The Behavioral Economics of Why Executives Underinvest in Cybersecurity

Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. The digital threat landscape changes constantly, and it’s very difficult to know the probability of any given attack succeeding — or how big the potential losses might be. Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation. In the absence of good data, decision makers must use something less than perfect to weigh the options: their judgment.
Human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary. These mental models treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. Our research points to three steps that security executives and other cybersecurity professionals can take to work around CEOs’ human biases and motivate decision makers to invest more in cyber infrastructure:

Appeal to the emotions of financial decision makers.

Replace your CEO’s mental model with new success metrics.

Survey your peers to help curb overconfidence.

By turning the lens of behavioral science onto cybersecurity challenges, CISOs can identify new ways to approach old problems, and maybe improve their budgets at the same time.