Abstract
Cyber security decision making is inherently complicated: nearly every decision has knock-on consequences for an organisation's vulnerability and exposure. This is compounded by the fact that the actors making those decisions are rarely security experts and may have an incomplete understanding of the security controls the organisation already has in place, while contending with a multitude of possible security options that they may only partially understand. This challenge is met by decision-makers' risk thinking: their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing data set derived from a tabletop cyber-physical systems security game [16]. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by standards such as NIST SP 800-53 [22] and ISO 27001 [21]) are followed neither substantially nor exclusively in practice. Instead, our analysis finds that decision-making is shaped by the plasticity of teams, that is, their ability to switch readily between ideas and to practise both risk-first and opportunity-first reasoning.
| Field | Value |
|---|---|
| Original language | English |
| Article number | 5 |
| Number of pages | 29 |
| Journal | ACM Transactions on Privacy and Security |
| Volume | 24 |
| Issue number | 1 |
| Publication status | Published - 1 Nov 2020 |
Research Groups and Themes
- Cyber Security
- decision making
- cybersecurity professions
- Jean Golding
Title: "So if Mr Blue Head here clicks the link...": Risk thinking in cyber security decision making

Projects (2 finished)
- DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack. Rashid, A. (Principal Investigator). 1/01/18 → 31/10/20. Project: Research
- MUMBA: Multi-faceted Metrics for ICS Business Risk Analysis. Rashid, A. (Principal Investigator). 1/10/14 → 31/12/17. Project: Research