Making sense of the unknown: How managers make cyber security decisions
01 Aug 2022
Managers rarely have deep knowledge of cyber security, and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of 7 teams of senior managers from the same organisation, as they complete the Decisions&Disruptions (D-D) cyber security exercise. We use Grounded Theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal-model (using iStar 2.0) of the teams’ dialogue which illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning which describes how these teams make their decisions, showing how each team member’s experience, intuition and understanding affect the team’s overall shared reasoning and decision-making.
Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security-specific training, they demonstrate reasoning which closely resembles the decision-making approaches espoused in cyber security-specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non-cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.
ACM Transactions on Software Engineering and Methodology