The Rest of the Cybersecurity Story

Semiconscious decision-making is a common but too often unacknowledged cause of cyber risks.

Reading Time: 8 min 


Permissions and PDF

News stories about cyberattacks — SolarWinds, Colonial Pipeline, Capital One, Equifax, and many others — have become all too common. The stories usually focus on what happened, with little about the “how” and almost nothing about the “why.” But when the “why” isn’t examined, the circumstances that made the cyberattack possible are rarely addressed. What’s the rest of the story?1

Consider a simple example: A bank is robbed; that’s the “what.” The “how” might be that the burglar alarm failed to go off. And that’s usually the end of the story: There was an unfortunate malfunction.

But digging deeper, we might learn that the alarm system was known to be old and unreliable. Funds had been allocated to replace it, but someone in management decided to instead use them for a marketing campaign to attract more customers.

I call this semiconscious decision-making, because someone made a decision — not to replace the burglar alarm — without considering the possible consequences of that choice, namely, losing all the cash. In essence, that decision created the circumstance for the robbery.

That isn’t just an interesting hypothetical example; our Cybersecurity at MIT Sloan (CAMS) research group studied many cyberattacks and found that every major attack was a result of semiconscious decision-making, which is rarely studied and thus rarely corrected.

Multiple Layers of Defense

There’s an adage that thieves have an advantage because they only have to find one way in, whereas the defenders must be sure that every entryway is locked. But actually, defenders often have the advantage.

In the case of a cyberattack, this is because the attacker must successfully complete multiple steps, each of which offers the defender an opportunity to halt the intrusion or at least mitigate its impact. Effectively, the attacker must find not simply a single way in but the precise sequence of steps that will enable the cyberattack to succeed.

What’s the rest of the story behind our bank robbery example? It might not be reported that the bank president had given the vault lock code to an assistant, written on a piece of paper left atop the assistant’s desk, which the burglars were able to find.



1.The Rest of the Story” was a radio segment that aired for more than 30 years, ending in 2009. In each episode, host Paul Harvey presented the backstories of historical events and always ended his broadcasts with the tagline “And now you know the rest of the story.”

Reprint #:


More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.