“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

ACM Transactions on Privacy and Security (2020)

Citations: 9 | Views: 24
Abstract

Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision makers’ risk thinking—their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first. Our work highlights that risk-first approaches (as prescribed by the likes of NIST-800-53 and ISO 27001) are followed neither substantially nor exclusively when it comes to decision making. Instead, our analysis finds that decision making is affected by the plasticity of teams—that is, the ability to readily switch between ideas and practising both risk-first and opportunity-first reasoning.
Keywords
Decision making, cyber security, cyber security professions