By Julian Arango | October 21, 2020
Manuel Hepfer and Thomas Powell from the University of Oxford shared lessons from companies that faced ransomware attacks in the past few years. These insights were published in a recent article in MIT Sloan Management Review. In my words, the paper calls for a shift in how organizations see cybersecurity. Two aspects surprised me: first, most organizations still treat cybersecurity as merely instrumental to the business. Second, the decision sciences offer valuable tools for improving the organizational approach to cybersecurity. In this post, I describe ideas from the article in light of behavioral insights.
It was surprising to find in the paper that executives see cybersecurity as a lose-lose situation. “They felt that if their company was attacked, they would lose reputation and profit; if their company was not attacked, investments in cybersecurity would be wasted.” The acceptance of this narrative may be rooted in several cognitive biases. Salience is an essential piece here: what is in front of us drives judgments and fosters behaviors. No breach or attack means money was wasted (but what if an attack is under way and we simply don’t know it?). Conversely, if an attack or breach is confirmed, people think of losses. However, this is like saying that a construction company wastes money by testing its buildings’ seismic resistance. The lose-lose narrative implies a moving reference point, making losses appear in both situations. And since “losses loom larger than gains,” organizations underinvest, believing that they are avoiding losses.
We can use a different narrative, a different mental model, to approach cybersecurity. Threats in the digital realm and earthquakes are similar in that we don’t know when we will experience one. Organizations must also be aware that, unlike earthquakes, a cyber incident or breach can remain hidden for some time, amplifying risks and losses. Organizations must prepare continuously for cyber threats, given how quickly those threats change. That way, businesses reduce their exposure to risk, and therefore the expected value of losses goes down.
Something additional we can do is change the reference point. We can achieve this by adopting full transparency in good and bad times: making successful prevention and containment actions public and salient to stakeholders, and disclosing breaches and incidents that cause harm. Hepfer and Powell addressed this too: “Keeping cyberattacks confidential also means that best practices for responding to them are not shared and executives cannot learn from cyberattacks on other companies” (p. 15).
We can also work with top management on considering counterfactuals, for instance, by discussing questions like the following:
How many vulnerabilities have been identified and fixed? What would have happened if those vulnerabilities remained open?
How many incidents have been prevented or successfully contained with current cybersecurity efforts? Could we have had the same results without these efforts? How can we tell?
What has been the role of cybersecurity in deterring attacks or preventing errors that threaten the business at any level? Can we say confidently that no attacks and no errors would have occurred in the absence of our cybersecurity efforts?
Where do we have gaps in cybersecurity? What could happen if we don’t close those gaps in the coming weeks?
A different narrative, shifting cognitive reference points, and thinking about realistic counterfactuals can help in better positioning cybersecurity operations.
We know from psychology and marketing that the way options, messages, and situations are presented (framed) influences how they are perceived or judged. Here’s one catchy example shared by Richard Shotton: a grocery store in Stockholm wanted to sell more organic bananas than the usual non-organic ones. Rather than explaining the benefits of organic bananas, the grocer labeled the two types “organic bananas” and “bananas sprayed with pesticides.” Guess what happened next.
The same applies to information security as a field, service, or responsibility. Cybersecurity is typically framed only as an IT subject or branch, and the mental representation this creates is merely instrumental, as if it were not relevant enough. Hepfer and Powell wrote the following: “[executives] told us that their biggest mistake in the period before the NotPetya attack was to treat cybersecurity as an operational issue.” This immediate link to IT alone puts a barrier between cybersecurity and strategic thought. The company’s ability to stay in business is left in the background while IT is salient, and it only comes to the foreground later, when it is too late.
Another consequence of the usual framing is inertia, a well-known behavioral tendency. As the authors state in the paper, “the cognitive tendency is to carry on with the same strategic priorities, interpreting the absence of a cyberattack as evidence that the company is on the right track.” Furthermore, this tendency creates and preserves an illusion of control while no incident is visible. What if there is a breach that hasn’t been detected? “Cyberattacks are nonroutine and hard to plan for, and many executives have not experienced a serious cyberattack.” It appears executives inertially follow the saying “if it ain’t broke, don’t fix it.” Hepfer and Powell’s paper shows how dangerous this is.
A final comment using a behavioral lens: cybersecurity, at its core, is an intertemporal choice. Cybersecurity is about decisions we make today and the future consequences of those decisions. If you save money today and keep doing it, you’ll enjoy a good retirement. If you invest in cybersecurity today and keep investing, your business will be more likely to thrive. However, good cybersecurity is also about adapting to a changing landscape and making the business sustainable and competitive by managing risks well today. In other words, cybersecurity does have a present impact on the business. The trouble is that we do not perceive it that way, because that impact is not visible to us.
In the paper, the researchers also focused on the intertemporal nature of cybersecurity. “Having experienced an attack, executives at the consumer products company recognized that cyberattacks can’t be prevented but must be prepared for, while the board realized that an attack’s impact is not limited to IT but rather affects the viability of the whole business.” For these executives, it took an attack with massive losses to think strategically about cybersecurity. The learning loop was closed abruptly. As humans, we are present-biased, and we engage in things we can enjoy right away. In the absence of this kind of feedback from experience, we have trouble thinking long-term.
Fluid Attacks provides services that address the problems and recommendations discussed in this post. On the one hand, we have Continuous Hacking. This is like the seismic resistance tests we referred to previously: vulnerabilities are identified, and customers can learn the potential damage if those vulnerabilities remain open (an approximation to counterfactuals). On the other hand, with our Attack Surface Manager, an organization can communicate to all stakeholders what is happening behind the scenes that could impact the business. This amounts to adopting transparency, enabling learning for the future, and signaling in time what needs to be done quickly.
We hope you have enjoyed this post. Let us know what you think, and reach out to us if you want to know more about our solutions.