Decision-making and biases in cybersecurity capability development: Evidence from a simulation game experiment

We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performance...

Full description

Bibliographic Details
Main Authors: Jalali, Seyed Mohammad Javad, Siegel, Michael D, Madnick, Stuart E
Other Authors: Sloan School of Management
Format: Article
Published: Elsevier 2019
Online Access:http://hdl.handle.net/1721.1/120555
https://orcid.org/0000-0001-6769-2732
https://orcid.org/0000-0001-9240-2573
Description
Summary:We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity. Keywords: Cybersecurity; Decision-making; Simulation; Capability development