"So if Mr Blue Head here clicks the link...": Risk thinking in cyber security decision making

Ben Shreeve, Joseph Hallett, Matthew Edwards, Pauline Anthonysamy, Sylvain Frey, Awais Rashid

Research output: Contribution to journal, Article (Academic Journal), peer-reviewed

6 Citations (Scopus)
390 Downloads (Pure)


Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts, and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision-makers’ risk thinking: their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing data set derived from a tabletop cyber-physical systems security game [16]. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by the likes of NIST SP 800-53 [22] and ISO 27001 [21]) are followed neither substantially nor exclusively when it comes to decision-making. Instead, our analysis finds that decision-making is affected by the plasticity of teams: that is, their ability to readily switch between ideas and to practise both risk-first and opportunity-first reasoning.
Original language: English
Article number: 5
Number of pages: 29
Journal: ACM Transactions on Privacy and Security
Issue number: 1
Publication status: Published - 1 Nov 2020

Structured keywords

  • Cyber Security
  • decision making
  • cybersecurity professions
  • Jean Golding


