Abstract

We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.

Highlights

  • The aftermaths of recent major data breaches and cyberattacks—affecting organizations from Yahoo, Target, T-Mobile, Sony Pictures, and JP Morgan to the US Democratic National Committee—reveal how critical it is for organizations to remain vigilant and act effectively in protecting against cyber incidents

  • Using our simulation game tool, we have focused on understanding how managers make proactive investment decisions for building cybersecurity capabilities

  • The uncertainty surrounding the occurrence of cyber events, as shown in the differences in results from the two levels of the simulation game


Summary

Introduction

The aftermaths of recent major data breaches and cyberattacks—affecting organizations from Yahoo, Target, T-Mobile, Sony Pictures, and JP Morgan to the US Democratic National Committee—reveal how critical it is for organizations to remain vigilant and act effectively in protecting against cyber incidents. In December 2016, Yahoo announced that over one billion accounts had been compromised in a recent incident (Kan, 2016). The threat posed by cyberattacks will continue to grow as attacks become more sophisticated and organizations continue to implement innovative technologies that often—albeit inadvertently—introduce new, more subtle vulnerabilities. Research suggests that attackers in cyberspace are rational and motivated by economic incentives (Jalali et al, 2017), and act strategically in identifying targets and approaches (Hui et al, 2017)—in other words, “The good guys are getting better, but the bad guys are getting badder faster” (Madnick, 2017). Perhaps there was a time a decade ago when cybersecurity was only a matter of “if” an organization was going to be compromised, but today it has become a question of “when,” and “at what level.”
