Article

Part 1: Management attention and cyber risk posture

Cyber Risk Management

February 19, 2021

We explore management attention’s role in defining cyber risk posture and whether it is a predictor for future cyber events.

Cyberattacks, ransomware and other malicious cyber events continue to proliferate across the corporate landscape. Hacking reached new depths in 2020 with the recent malware infiltration through the SolarWinds Orion network security software distribution.1 Organizations face the daunting task of navigating the intricacy of adopting complex systems, cloud computing and enterprise cybersecurity strategies. This mission falls to Chief Information Security Officers (CISOs) and security teams, who must simultaneously seek support from management counterparts increasingly torn between competing priorities that carry more easily justifiable bottom-line benefits. Cybersecurity is seen as a necessary evil rather than as a conduit to success. While the evolution of cyber risk quantification (to substantiate cybersecurity investments) is still in its infancy, the human factor of cybersecurity (employees, management attention and culture) has become a cyberthreat in and of itself. This concern is made even more real as our global attack surface continues to expand exponentially.

Even the best laid enterprise security plans must work in conjunction with people and the organizational culture. Technical precautions will only secure an organization so far if employees are not trained in defined security policies and procedures. Similarly, where managers’ attention is focused on other performance goals, focus on cybersecurity may wane. In an environment where management feels the launch of a new business or the completion of an impending merger is critical to the attainment of financial goals for investor and street interpretation, cybersecurity, while verbally communicated as important by management, could receive less focus and lack the action demonstrated for those other initiatives. Managers often aim for what they deem a satisfactory or adequate solution. Instead of exerting maximum effort toward choosing and implementing an optimal solution, they will likely focus on implementing a solution that may address symptoms rather than the root cause. These actions represent satisficing at its best. What is new is the limited awareness of the potential impact of management attention on cybersecurity.

With this in mind, we explore management attention’s role in defining an organization’s cyber risk posture and whether the level of that attention serves as a predictor for an impending cyber event. We seek to answer the following questions: Will increased management attention contribute to the reduction in an organization’s cyber risk exposure? Does management’s attention to cyber risk represent a predictor of whether a cyberattack is imminent? Can an organization assess its attention to cyber risk and its true cyber exposure? If management attention correlates to the occurrence of cyber events, what can be done to address the situation?

Management attention to cyber risk exposure

Herbert Simon, in his research on management decision-making,2 pointed out that when there is a vast availability of information, attention becomes the scarcer resource, because human beings are incapable of digesting all the information. Attention is limited by the processing power of the brain. The brain can barely comprehend two people speaking at one time, let alone manage decisions between 1000 different investments.3 Limitations in our ability to manage attention are visible in everyday life: driving reflexes are impaired when we simultaneously text. Attention is also limited by the resources available to the neurons in the brain. While those neurons enable humans to maintain focus, all processed information contributes to mental fatigue, and taking in too much information can impair decision-making. In applying this concept to cybersecurity, it is important to understand that ensuring cybersecurity is part of a management agenda does not guarantee that it will receive the same level of attention as another agenda item, say a merger, an acquisition or the development of a new business. This phenomenon is amplified even further when the person receiving the information does not fundamentally understand the subject area or the subject’s connection with the area they oversee.

Management attention represents the logic of acting on the right initiatives for the right reasons at the right time for an organization. It represents dedicated and concentrated focus on a specified subject. The need to measure cyber risk exposure and implement optimal mitigating cybersecurity practices must become essential in the minds of the management team making underlying resource decisions.

A recent article suggests that there are four main reasons why management attention is lacking in cybersecurity4:

1) Lack of clear communication channels: creating a group of internal stakeholders becomes challenging as businesses scale their operations.

2) Inability to effectively communicate risk: the C-suite focuses on business objectives such as revenue, product delivery, and customer service, while the IT and security teams focus on mitigating the cybersecurity risks that come with the IT tools enabling those business objectives.

3) Existing visibility gaps into third-party risk: even when IT and security staff manage to break down silos and effectively tie cyber risk to business objectives, many lack the tools necessary to provide visibility into the risks inherent across the company’s IT ecosystem.

