
“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

Published: 8 November 2020

Abstract

Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security controls the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision makers’ risk thinking: their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by the likes of NIST SP 800-53 and ISO 27001) are followed neither substantially nor exclusively when it comes to decision making. Instead, our analysis finds that decision making is shaped by the plasticity of teams, that is, their ability to switch readily between ideas and to practise both risk-first and opportunity-first reasoning.

References

  1. Douglas G. Altman. 1990. Practical Statistics for Medical Research. CRC Press, Boca Raton, FL.
  2. Kristian Beckers and Sebastian Pape. 2016. A serious game for eliciting social engineering security requirements. In Proceedings of the 2016 IEEE 24th International Requirements Engineering Conference (RE’16). IEEE, Los Alamitos, CA, 16--25.
  3. Kevin Bock, George Hughey, and Dave Levin. 2018. King of the Hill: A novel cybersecurity competition for teaching penetration testing. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE’18). 9.
  4. Lawrence D. Bodin, Lawrence A. Gordon, and Martin P. Loeb. 2005. Evaluating information security investments using the analytic hierarchy process. Communications of the ACM 48, 2 (2005), 78--83.
  5. Lawrence D. Bodin, Lawrence A. Gordon, and Martin P. Loeb. 2008. Information security and risk management. Communications of the ACM 51, 4 (2008), 64.
  6. Gary Bornstein, Tamar Kugler, and Anthony Ziegelmeyer. 2004. Individual and group decisions in the centipede game: Are groups more “rational” players? Journal of Experimental Social Psychology 40, 5 (2004), 599--605.
  7. Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan. 2004. A model for evaluating IT security investments. Communications of the ACM 47, 7 (2004), 87--92.
  8. Clare Chua Chow and Rakesh K. Sarin. 2002. Known, unknown, and unknowable uncertainties. Theory and Decision 52, 2 (2002), 127--138.
  9. Lizzie Coles-Kemp and Richard E. Overill. 2007. On the role of the facilitator in information security risk assessment. Journal in Computer Virology 3, 2 (2007), 143--148.
  10. Louis Anthony Cox Jr. 2008. Some limitations of “risk = threat × vulnerability × consequence” for risk analysis of terrorist attacks. Risk Analysis: An International Journal 28, 6 (2008), 1749--1761.
  11. James W. Dean Jr. and Mark P. Sharfman. 1996. Does decision process matter? A study of strategic decision-making effectiveness. Academy of Management Journal 39, 2 (1996), 368--392.
  12. Tamara Denning, Adam Lerner, Adam Shostack, and Tadayoshi Kohno. 2013. Control-Alt-Hack: The design and evaluation of a card game for computer security awareness and education. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS’13). ACM, New York, NY, 915--928. DOI: https://doi.org/10.1145/2508859.2516753
  13. Julie S. Downs, Mandy Holbrook, and Lorrie Faith Cranor. 2007. Behavioral response to phishing risk. In Proceedings of the Anti-Phishing Working Group’s 2nd Annual eCrime Researchers Summit. ACM, New York, NY, 37--44.
  14. Julie S. Downs, Mandy B. Holbrook, and Lorrie Faith Cranor. 2006. Decision strategies and susceptibility to phishing. In Proceedings of the 2nd Symposium on Usable Privacy and Security (SOUPS’06). ACM, New York, NY, 79--90.
  15. Daniel Feledi, Stefan Fenz, and Lukas Lechner. 2013. Toward web-based information security knowledge sharing. Information Security Technical Report 17, 4 (2013), 199--209.
  16. Sylvain Frey, Awais Rashid, Pauline Anthonysamy, Maria Pinto-Albuquerque, and Syed Asad Naqvi. 2019. The good, the bad and the ugly: A study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering 45, 5 (2019), 521--536.
  17. Yolanda Gil and Donovan Artz. 2007. Towards content trust of web resources. Web Semantics: Science, Services and Agents on the World Wide Web 5, 4 (2007), 227--239.
  18. Deborah L. Gladstein and Nora P. Reilly. 1985. Group decision making under threat: The tycoon game. Academy of Management Journal 28, 3 (1985), 613--627.
  19. Mark Gondree and Zachary N. J. Peterson. 2013. Valuing security by getting [d0x3d!]: Experiences with a network security board game. In Proceedings of the 6th Workshop on Cyber Security Experimentation and Test (CSET’13). 8.
  20. Lawrence A. Gordon and Martin P. Loeb. 2002. The economics of information security investment. ACM Transactions on Information and System Security 5, 4 (2002), 438--457.
  21. ISO/IEC. 2013. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements. ISO/IEC. https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
  22. Information Technology Laboratory (ITL), National Institute of Standards and Technology. 2015. NIST Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. Technical Report. NIST.
  23. Mohammad S. Jalali, Michael Siegel, and Stuart Madnick. 2019. Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment. Journal of Strategic Information Systems 28, 1 (2019), 66--82.
  24. Ann C. Keller, Chris K. Ansell, Arthur L. Reingold, Mathilde Bourrier, Mark D. Hunter, Sahai Burrowes, and Theresa M. MacPhail. 2012. Improving pandemic response: A sensemaking perspective on the spring 2009 H1N1 pandemic. Risk, Hazards & Crisis in Public Policy 3, 2 (2012), 1--37.
