The Trouble With Cybersecurity Management

When navigating complexity in cybersecurity, iterative learning may have more impact than managerial experience.

Cybersecurity is becoming top of mind for customers and organizations, as highly publicized data breaches and cyberattacks at large corporations have revealed just how much damage a hacker can do by accessing or manipulating an organization’s systems. In addition to the immediate financial and operational consequences, a breached business often faces class-action lawsuits, regulatory fines, damage to its reputation, and a string of other ramifications.

Consider Yahoo. In April 2018, the company agreed to pay a $35 million fine for failing to report a 2014 data breach in which hackers stole personal information from hundreds of millions of user accounts. A month prior, a judge had ruled that the victims of the data breach had the right to sue Yahoo for negligence and breach of contract for not disclosing its systems’ security weaknesses.

Yahoo is not alone; a startling number of companies have faced public relations disasters surrounding security breaches in the past few years. On the one hand, the trend makes sense; cyberattacks are becoming more common than ever as hackers become more adept at penetrating systems. On the other hand, it doesn’t make sense, because while those carrying out cyberattacks are gaining more tools, so are the specialists who defend against them. Cybersecurity practices can — and need to — be better.

Despite the publicity around the Yahoo breach and other cases, most organizations still perform poorly with respect to cybersecurity management. Companies do not respond properly to cyber risk — instead, they underestimate or altogether ignore potential threats, or they rely solely on generic, off-the-shelf cybersecurity solutions. According to a 2017 report, a mere 19% of chief information security officers are confident about their companies’ abilities to address a cybersecurity incident.

Today’s ever-increasing cyber risks require businesses to use proactive decision-making in cybersecurity capability development. Allocating resources to cybersecurity should be a top priority of any manager. If an organization has strong cybersecurity protections and protocols in place before a breach, that organization can recover more quickly and incur fewer costs from cyberattacks. Unfortunately, proactive decision-making at the managerial level isn’t always easy or intuitive.

Complexity in Cybersecurity

It is best to work to comprehend cybersecurity in its full complexity, but complex systems are hardly intuitive. Managers’ problem-solving methods are typically reactive and event-oriented, meaning they will attempt to solve problems only after they occur. However, this approach fails to address connections among system components and delays between cause and effect. Like other complex systems, cybersecurity involves a variety of unpredictable variables that complicate the task of building effective cybersecurity capabilities.

As a systems scientist at MIT Sloan School of Management, I have made cybersecurity decision-making one of the central areas of my research. My colleagues and I recently set out to investigate a major question of cybersecurity development: How does managerial experience affect decision-making in cybersecurity?

Putting Experience to the Test

We developed a “management flight simulator” game to measure how different individuals invest in cybersecurity development. Though the game involves no flying — real or simulated — it is inspired by the flight simulators used by aircraft pilots. Pilots’ training relies on virtual simulators to develop familiarity with the typical course of a flight and to build responsiveness to obstacles without fear of real-world consequences. In the same way, players use the management flight simulator to practice the critical decision-making duties that they perform for their organizations on a daily basis. In our study, those decisions involved cybersecurity investments and operations.

The two groups studied consisted of experienced managers and inexperienced students. The experienced group had an average history of 15 years in IT and cybersecurity positions in a variety of industries, while the inexperienced group was composed of graduate students preparing to take an introductory course on information technology. The flight simulator placed players in a virtual setting in which they were tasked with allocating resources to cybersecurity capabilities.

Success in the game is based on a player’s ability to make a high accumulated profit at the end of the simulated five-year period. The key to winning is proactive decision-making, shown by investing very early on, before an attack can occur. When proactive players invest in cybersecurity, they make noticeably less profit than reactive players in the early stages of the game. But once cyberattacks begin to occur, proactive players perform much better over the rest of the simulation.

Perhaps surprisingly, experienced managers performed no better than inexperienced players in the game. Furthermore, inexperienced players appeared to adapt more easily to random attacks, whereas experienced managers struggled when cyberattacks occurred at unpredictable — rather than fixed — intervals.

Managerial Biases

Past research actually offers an explanation. In general, experienced managers tend to turn to processes that have worked well in the past. They may not adapt as quickly to new situations or technologies, because they’ve already developed routines and decision-making habits over the course of their tenures in their fields. Managers are unlikely to invest time and resources in defense or recovery for something that doesn’t seem like a real possibility. A manager’s assessment of probability is often based on perceptual characteristics, such as distance, scale, or size. Before a company has experienced a cyberattack firsthand, the probability of an attack is hard to gauge, and the perceived likelihood of one taking place shrinks accordingly.

This is not to say that experienced managers are a lost cause or that we recommend hiring inexperienced students to make decisions regarding cybersecurity. Rather, our findings point to a greater issue. Research shows that humans do not have strong intuition when it comes to low-probability, high-consequence scenarios. In the case of cybersecurity, a rational decision-maker invests in information security if the investment yields a positive return, that is, if the cost of the investment is less than that of the risk it eliminates. Difficulties in measuring the costs and benefits of information security investments cloud the vision of the rational decision-maker. In addition to a high level of complexity, there is also a lack of historical data, of effective metrics related to cyberattacks, and of knowledge concerning the type and range of uncertainties involved.
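As an added illustration of the early-loss, late-gain pattern the game rewards and of the cost-versus-risk rule just described, the following toy model is constructed here; it is not the study’s flight simulator, and the monthly revenue, security budget, six-month lag before spending becomes capability, and per-attack loss are all assumed values:

```python
import random
from dataclasses import dataclass


@dataclass
class Params:                 # all values are assumed, for illustration only
    months: int = 60          # five-year horizon, as in the article's game
    revenue: float = 100.0    # monthly profit before security costs and losses
    spend: float = 8.0        # monthly security budget once a player invests
    delay: int = 6            # months of spending needed to build full capability
    max_loss: float = 400.0   # loss an attack inflicts on a firm with no capability


def simulate(policy: str, attack_months: set[int], p: Params = Params()) -> list[float]:
    """Cumulative profit after each month for a 'proactive' or 'reactive' player.

    Proactive players invest from month 0; reactive players start only after the
    first attack lands. Capability lags spending: it is the share of the last
    `delay` months in which the firm invested, so money spent now protects later.
    """
    investing = policy == "proactive"
    spent: list[bool] = []                      # did the firm invest in each past month?
    cumulative, trajectory = 0.0, []
    for t in range(p.months):
        capability = sum(spent[-p.delay:]) / p.delay
        loss = p.max_loss * (1 - capability) if t in attack_months else 0.0
        cost = p.spend if investing else 0.0
        cumulative += p.revenue - cost - loss
        trajectory.append(cumulative)
        spent.append(investing)
        if policy == "reactive" and t in attack_months:
            investing = True                    # the reactive player reacts only once hit
    return trajectory


def random_attacks(p: Params = Params(), mean_gap: int = 12, seed: int = 1) -> set[int]:
    """Attack months at unpredictable intervals (the case the experienced managers found hardest)."""
    rng, t, months = random.Random(seed), 0, set()
    while (t := t + rng.randint(1, 2 * mean_gap - 1)) < p.months:
        months.add(t)
    return months


if __name__ == "__main__":
    for name, attacks in (("fixed", {12, 24, 36, 48}), ("random", random_attacks())):
        pro, rea = simulate("proactive", attacks), simulate("reactive", attacks)
        print(f"{name} schedule: after 6 months proactive={pro[5]:.0f} reactive={rea[5]:.0f}; "
              f"after 60 months proactive={pro[-1]:.0f} reactive={rea[-1]:.0f}")
```

With the fixed schedule the reactive player is ahead for the first year and behind by the end of the horizon; shortening `delay` or lowering `max_loss` moves the crossover point, which is the kind of feedback-delay effect the simulator is meant to make visible.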

Applying Training Tools

Though experienced managers did not fare better than inexperienced students in terms of their overall earnings in the game, a significant positive correlation was observed between the number of runs they played in the game and their success. Training tools like the management flight simulator are essential for managers to improve their decision-making and build effective cybersecurity systems in organizations. Through iterative learning, managers observe the complexities of cybersecurity and the power of feedback delays, and they learn effective methods for facing trade-offs and optimizing strategy development.

Management flight simulators are useful in that they allow users to observe the long-term consequences of a decision or a series of decisions. They also facilitate an iterative learning process — managers can implement their decisions, advance the game, monitor the impact of their decisions over time, reset the simulation, and repeat the process with different sets of decisions. Similar applications have been developed in other fields, like climate policy and health policy.

Cybersecurity concerns don’t just affect IT departments and isolated response teams. Though it can often seem abstract or merely technological, cybersecurity, when improperly managed, can have very tangible consequences. Considering the financial risk involved, the responsibility of addressing cybersecurity issues should belong to managers at high organizational levels. Greater awareness of cybersecurity’s complexity and training programs like simulation models are increasingly necessary for managers to prepare for the reality of dealing with cyber threats.