4) Inability to connect IT security costs to the revenue stream: C-suite members may lack information positively connecting IT security costs to increased revenue.

For many organizations, while the C-suite has the sole mission of increasing revenue, budgetary constraints often leave cybersecurity teams lacking the tools necessary to effectively do their jobs, such as protecting data. Although management perception of cyber exposure is real, likely because of the rampant business interruption ransomware attacks that have taken place over the last 12 months, mitigating actions to address vulnerabilities are being adopted more slowly than attacks are occurring. As per Yampolskiy, “the real issue underlying what superficially appears to be C-suite lack of attention is often the inability to engage in effective and meaningful communication about cybersecurity risk and threat mitigation strategies.”

Cyert and March’s behavioral management theory5 suggested that managers’ biases impact their decisions, including Simon’s satisficing phenomenon.6 Subsequently, Argote and Greve7 developed the notion of the “black box” of the internal workings of organizations. These internal workings include the concept of decisions in organizations made by collections of individuals with different interests, experiences, and identities. Such differences lead to compromises that are negotiated by groups rather than the optimization of profits or sales. They noted the need for evidentiary information to make the most prudent decisions but recognized that the acquisition of that information comes at a price. These factors influence all types of investment decisions, including investments related to implementation of mitigating cybersecurity controls.

Managers are keenly aware that decisions on any resource investment require well thought out reasoning, support, and management backing to be approved. Mitigating cybersecurity control investments need similar support to be approved and successfully implemented. In an environment where there are more investment opportunities than dollars available for investment, investments that lack clear quantifiable returns are extremely rare. Investments related to mitigating cybersecurity controls rarely show return on investment, but rather, can be shown to provide quantifiable return on control.8 Having strong decision support tools to support that quantification is key to approval of such investments.

Now that we better understand what management attention is, we can investigate these ideas further in Part 2 of this series: Management Attention’s Impact on Cyber Risk Posture and Practical Implications. We look at management attention and its relationship to cyber events, discuss historical cyber risk assessments, initiate our discussion about the benefits of cyber risk quantification, and discuss actionable recommendations to improve the cyber risk posture of the organization.

Footnotes

1 Krebs, B. 2021. SolarWinds: What hit us could hit others. Krebs on Security. https://krebsonsecurity.com/2021/01/solarwinds-what-hit-us-could-hit-others/

2 Simon, H. A. 1982. Models of bounded rationality. MIT Press. https://books.google.com/books?hl=en&lr=&id=9CiwU28z6WQC&oi=fnd&pg=PA1&dq=models+of+bounded+rationality&ots=GLRL9ohCcd&sig=WyRIJCqsEF6QxZXEcG9q2X_Krk0#v=onepage&q=models%20of%20bounded%20rationality&f=false

3 Kahneman, D. 2003. Maps of Bounded Rationality: Psychology for Behavioral Economics. The American Economic Review, 93(5): 27. https://www.aeaweb.org/articles?id=10.1257/000282803322655392

4 Yampolskiy, A. 2020. 4 Reasons why the C-Suite isn't paying attention to cybersecurity. SecurityScorecard. https://securityscorecard.com/blog/reasons-the-c-suite-isnt-paying-attention-to-cybersecurity

5 Cyert, R. M. & March, J. G. 1963. A behavioral theory of the firm. Englewood Cliffs, N.J.: Prentice-Hall.

6 Simon, H. A. 1947. Theories of Bounded Rationality. Decision and Organization, Chapter 8: 161-176. http://innovbfa.viabloga.com/files/Herbert_Simon___theories_of_bounded_rationality___1972.pdf

7 Argote, L. & Greve, H. R. 1963. A Behavioral Theory of the Firm: 40 Years and Counting - Introduction and Impact. Organization Science, 18(3): 337-349.

8 Hubbard, D. W. & Seiersen, R. 2016. How to measure anything in cybersecurity risk (1 ed.). Hoboken, New Jersey: Wiley. https://onlinelibrary.wiley.com/doi/book/10.1002/9781119162315

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed subsidiaries of Willis North America Inc., including Willis Towers Watson Northeast Inc. (in the United States) and Willis Canada, Inc.
