"So if Mr Blue Head here clicks the link...": Risk thinking in cyber security decision making

Ben Shreeve, Joseph Hallett, Matthew Edwards, Pauline Anthonysamy, Sylvain Frey, Awais Rashid

Research output: Contribution to journal › Article (Academic Journal)

Abstract

Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts, and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision-makers’ risk thinking—their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing data set derived from a tabletop cyber-physical systems security game [16]. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by the likes of NIST-800-53 [22] and ISO27001 [21]) are followed neither substantially nor exclusively when it comes to decision-making. Instead, our analysis finds that decision-making is affected by the plasticity of teams: that is, the ability to readily switch between ideas and to practise both risk-first and opportunity-first reasoning.
Original language: English
Journal: ACM Transactions on Privacy and Security
DOIs
Publication status: Accepted/In press - 19 Aug 2020

Structured keywords

  • Cyber Security
  • decision making
  • cybersecurity professions
  • Jean Golding
