A Behavioral Science Perspective
WHY EXECUTIVES UNDERINVEST IN CYBERSECURITY
HackerOne + ideas42 Webinar | October 10, 2017
© 2017 ideas42 2
What is ideas42?
We use insights from the behavioral sciences to design solutions to some of the world’s most persistent social problems.
WHAT WE’LL COVER TODAY
• Dive into why executives underinvest in cybersecurity
• Examine the question through the lens of behavioral science
• Point to steps security executives and professionals can take to motivate decision makers to invest more in cybersecurity
WE DID OUR RESEARCH!
60+ Expert Interviews
120+ Research Articles
A QUICK PRIMER ON BEHAVIORAL SCIENCE
4 behavioral reasons why executives underinvest in cybersecurity, and what you can do about it
1. Thinking about risk differently
PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS
CISO: They aren’t making patches for these legacy servers anymore, so we can’t update the firmware, leaving us open to attack. They should be replaced as soon as possible.
CEO: What does that have to do with the price of codfish in China?
PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS
CISO: Risks to security infrastructure
CEO: Risks to the organization as a whole
SOLUTION: REFRAME RISKS IN VIVID TERMS FOR EXECUTIVES
TRANSLATION
Cyber Problem: Legacy servers are unpatched and need to be replaced or else risk an attack
Org Problem: Legacy servers are where the accounting system lives, and if that goes down we’ll lose all our financial data
Ok, take my $$$
2. Opposing mental models
PROBLEM: OPPOSING MENTAL MODELS
Chaos and complexity
Simplified mental model
PROBLEM: OPPOSING MENTAL MODELS
A simplified mental model:
• Supports quick thinking
• Organizes and integrates new information
• Makes predictions about future changes
• Influences attention
PROBLEM: OPPOSING MENTAL MODELS
How a security expert thinks about cybersecurity
How the CEO thinks about cybersecurity
SOLUTION: REFRAME METRICS FOR SUCCESS
MITIGATION: Success == No breaches
MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them
SOLUTION: REFRAME METRICS FOR SUCCESS
MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them
Focus is no longer on the system, but on the process
In addition to detection, core competencies now also include identification and remediation
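The management framing above replaces a single outcome metric (no breaches) with process metrics: how much was found, how much was fixed, how quickly, and what is overdue. The script below is an added example, not from the webinar or from ideas42, showing what such a metrics report looks like when computed from a constructed list of findings; the finding records, the per-severity SLA values and the report date are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    """One vulnerability finding from a scanner, a pentest or a bug bounty report."""
    id: str
    severity: str          # "critical", "high", "medium" or "low"
    found: date            # date the finding was identified
    fixed: Optional[date]  # date remediation was verified; None while still open


# Assumed remediation SLA per severity, in days (a policy choice, not a page value).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the report is generated (constructed).
REPORT_DATE = date(2017, 10, 10)

# Constructed sample findings; the ids and dates are invented for the example.
FINDINGS = [
    Finding("F-001", "critical", date(2017, 8, 1), date(2017, 8, 5)),   # 4 days, within SLA
    Finding("F-002", "high", date(2017, 8, 3), date(2017, 9, 10)),      # 38 days, past SLA
    Finding("F-003", "high", date(2017, 8, 10), date(2017, 8, 30)),     # 20 days, within SLA
    Finding("F-004", "medium", date(2017, 8, 15), None),                # open, inside SLA
    Finding("F-005", "low", date(2017, 9, 1), date(2017, 9, 20)),       # 19 days, within SLA
    Finding("F-006", "critical", date(2017, 9, 12), None),              # open and overdue
]


def process_metrics(findings, as_of):
    """Return the process metrics a program manager would report:
    volume found, volume fixed, mean time-to-remediate per severity,
    SLA adherence for fixed items, and open items already past their SLA."""
    fixed = [f for f in findings if f.fixed is not None]
    still_open = [f for f in findings if f.fixed is None]

    # Mean time-to-remediate (days) per severity, only for severities with fixed items.
    mean_ttr = {}
    for sev in SLA_DAYS:
        days = [(f.fixed - f.found).days for f in fixed if f.severity == sev]
        if days:
            mean_ttr[sev] = mean(days)

    within_sla = sum(1 for f in fixed if (f.fixed - f.found).days <= SLA_DAYS[f.severity])
    overdue_open = [f.id for f in still_open if (as_of - f.found).days > SLA_DAYS[f.severity]]

    return {
        "found": len(findings),
        "fixed": len(fixed),
        "open": len(still_open),
        "mean_ttr_days": mean_ttr,
        "fixed_within_sla_pct": round(100 * within_sla / len(fixed), 1) if fixed else None,
        "overdue_open": overdue_open,
    }


if __name__ == "__main__":
    for key, value in process_metrics(FINDINGS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Every number in the output is about the process (identification and remediation throughput), so the report still has something to say in a quarter with no breach, which is exactly the reframing the slide asks for.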
3. Overconfidence in current investments
PROBLEM: OVERCONFIDENCE IN INVESTMENTS
[Chart: “Is your cybersecurity program better than average?”, Yes vs. No responses, 0 to 90 axis]
Overconfidence much?
46% of surveyed CISOs believed that their company was investing enough, but only 7% believed that their peers were.*
* Moore, T., Dynes, S., & Chang, F. R. (2016). Identifying how firms manage cybersecurity investment. University of California, Berkeley.
PROBLEM: OVERCONFIDENCE IN INVESTMENTS
Context: Standards
Context: Bad Feedback Systems
SOLUTION: CLEAR BENCHMARKING
How’s my cybersecurity program?
[Scale from 0% to 100% marking: your company’s score, the average score in your domain, the top 10% in your domain]
• Baseline against similar firms
• Poll other firms about their own practices
• Poll peers about how well your own firm is doing relative to others
• Integrate others’ best practices
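The benchmarking slide places one firm's score against the domain average and the top 10%, and the earlier overconfidence slide contrasts how firms rate themselves with how they rate their peers. The code below is an added example, not from the webinar or from ideas42, that computes both views from constructed numbers: a domain score distribution, our own score, our self-rating and the ratings peers gave us are all invented inputs for illustration.

```python
from statistics import mean

# Constructed peer scores (0-100) for firms in the same domain; not survey data.
DOMAIN_SCORES = [42, 55, 61, 63, 67, 70, 72, 74, 78, 81, 85, 88, 91, 94, 97]
OWN_SCORE = 76                          # our assessed score (constructed)
SELF_RATING = 85                        # how we rated our own program (constructed)
PEER_RATINGS_OF_US = [70, 74, 68, 72]   # how polled peers rated our program (constructed)


def benchmark(own_score, peer_scores, top_fraction=0.10):
    """Place own_score against the domain: average, top-decile threshold,
    percentile rank, and the gap still to close to reach the top group."""
    ranked = sorted(peer_scores)
    at_or_below = sum(1 for s in ranked if s <= own_score)
    percentile = round(100 * at_or_below / len(ranked))
    # Score the top `top_fraction` of the domain meets or exceeds (at least one firm).
    top_n = max(1, round(len(ranked) * top_fraction))
    top_threshold = ranked[-top_n]
    return {
        "own": own_score,
        "domain_average": round(mean(ranked), 1),
        "top_threshold": top_threshold,
        "percentile": percentile,
        "gap_to_top": max(0, top_threshold - own_score),
    }


def perception_gap(self_rating, peer_ratings):
    """Compare our self-assessment with the average rating peers gave us;
    a large positive gap is the overconfidence signal the slides describe."""
    peer_view = round(mean(peer_ratings), 1)
    return {"self": self_rating, "peers": peer_view, "gap": round(self_rating - peer_view, 1)}


if __name__ == "__main__":
    print(benchmark(OWN_SCORE, DOMAIN_SCORES))
    print(perception_gap(SELF_RATING, PEER_RATINGS_OF_US))
```

Reporting the three numbers from the slide (own score, domain average, top-10% threshold) next to the self-versus-peer gap gives an executive a feedback signal the standards-only context lacks.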
4. Attention is on the wrong things
PROBLEM: ATTENTION IS ON WRONG THINGS
Unhelpful Mental Models
Availability Bias
PROBLEM: ATTENTION IS ON WRONG THINGS
Attention
SOLUTION: BREAK THE SYSTEM
Pentesting and bug bounty programs
Make key decision makers the victims of internally initiated (and safe) attacks
To summarize…
FOUR KEY TAKEAWAYS FOR INCREASING EXECUTIVE INVESTMENT IN CYBER
1. Vividly connect cyber risks to organizational risks for execs
2. Use process metrics as opposed to outcome metrics to “fix” executives’ mental models about cyber programs
3. Survey your peers to help curb overconfidence
4. Break the system (with help)!
TO LEARN MORE!
Check out: Deep Thought: A Cybersecurity Story at ideas42.org/cyber
Check out: The Behavioral Economics of Why Executives Underinvest in Cybersecurity at HBR.org
THANK YOU!
ablau@ideas42.org
Q&A