Decision-makers at enterprises see cyber-security as a finite problem that can be solved and not as an ongoing issue which needs to be managed better, a study conducted by research firm ideas42 reveals.
Researchers noted that decision-makers often rely on biased judgments to determine how much investment cyber-security requires.
In a recent blog post published by Harvard Business Review, Alex Blau, Vice President at research firm ideas42, which analyses the impact of human behaviour on challenges faced by society, notes that decision-makers at organisations, more often than not, use their personal judgment to find ways to tackle challenges posed by cyber-criminals.
By doing so, decision-makers, including Board members, often tend to ignore empirical evidence on existing cyber-security challenges and also question investments in cyber-security based on past experiences or by playing down potential threats.
"They may also fail to consider the counterfactual thinking — We didn’t have a breach this year, so we don’t need to ramp up investment — when in reality they probably either got lucky this year or are unaware that a bad actor is lurking in their system, waiting to strike," Blau wrote in his blog post.
"The problem with these mental models is that they treat cyber security as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find the cracks in the wall," he added.
In order to ensure that an organisation's cyber-security infrastructure receives adequate investment and focus, Blau states that cyber-security officials must present problems to a decision-maker in a way that appeals to the latter's emotions and line of thinking. For example, by stressing that a future cyber-attack may result in customer data loss, high regulatory costs and loss of reputation, cyber-security officials can ensure that decision-makers care deeply about such situations and invest accordingly.
At the same time, cyber-security officials must regularly test an organisation's firewalls and other systems to uncover vulnerabilities. Discovering more vulnerabilities and fixing them ensures that they cannot be exploited by outside attackers, and decision-makers must incentivise cyber-security teams for uncovering potential risks, instead of viewing them as shortcomings, Blau adds.
Cyber-security officials must show a company's decision-makers comparative charts of how much they are investing in cyber-security compared to their rival firms. They should regularly poll CISOs and executives to find out best practices implemented by other firms and compare them with their own internal guidelines. By presenting such information to decision-makers with complete clarity, officials may succeed in convincing them to modify existing cyber-security practices.
Blau added that another way to make decision-makers focus on cyber-security is to have them treat all challenges equally rather than selectively. "For instance, in the wake of a newsworthy hack, CEOs may push their teams to ramp up investment in cyberinfrastructure to protect against external threats. But in doing so they may be inattentive to unwitting internal threats that may be just as costly — employees clicking on bad links, or falling for phishing attacks."
Internal cyber-security teams at organisations should also make the top bosses the biggest targets when conducting mock cyber-attacks or phishing exercises to root out vulnerabilities. If the CEO falls victim to such an exercise, his or her attention may naturally shift to the risks that already exist, which may convince him or her to increase investment in cyberinfrastructure.