Board Conversations: Is boardroom cyber risk decision-making hostage to groupthink and cognitive bias?


By Denson Todd, Director of Cyber Risk Services, SSIC

Have you ever made up your mind before you actually thought about the decision, or even heard the question? Of course. We all have. Every day we make decisions with little or no information, relying on past experience and on the preconceived biases we carry from that experience. These are common and, frankly, necessary human behaviors: to make quick daily decisions with limited information, we have to lean on prior decisions and experiences. If we do this as individuals, we should expect that the individuals who make up a boardroom are no different.

I recently read a very interesting article on behavioral economics and the banking crisis of the last decade. The concepts expressed there relate very well to cyber risk. One section in particular caught my attention:

“One could say that the financial crisis of 2008-2009 was in large measure a function of poor strategic decisions collectively by consumers, investors and financial institution management. Ultimately, the risky products distributed across an increasingly interconnected financial system were borne out of executive committee and boardroom discussions in the years leading up to the crisis. Unfortunately, many of those discussions were hijacked by a collection of management cognitive biases that greatly amplified risk-taking.” (Global Association of Risk Professionals)

This raises the question: how will the decisions executive committees and boards make today on business risk and cybersecurity shape the future of their businesses? Are boards setting their companies up to succeed in today’s interconnected world? Or are current decisions, and the cognitive biases behind them, setting the stage for a future cyber risk crisis much like the banking crisis?

Below are a few of the parallels I can readily draw between behavioral economics and cyber risk:

  • Security process biases
  • Security product biases
  • Groupthink about security that affects decision-making
  • Use of data to justify decisions that have already been made
  • Information gaps that lead leaders to fall back on gut feeling
  • Lack of empirical data to support complex decision-making and problem solving
  • Strategic decisions made in an environment of limited information

I suggest an exercise for both individuals and business leaders. Gather and trend, side by side, the subjective security data available at the executive level (for example, self-assessments or leadership’s own ratings of security maturity) and the objective data points (for example, output from monitoring devices or third-party risk assessments). Where the two diverge, you have a candidate area in which executive management’s understanding of cybersecurity and business risk may be shaped by cognitive bias rather than evidence. The point is to surface discrepancies between the subjective and objective pictures, because those discrepancies tend to coincide with areas where leadership shares a confident consensus that the empirical data does not support. Keep in mind that the objective side has limits too: monitoring only reports on what is instrumented, and a third-party assessment reflects its scope and the day it was performed, so a gap is a prompt for a closer look rather than a verdict on its own.

I know, this is not a simple or easy undertaking. You may already have decided not to make the effort, a snap decision made right after reading the title. It is never easy to change your way of thinking, and it is even harder when that thinking belongs to a collective group of business leaders. However, understanding the biases that shape your decision-making, and why those biases exist, could help you avoid a future cyber crisis.