
Why Executives Underinvest In Cybersecurity


Learn how to get around the misguided thinking that leads executives to underinvest in cybersecurity, and secure the resources you need. You'll learn how to:
- Work around CEO and CFO human biases
- Motivate decision makers to invest more in cyber infrastructure
- Replace your CEO’s mental model with new success metrics
- Compare your company’s performance with similar firms to overcome executive overconfidence

Watch the full video recording!


  1. WHY EXECUTIVES UNDERINVEST IN CYBERSECURITY: A Behavioral Science Perspective. HackerOne + ideas42 Webinar | October 10, 2017
  2. © 2017 ideas42. We use insights from the behavioral sciences to design solutions to some of the world’s most persistent social problems. What is ?
  3. WHAT WE’LL COVER TODAY • Dive into why executives underinvest in cybersecurity • Examine using the lens of behavioral science • Point to steps security executives and professionals can take to motivate decision makers to invest more in cybersecurity
  4. WE DID OUR RESEARCH! 60+ Expert Interviews • 120+ Research Articles
  5. A QUICK PRIMER ON BEHAVIORAL SCIENCE odd choice.
  6. 4 behavioral reasons why executives underinvest in cybersecurity and what you can do about it
  7. 1. Thinking about risk differently
  8. PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS. CISO: "They aren’t making patches for these legacy servers anymore, so we can’t update the firmware, leaving us open to attack. They should be replaced as soon as possible." CEO: "What does that have to do with the price of codfish in China?"
  9. PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS. CISO: Risks to security infrastructure • CEO: Risks to the organization as a whole
  10. SOLUTION: REFRAME RISKS IN VIVID TERMS FOR EXECUTIVES. Cyber Problem: Legacy servers are unpatched and need to be replaced or else risk an attack. TRANSLATION. Org Problem: Legacy servers are where the accounting system lives, and if that goes down we’ll lose all our financial data.
  11. SOLUTION: REFRAME RISKS IN VIVID TERMS FOR EXECUTIVES. Cyber Problem: Legacy servers are unpatched and need to be replaced or else risk an attack. TRANSLATION. Org Problem: Legacy servers are where the accounting system lives, and if that goes down we’ll lose all our financial data. "Ok, take my $$$"
  12. 2. Opposing mental models
  13. PROBLEM: OPPOSING MENTAL MODELS. Chaos and complexity • Simplified mental model
  14. PROBLEM: OPPOSING MENTAL MODELS. Simplified mental model • Supports quick thinking • Organize and integrate new information • Make predictions about the future changes • Influence attention
  15. PROBLEM: OPPOSING MENTAL MODELS. How a security expert thinks about cybersecurity • How the CEO thinks about cybersecurity
  16. PROBLEM: OPPOSING MENTAL MODELS. How a security expert thinks about cybersecurity • How the CEO thinks about cybersecurity
  17. SOLUTION: REFRAME METRICS FOR SUCCESS. MITIGATION: Success == No breaches. MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them
  18. SOLUTION: REFRAME METRICS FOR SUCCESS. MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them • Focus is no longer on system, but on process • In addition to detection, core competencies now also include identification and remediation
  19. 3. Overconfidence in current investments
  20. PROBLEM: OVERCONFIDENCE IN INVESTMENTS. [Chart: "Is your cybersecurity program better than average?", Yes vs. No, titled "Overconfidence Much?"] 46% of surveyed CISOs believed that their company was investing enough, but only 7% believed that their peers were.* (*Moore, T., Dynes, S., & Chang, F. R. (2016). Identifying how firms manage cybersecurity investment. University of California, Berkeley.)
  21. PROBLEM: OVERCONFIDENCE IN INVESTMENTS. Context: Standards • Context: Bad Feedback Systems
  22. SOLUTION: CLEAR BENCHMARKING. How’s my cybersecurity program? [Chart: scale from 0% to 100% showing your company’s score, the average score in your domain, and the top 10% in your domain] • Baseline against similar firms • Poll other firms about their own practices • Poll peers about how well your own firm is doing relative to others • Integrate others’ best practices
  23. 4. Attention is on the wrong things
  24. PROBLEM: ATTENTION IS ON WRONG THINGS. Unhelpful Mental Models • Availability Bias
  25. PROBLEM: ATTENTION IS ON WRONG THINGS. Attention
  26. SOLUTION: BREAK THE SYSTEM • Pentesting and bug bounty programs • Make key decision makers the victims of internally initiated (and safe) attacks
  27. To summarize…
  28. FOUR KEY TAKEAWAYS FOR INCREASING EXECUTIVE INVESTMENT IN CYBER • Vividly connect cyber risks to organizational risks for execs • Use process metrics as opposed to outcome metrics to “fix” executives’ mental models about cyber programs • Survey your peers to help curb overconfidence • Break the system (with help)!
  29. TO LEARN MORE! Check out: Deep Thought: A Cybersecurity Story at ideas42.org/cyber • Check out: The Behavioral Economics of Why Executives Underinvest in Cybersecurity at HBR.org
  30. THANK YOU! ablau@ideas42.org
  31. Q&A
