The uncertainty surrounding the occurrence of cyber events, as shown in the differences in results from the two levels of the simulation game.
Our experiment results present that neither experienced nor inexperienced players showed performance differences in the game. This suggests deeply entrenched decision-making heuristics, reinforced over years of experience, and is supported directionally by our analysis of learning curves in the experienced group. 

Inexperience drives dynamism. Good to know.

Experienced players who performed well in level one did not perform well in level two, and vice versa, suggesting that their strategies did not adapt to the environment in which they found themselves. Inexperienced players, on the other hand, showed much more dynamism in adapting to repeated runs and the changing environment between levels one and two (see Figure 10). 

This does not mean you can hire Joe Sixpack and be fine. Management experience is of limited help.

This is not to say that we do not recommend hiring experienced managers, but we conclude that management experience alone does not help when making decisions related to cybersecurity. Our results showed significantly positive learning effects on proactive decision-making among experienced managers. Therefore, training for better understanding of the complexities of cybersecurity is essential for experienced managers to improve their decision-making, and management flight simulators proved to be effective training tools.

Mind-challenging games are important.

Overall, our findings highlight the importance of correctly training decision-makers about cybersecurity capability development. We hope that our findings motivate the cybersecurity community to design and adopt enhanced educational and training programs that challenge entrenched mindsets and encourage proactive cybersecurity capability development. We note that the main mechanisms of our game are based on general capability development dynamics not limited to cybersecurity. 

Present situation leaves a lot to be desired.

The insight from this study of the importance of proactive decision-making can be applied in other settings as well, but it remains that the organizational aspect of cybersecurity, and particularly, decision-making for the development of cybersecurity capabilities, has not received adequate attention.
