Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

•Increasing cyber risks demand proactive decisions for cybersecurity development.•Significant delays exist in building capabilities for mitigating cyber incidents.•Management experience alone does not compensate for uncertainties of events.•Training is vital to learning about complexities and making...

Full description

Saved in:
Bibliographic Details
Published in:The journal of strategic information systems Vol. 28; no. 1; pp. 66 - 82
Main Authors: Jalali, Mohammad S., Siegel, Michael, Madnick, Stuart
Format: Journal Article
Language:English
Published: Kidlington Elsevier B.V 01-03-2019
Elsevier Science SA
Subjects:
Capability development
Cybersecurity
Decision making
Iterative methods
Simulation
Studies
Uncertainty
Decision-making
Capability development
Cybersecurity
Simulation
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:•Increasing cyber risks demand proactive decisions for cybersecurity development.•Significant delays exist in building capabilities for mitigating cyber incidents.•Management experience alone does not compensate for uncertainties of events.•Training is vital to learning about complexities and making proactive decisions.•Management flight simulators prove to be effective training tools. We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.
ISSN:0963-8687
1873-1198
DOI:10.1016/j.jsis.2018.09.003