A Behavioral Science Perspective
WHY EXECUTIVES UNDERINVEST IN CYBERSECURITY
HackerOne + ideas42 Webinar | October 10, 2017
© 2017 ideas42 2
WHAT IS IDEAS42?
We use insights from the behavioral sciences to design solutions to some of the world’s most persistent social problems.
WHAT WE’LL COVER TODAY
• Dive into why executives underinvest in cybersecurity
• Examine the question through the lens of behavioral science
• Point to steps security executives and professionals can take to motivate decision makers to invest more in cybersecurity
WE DID OUR RESEARCH!
60+ expert interviews
120+ research articles
A QUICK PRIMER ON BEHAVIORAL SCIENCE
odd choice.
4 behavioral reasons why executives underinvest in cybersecurity, and what you can do about it
1. Thinking about risk differently
PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS
CISO: They aren’t making patches for these legacy servers anymore, so we can’t update the firmware, leaving us open to attack. They should be replaced as soon as possible.
CEO: What does that have to do with the price of codfish in China?
PROBLEM: DIFFERENT WAYS OF DESCRIBING AND THINKING ABOUT RISKS
CISO: Risks to security infrastructure
CEO: Risks to the organization as a whole
SOLUTION: REFRAME RISKS IN VIVID TERMS FOR EXECUTIVES
Cyber problem: Legacy servers are unpatched and need to be replaced or else risk an attack
TRANSLATION
Org problem: Legacy servers are where the accounting system lives, and if that goes down we’ll lose all our financial data
Ok, take my $$$
2. Opposing mental models
PROBLEM: OPPOSING MENTAL MODELS
Chaos and complexity
Simplified mental model
PROBLEM: OPPOSING MENTAL MODELS
A simplified mental model:
• Supports quick thinking
• Organizes and integrates new information
• Makes predictions about future changes
• Influences attention
PROBLEM: OPPOSING MENTAL MODELS
How a security expert thinks about cybersecurity
How the CEO thinks about cybersecurity
SOLUTION: REFRAME METRICS FOR SUCCESS
MITIGATION: Success == No breaches
MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them
SOLUTION: REFRAME METRICS FOR SUCCESS
MANAGEMENT: Success == Finding lots of vulnerabilities and fixing them
Focus is no longer on the system, but on the process.
In addition to detection, core competencies now also include identification and remediation.
3. Overconfidence in current investments
PROBLEM: OVERCONFIDENCE IN INVESTMENTS
Chart: Is your cybersecurity program better than average? (Yes / No) Overconfidence much?
46% of surveyed CISOs believed that their company was investing enough, but only 7% believed that their peers were.*
*Moore, T., Dynes, S., & Chang, F. R. (2016). Identifying how firms manage cybersecurity investment. University of California, Berkeley.
PROBLEM: OVERCONFIDENCE IN INVESTMENTS
Context: Standards
Context: Bad feedback systems
SOLUTION: CLEAR BENCHMARKING
How’s my cybersecurity program? (scale from 0% to 100%: your company’s score, the average score in your domain, the top 10% in your domain)
• Baseline against similar firms
• Poll other firms about their own practices
• Poll peers about how well your own firm is doing relative to others
• Integrate others’ best practices
4. Attention is on the wrong things
PROBLEM: ATTENTION IS ON WRONG THINGS
Unhelpful mental models
Availability bias
Attention
SOLUTION: BREAK THE SYSTEM
Pentesting and bug bounty programs
Make key decision makers the victims of internally initiated (and safe) attacks
To summarize…
FOUR KEY TAKEAWAYS FOR INCREASING EXECUTIVE INVESTMENT IN CYBER
1. Vividly connect cyber risks to organizational risks for execs
2. Use process metrics as opposed to outcome metrics to “fix” executives’ mental models about cyber programs
3. Survey your peers to help curb overconfidence
4. Break the system (with help)!
TO LEARN MORE!
Check out: Deep Thought: A Cybersecurity Story at ideas42.org/cyber
Check out: The Behavioral Economics of Why Executives Underinvest in Cybersecurity at HBR.org
THANK YOU!
ablau@ideas42.org
Q&A