Abstract
Cyber security decision making is inherently complicated: nearly every decision has knock-on consequences for an organisation’s vulnerability and exposure. This is compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security controls the organisation already has in place, while having to choose among a multitude of security options that they may only partially understand. Decision makers meet this challenge through their risk thinking, that is, their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by standards such as NIST SP 800-53 and ISO/IEC 27001) are followed neither substantially nor exclusively in practice. Instead, our analysis finds that decision making is shaped by the plasticity of teams, that is, their ability to switch readily between ideas and to practise both risk-first and opportunity-first reasoning.
- Douglas G. Altman. 1990. Practical Statistics for Medical Research. CRC Press, Boca Raton, FL.
- Kristian Beckers and Sebastian Pape. 2016. A serious game for eliciting social engineering security requirements. In Proceedings of the 2016 IEEE 24th International Requirements Engineering Conference (RE’16). IEEE, Los Alamitos, CA, 16--25.
- Kevin Bock, George Hughey, and Dave Levin. 2018. King of the Hill: A novel cybersecurity competition for teaching penetration testing. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE’18). 9.
- Lawrence D. Bodin, Lawrence A. Gordon, and Martin P. Loeb. 2005. Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 48, 2 (2005), 78--83.
- Lawrence D. Bodin, Lawrence A. Gordon, and Martin P. Loeb. 2008. Information security and risk management. Communications of the ACM 51, 4 (2008), 64.
- Gary Bornstein, Tamar Kugler, and Anthony Ziegelmeyer. 2004. Individual and group decisions in the centipede game: Are groups more “rational” players? Journal of Experimental Social Psychology 40, 5 (2004), 599--605.
- Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. 2004. A model for evaluating IT security investments. Communications of the ACM 47, 7 (2004), 87--92.
- Clare Chua Chow and Rakesh K. Sarin. 2002. Known, unknown, and unknowable uncertainties. Theory and Decision 52, 2 (2002), 127--138.
- Lizzie Coles-Kemp and Richard E. Overill. 2007. On the role of the facilitator in information security risk assessment. Journal in Computer Virology 3, 2 (2007), 143--148.
- Louis Anthony Cox Jr. 2008. Some limitations of “risk = threat × vulnerability × consequence” for risk analysis of terrorist attacks. Risk Analysis: An International Journal 28, 6 (2008), 1749--1761.
- James W. Dean Jr. and Mark P. Sharfman. 1996. Does decision process matter? A study of strategic decision-making effectiveness. Academy of Management Journal 39, 2 (1996), 368--392.
- Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno. 2013. Control-Alt-Hack: The design and evaluation of a card game for computer security awareness and education. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS’13). ACM, New York, NY, 915--928. DOI: https://doi.org/10.1145/2508859.2516753
- Julie S. Downs, Mandy Holbrook, and Lorrie Faith Cranor. 2007. Behavioral response to phishing risk. In Proceedings of the Anti-Phishing Working Group’s 2nd Annual eCrime Researchers Summit. ACM, New York, NY, 37--44.
- Julie S. Downs, Mandy B. Holbrook, and Lorrie Faith Cranor. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the 2nd Symposium on Usable Privacy and Security (SOUPS’06). ACM, New York, NY, 79--90.
- Daniel Feledi, Stefan Fenz, and Lukas Lechner. 2013. Toward web-based information security knowledge sharing. Information Security Technical Report 17, 4 (2013), 199--209.
- Sylvain Frey, Awais Rashid, Pauline Anthonysamy, Maria Pinto-Albuquerque, and Syed Asad Naqvi. 2019. The good, the bad and the ugly: A study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering 45, 5 (2019), 521--536.
- Yolanda Gil and Donovan Artz. 2007. Towards content trust of web resources. Web Semantics: Science, Services and Agents on the World Wide Web 5, 4 (2007), 227--239.
- Deborah L. Gladstein and Nora P. Reilly. 1985. Group decision making under threat: The tycoon game. Academy of Management Journal 28, 3 (1985), 613--627.
- Mark Gondree and Zachary N. J. Peterson. 2013. Valuing security by getting [d0x3d!]: Experiences with a network security board game. In Proceedings of the 6th Workshop on Cyber Security Experimentation and Test (CSET’13). 8.
- Lawrence A. Gordon and Martin P. Loeb. 2002. The economics of information security investment. ACM Transactions on Information and System Security 5, 4 (2002), 438--457.
- ISO/IEC. 2013. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements. Technical Report. ISO/IEC. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
- Information Technology Laboratory (ITL). 2015. NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Technical Report. NIST, Gaithersburg, MD.
- Mohammad S. Jalali, Michael Siegel, and Stuart Madnick. 2019. Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment. Journal of Strategic Information Systems 28, 1 (2019), 66--82.
- Ann C. Keller, Chris K. Ansell, Arthur L. Reingold, Mathilde Bourrier, Mark D. Hunter, Sahai Burrowes, and Theresa M. MacPhail. 2012. Improving pandemic response: A sensemaking perspective on the spring 2009 H1N1 pandemic. Risk, Hazards & Crisis in Public Policy 3, 2 (2012), 1--37.