  25. Kari Kelton, Kenneth R. Fleischmann, and William A. Wallace. 2008. Trust in digital information. Journal of the American Society for Information Science and Technology 59, 3 (2008), 363--374.
  26. James Kendra and Tricia Wachtendorf. 2006. The Waterborne Evacuation of Lower Manhattan on September 11: A Case of Distributed Sensemaking. Disaster Research Center.
  27. Martin G. Kocher and Matthias Sutter. 2006. Time is money: Time pressure, incentives, and the quality of decision-making. Journal of Economic Behavior & Organization 61, 3 (2006), 375--392.
  28. Gary McGraw. 1997. Testing for security during development: Why we should scrap penetrate-and-patch. In Proceedings of the 12th Annual Conference on Computer Assurance (COMPASS’97). IEEE, Los Alamitos, CA, 117--119.
  29. Andrew M’manga, Shamal Faily, John McAlaney, and Christopher Williams. 2017. Folk risk analysis: Factors influencing security analysts’ interpretation of risk. In Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS’17).
  30. Tyler Moore, Scott Dynes, and Frederick R. Chang. 2015. Identifying How Firms Manage Cybersecurity Investment. Technical Report. Darwin Deason Institute for Cybersecurity, Southern Methodist University. http://blog.smu.edu/research/files/2015/10/SMU-IBM.pdf
  31. John R. Morelock and Zachary Peterson. 2018. Authenticity, ethicality, and motivation: A formal evaluation of a 10-week computer security alternate reality game for CS undergraduates. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE’18). 11.
  32. Sai T. Moturu and Huan Liu. 2011. Quantifying the trustworthiness of social media content. Distributed and Parallel Databases 29, 3 (2011), 239--260.
  33. National Bureau of Standards. 1975. Guideline for Automatic Data Processing Risk Analysis. Federal Information Processing Standards Publication (FIPS PUB) 65.
  34. Jason R. C. Nurse, Sadie Creese, Michael Goldsmith, and Koen Lamberts. 2011. Trustworthy and effective communication of cybersecurity risks: A review. In Proceedings of the 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST’11). IEEE, Los Alamitos, CA, 60--68.
  35. Cabinet Office. 2011. Keeping the Country Running: Natural Hazards and Infrastructure. Cabinet Office.
  36. Alison J. Pickard, Pat Gannon-Leary, and Lynne Coventry. 2010. Trust in ‘E’: Users’ trust in information resources in the web environment. In Proceedings of the International Conference on ENTERprise Information Systems. 305--314.
  37. Rex Kelly Rainer Jr., Charles A. Snyder, and Houston H. Carr. 1991. Risk analysis for information technology. Journal of Management Information Systems 8, 1 (1991), 129--147.
  38. Ortwin Renn. 1998. The role of risk perception for risk management. Reliability Engineering & System Safety 59, 1 (1998), 49--62.
  39. Ortwin Renn. 2008. Risk Governance: Coping with Uncertainty in a Complex World. Routledge.
  40. John R. Searle, Ferenc Kiefer, and Manfred Bierwisch (Eds.). 1980. Speech Act Theory and Pragmatics. Vol. 10. Springer.
  41. Adam Shostack. 2014. Elevation of privilege: Drawing developers into threat modeling. In Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE’14).
  42. Paul Slovic. 1987. Perception of risk. Science 236, 4799 (1987), 280--285.
  43. Joseph St. Germain and Gershon Tenenbaum. 2011. Decision-making and thought processes among poker players. High Ability Studies 22, 1 (2011), 3--17.
  44. William H. Starbuck and Frances J. Milliken. 1988. Executives’ perceptual filters: What they notice and how they make sense. In The Executive Effect: Concepts and Methods for Studying Top Managers, D. Hambrick (Ed.). JAI Press, 33--65.
  45. Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, and Michelle L. Mazurek. 2018. The battle for New York: A case study of applied digital threat modeling at the enterprise level. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). 621--637.
  46. Detmar W. Straub and Richard J. Welke. 1998. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22, 4 (1998), 441--469.
  47. Lucy Suchman. 2007. Human-Machine Reconfigurations. Cambridge University Press.
  48. Ping An Wang and Easwar Nyshadham. 2011. Knowledge of online security risks and consumer decision making: An experimental study. In Proceedings of the 2011 44th Hawaii International Conference on System Sciences (HICSS’11). IEEE, Los Alamitos, CA, 1--10.
  49. Karl E. Weick. 1993. The collapse of sensemaking in organizations: The Mann Gulch disaster. Administrative Science Quarterly 38 (1993), 628--652.
  50. Karl E. Weick. 1995. Sensemaking in Organizations. Vol. 3. Sage.
  51. Darius Wiles and Dave Dugal. 2015. Common Vulnerability Scoring System v3.0: Specification Document. Technical Report. FIRST.
  52. Yan Xu, Evan Barba, Iulian Radu, Maribeth Gandy, and Blair MacIntyre. 2011. Chores are fun: Understanding social play in board games for digital tabletop game design. In Proceedings of the 2011 DiGRA International Conference.

Published in

  ACM Transactions on Privacy and Security, Volume 24, Issue 1, February 2021, 191 pages
  ISSN: 2471-2566
  EISSN: 2471-2574
  DOI: 10.1145/3426975
  Copyright © 2020 ACM
  Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

  • Received: 1 September 2019
  • Revised: 1 August 2020
  • Accepted: 1 August 2020
  • Published: 8 November 2020
