Behavioral Economics and Risk Management in Cybersecurity.

Updated: Jan 11, 2021

In 1979, Daniel Kahneman and Amos Tversky won the Nobel Prize for their work studying how people make decisions that involve risk and uncertainty. What they discovered was that when people were presented with a potentially large gain, they were more likely to avoid taking large risks. But when people were presented with a potentially large loss, they were more inclined to take the risk.

Here's what they did.

In a human behavior experiment, Kahneman and Tversky divided the subjects in a room into two groups.

Group A. They asked the first group of subjects to choose between two alternatives:

  1. 100% chance of winning $500

  2. 50% chance of winning $1000

Group B. They asked the second group of subjects to choose between two alternatives:

  1. 100% chance of losing $500

  2. 50% chance of losing $1000

The results are interesting.

When faced with a win, about 85% of respondents chose the guaranteed smaller gain (100% chance winning $500) over the risky larger gain (50% chance of winning $1000).

When faced with a loss, about 70% chose the risky larger loss (50% chance of losing $1000) over the guaranteed smaller loss (100% chance of losing $500).

Here's what that looks like plotted on a graph.

So what does this have to do with information security?

Classical economics makes the assumption that business leaders are making perfectly rational decisions. Behavioral economics flips that and shows that we live in a world full of uncertainty where people don't always make rational decisions. Prospect Theory heavily influenced the development of FAIR (Factor Analysis of Information Risk) as part of risk management strategy.

To contextualize the findings of Kahneman and Tversky, we first have to understand that many business leaders view cybersecurity as a cost center for the organization. It's a flawed perspective that still persists even in some larger organizations with more mature security postures.

To a business leader, investing in cybersecurity is a choice between a small guaranteed loss — the cost of buying information security products and services — and a large risky loss: for example, experiencing a high impact security incident such as ransomware or a data breach.

What Prospect Theory tells us is that business leaders, faced with a choice between a certain small loss and a possible large one, are more likely to accept greater cybersecurity risk even when exposure to dangerous threats and significant losses exists.

So what should you do?

At the highest level, it's important to change the company culture so that cybersecurity is viewed as cost avoidance. By shaping opinion at the top about the risk exposure, threats and likelihood of impact, a security champion will get the support they need from the business team to further protect the organization from a high impact security incident.
