Project summary

Despite an increase in cybersecurity breaches around the world, most decisions made in this field by organisations are based on sub-optimal, misaligned information coming from different sources. In this project, we aim to bring some order to this ‘chaos’ by: 1) unveiling the dynamics of decision-making in cybersecurity (what data/information are utilised, how they are collected and analysed, etc.); 2) proposing an innovative framework for informed cybersecurity decision-making; and 3) testing our framework with end-users. To do this, we will engage with organisational leaders who have influence on their companies’ cybersecurity decisions. These will include CIOs, CISOs, CEOs, CFOs, etc.


Project description

How do businesses make decisions regarding core cybersecurity issues? How should they do so? What information is needed to make good decisions? It is believed that decision-makers in businesses often make uninformed decisions regarding cybersecurity investments, misunderstand the role of insurance, and over- or underestimate the risks of a cybersecurity incident arising and how well prepared their business is to respond to that incident. Practitioners and researchers have been emphasising the need to better understand the business implications of decision-making in cybersecurity. However, the rising importance of information security ‘from the basement to the boardroom’ (Schinagl & Shahim, 2020) has not brought appropriate and easy-to-use decision support tools and techniques for board members and other organisational leaders with varying cybersecurity knowledge (Abu-Musa, 2010; Mishra, 2015). As a result, no agreed-upon mechanism exists that allows decision-makers in organisations to take informed decisions on core cybersecurity issues: what security controls should be in place, what is the optimal level of cybersecurity investment, whether cyber-insurance is required, what are the top cybersecurity risks that need to be mitigated, etc. Further, the influence that cyber-insurance has on decisions regarding the level of investment in preventing incidents is not well understood. For example, if a business is well insured, does the business then deliberately or subconsciously under-invest in practical cyber-security defences? Does the business know that it may be doing so?

In this project, we aim to achieve three goals, in three corresponding phases:

1) building the empirical knowledge base to understand how modern private and public sector organisations make cybersecurity decisions: what data/information do they use; what key organisational leaders are involved; what limitations do they see in their practices, etc.

2) designing a customisable framework to guide organisational cybersecurity decision-making based on the findings from phase 1);

3) testing the framework designed in phase 2 with end-users.

To achieve our goals, we will adopt the following research and engagement methods:

1) Building the empirical knowledge base:

- A survey aimed at casting light on the dynamics associated with cybersecurity decision-making (n=250);

- Semi-structured interviews with cybersecurity leaders, other executives, and board members (n=~7 per organisation; a total of 6 organisations);

- Document analysis (a total of 6 organisations).

2) Designing a customisable framework:

- Two design-led workshops involving the research team and other invited subject matter experts (duration max. 2.5 hours per workshop).

3) Testing with end-users:

- Email and other communication means (e.g., Zoom meetings, etc.) to gain feedback on the customisable framework from participants in phase 1 (at least 10 tests).

This project presents an innovative set of methods, where quantitative approaches (e.g., the initial survey) will be coupled with qualitative ones (e.g., semi-structured interviews) for deeper investigation. In line with 'research that produces an impact,' this project will adopt a Design Science approach (Gregor & Hevner, 2013) to produce a framework for enhanced cybersecurity decision-making, co-designed based on end-users' input.




Partner organization(s)

Avertro

Project members

Lead investigator:

Dr Ivano Bongiovanni

Senior Lecturer
School of Business
General Manager, AusCERT
Information Technology Services

Other investigator(s):

Dr Richard O'Quinn

Lecturer in Management & Leadership
School of Business

Professor Ryan Ko

Chair & Director - Cyber Security
School of Electrical Engineering and Computer Science

Professor John Swinson

Professor
TC Beirne School of Law