- Kari Kelton, Kenneth R. Fleischmann, and William A. Wallace. 2008. Trust in digital information. Journal of the American Society for Information Science and Technology 59, 3 (2008), 363--374.
- James Kendra and Tricia Wachtendorf. 2006. The Waterborne Evacuation of Lower Manhattan on September 11: A Case of Distributed Sensemaking. Disaster Research Center.
- Martin G. Kocher and Matthias Sutter. 2006. Time is money—Time pressure, incentives, and the quality of decision-making. Journal of Economic Behavior & Organization 61, 3 (2006), 375--392.
- Gary McGraw. 1997. Testing for security during development: Why we should scrap penetrate-and-patch. In Proceedings of the 12th Annual Conference on Computer Assurance (COMPASS’97). IEEE, Los Alamitos, CA, 117--119.
- Andrew M’manga, Shamal Faily, John McAlaney, and Christopher Williams. 2017. Folk risk analysis: Factors influencing security analysts’ interpretation of risk. In Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS’17).
- Tyler Moore, Scott Dynes, and Frederick R. Chang. 2015. Identifying How Firms Manage Cybersecurity Investment. Technical Report. Darwin Deason Institute for Cybersecurity, Southern Methodist University. http://blog.smu.edu/research/files/2015/10/SMU-IBM.pdf
- John R. Morelock and Zachary Peterson. 2018. Authenticity, ethicality, and motivation: A formal evaluation of a 10-week computer security alternate reality game for CS undergraduates. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE’18). 11.
- Sai T. Moturu and Huan Liu. 2011. Quantifying the trustworthiness of social media content. Distributed and Parallel Databases 29, 3 (2011), 239--260.
- National Bureau of Standards. 1975. Guideline for Automatic Data Processing Risk Analysis. Federal Information Processing Standards Publication (FIPS PUB) 65.
- Jason R. C. Nurse, Sadie Creese, Michael Goldsmith, and Koen Lamberts. 2011. Trustworthy and effective communication of cybersecurity risks: A review. In Proceedings of the 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST’11). IEEE, Los Alamitos, CA, 60--68.
- Cabinet Office. 2011. Keeping the Country Running: Natural Hazards and Infrastructure. Cabinet Office.
- Alison J. Pickard, Pat Gannon-Leary, and Lynne Coventry. 2010. Trust in ‘E’: Users’ trust in information resources in the web environment. In Proceedings of the International Conference on ENTERprise Information Systems. 305--314.
- Rex Kelly Rainer Jr., Charles A. Snyder, and Houston H. Carr. 1991. Risk analysis for information technology. Journal of Management Information Systems 8, 1 (1991), 129--147.
- Ortwin Renn. 1998. The role of risk perception for risk management. Reliability Engineering & System Safety 59, 1 (1998), 49--62.
- Ortwin Renn. 2008. Risk Governance: Coping with Uncertainty in a Complex World. Routledge.
- John R. Searle, Ferenc Kiefer, and Manfred Bierwisch. 1980. Speech Act Theory and Pragmatics. Vol. 10. Springer.
- Adam Shostack. 2014. Elevation of privilege: Drawing developers into threat modeling. In Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE’14).
- Paul Slovic. 1987. Perception of risk. Science 236, 4799 (1987), 280--285.
- Joseph St. Germain and Gershon Tenenbaum. 2011. Decision-making and thought processes among poker players. High Ability Studies 22, 1 (2011), 3--17.
- William H. Starbuck and Frances J. Milliken. 1988. Executives’ perceptual filters: What they notice and how they make sense. In The Executive Effect: Concepts and Methods for Studying Top Managers, D. Hambrick (Ed.). JAI Press, 33--65.
- Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, and Michelle L. Mazurek. 2018. The battle for New York: A case study of applied digital threat modeling at the enterprise level. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). 621--637.
- Detmar W. Straub and Richard J. Welke. 1998. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22, 4 (1998), 441--469.
- Lucy Suchman. 2007. Human-Machine Reconfigurations. Cambridge University Press.
- Ping An Wang and Easwar Nyshadham. 2011. Knowledge of online security risks and consumer decision making: An experimental study. In Proceedings of the 2011 44th Hawaii International Conference on System Sciences (HICSS’11). IEEE, Los Alamitos, CA, 1--10.
- Karl E. Weick. 1993. The collapse of sensemaking in organizations: The Mann Gulch disaster. Administrative Science Quarterly 38 (1993), 628--652.
- Karl E. Weick. 1995. Sensemaking in Organizations. Vol. 3. Sage.
- Darius Wiles and Dave Dugal. 2015. Common Vulnerability Scoring System v3.0: Specification Document. Technical Report. FIRST.
- Yan Xu, Evan Barba, Iulian Radu, Maribeth Gandy, and Blair MacIntyre. 2011. Chores are fun: Understanding social play in board games for digital tabletop game design. In Proceedings of the 2011 DiGRA International Conference.
“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making