Cybersecurity as Strategy
Manuel Hepfer and Thomas Powell from the University of Oxford shared
lessons from companies that faced ransomware attacks in the past few
years. These insights were published in a recent article in MIT Sloan
Management Review. In my words, the paper calls for a shift in how
organizations see cybersecurity. I was surprised by two aspects: first,
most organizations still think cybersecurity is merely instrumental to
the business. Second, decision sciences can offer valuable tools to
improve the organizational approach to cybersecurity. In this post, I
describe ideas from the article in light of behavioral insights.
Cybersecurity is not a lose-lose endeavor
It was surprising to find in the paper that executives see cybersecurity
as a lose-lose situation. “They felt that if their company was
attacked, they would lose reputation and profit; if their company was
not attacked, investments in cybersecurity would be wasted.” The
acceptance of this narrative might be rooted in several cognitive
biases. Salience is an essential piece here: what is in front of us
drives judgments and fosters behaviors. No breach or attack means money
is wasted (but what if we simply don’t know that an attack is under
way?). Conversely, if an attack or breach is confirmed, people think of
losses. However, this is like saying that a construction company wastes
money by testing buildings’ seismic resistance. The lose-lose narrative
implies a moving reference point that makes losses appear in both
situations. And since “losses loom larger than gains,” organizations
underinvest, believing that they are avoiding losses.
We can use a different narrative, a different mental model, to approach
cybersecurity. Threats in the digital realm and earthquakes are similar
in that we don’t know when we will experience one. Organizations must
also be aware that, unlike an earthquake, a cyber incident or breach can
remain hidden for some time, amplifying risks and losses. Given these
dynamics, organizations must prepare continuously for cyber threats.
That way, businesses reduce their exposure to risk, and therefore the
expected value of losses goes down.
Something additional we can do is change the reference point. We can
achieve this by adopting full transparency in good and bad times. That
is, make successful prevention and containment actions public and
salient to stakeholders, and disclose breaches and incidents that cause
harm. Hepfer and Powell addressed this too: “Keeping cyberattacks
confidential also means that best practices for responding to them are
not shared and executives cannot learn from cyberattacks on other
companies” (p. 15).
We can also work with top management on considering counterfactuals, for
instance, by discussing questions like the following:
How many vulnerabilities have been identified and fixed? What would
have happened if those vulnerabilities had remained open?
How many incidents have been prevented or successfully contained with
current cybersecurity efforts? Could we have had the same results
without these efforts? How can we tell?
What has been the role of cybersecurity in deterring attacks or
preventing errors that threaten the business at any level? Can we say
confidently that no attacks and no errors would have occurred in the
absence of our cybersecurity efforts?
Where do we have gaps in cybersecurity? What could happen if we don’t
close those gaps in the coming weeks?
A different narrative, shifting cognitive reference points, and thinking
about realistic counterfactuals can help in better positioning
cybersecurity operations.

Figure 1. Photo by Maarten van den Heuvel on Unsplash
Cybersecurity suffers from how it is framed
We know from psychology and marketing that the way options, messages,
and situations are presented (framed) influences how they are perceived
or judged. Here’s one catchy example shared by Richard Shotton: a
grocery store in Stockholm wanted to sell more organic bananas than the
usual non-organic ones. Instead of explaining the benefits of organic
bananas, the grocer labeled the two types “organic bananas” and
“bananas sprayed with pesticides.” Guess what happened next.
The same applies to information security as a field, service, or
responsibility. Cybersecurity is typically framed only as an IT subject
or branch, and the mental representation this creates is merely
instrumental, with too little relevance. Hepfer and Powell wrote the
following: “[executives] told us that their biggest mistake in the
period before the NotPetya attack was to treat cybersecurity as an
operational issue.” This immediate link with IT alone puts a barrier
between cybersecurity and strategic thought. The company’s ability to
stay in business is left in the background while IT is salient; it only
comes to the foreground later, when it is too late.
Another consequence of the usual framing is inertia, a well-known
behavioral tendency. As the authors state in the paper, “the cognitive
tendency is to carry on with the same strategic priorities, interpreting
the absence of a cyberattack as evidence that the company is on the
right track.” Furthermore, this tendency creates and preserves an
illusion of control when no incident is apparent. What if there is a
breach that hasn’t been detected? “Cyberattacks are nonroutine and hard
to plan for, and many executives have not experienced a serious
cyberattack.” It appears executives inertially follow the saying “if
it ain’t broke, don’t fix it.” Hepfer and Powell’s paper shows how
dangerous this is.
Cybersecurity resembles an intertemporal choice
A final comment using a behavioral lens: cybersecurity, at its core, is
an intertemporal choice. Cybersecurity is about decisions we make today
and the future consequences of those decisions. If you save money today
and keep doing it, you’ll enjoy a good retirement. If you invest in
cybersecurity today and keep investing, your business will be more
likely to thrive. However, good cybersecurity is also about adapting to
the changing landscape and making a business sustainable and
competitive by managing risks well today. In other words, cybersecurity
does have a present impact on the business. The trouble is that it does
not feel that way to us, because we don’t see that impact.
In the paper, the researchers also focused on the intertemporal nature
of cybersecurity. “Having experienced an attack, executives at the
consumer products company recognized that cyberattacks can’t be
prevented but must be prepared for, while the board realized that an
attack’s impact is not limited to IT but rather affects the viability of
the whole business.” For these executives, it took an attack with
massive losses to think strategically about cybersecurity. The learning
loop was closed abruptly. As humans, we are present-biased, and we
engage in things that we can enjoy right away. In the absence of this
type of feedback from experience, we have trouble thinking long-term.
Cybersecurity is a must for business
Fluid Attacks provides services that address the problems and
recommendations discussed in this post. On the one hand, we have
Continuous Hacking. This is like the seismic resistance tests we
referred to previously: vulnerabilities are identified, and customers
can know the potential damage if they remain open (an approximation to
counterfactuals). On the other hand, with our Attack Resistance
Management platform, an organization can communicate to all
stakeholders what is going on behind the scenes that could impact the
business. This amounts to adopting transparency, enabling learning for
the future, and signaling in a timely manner what needs to be done
quickly.
We hope you have enjoyed this post. Let us know what you think and
reach out to us if you want to know more about our solutions.
This is a Security Bloggers Network syndicated blog post from the Fluid Attacks RSS feed, authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/cybersecurity-strategy/