Research at Oxford University discovered that many companies tend to invest heavily in protective cybersecurity measures but less so in detection and response capabilities. We wrote in an article: “Every company had made prior investments to protect against cyber attacks but to a lesser extent to plan cyber-responses.” But we didn’t study the underlying reasons for that. 

It turns out that there is a cognitive element to that. A recent academic study performed laboratory experiments to find out the reasons for inefficiencies in cybersecurity spending. In those experiments, decision-makers had to play economic games that featured typical characteristics of cybersecurity problems. The study found several cognitive biases in investment decisions.

Summary:

  • Similar to other domains that involve risk (such as healthcare), investing in prevention has traditionally accounted for the lion’s share of spending, taking as much as 80% of budgets.
  • But cyber attacks are almost impossible to prevent, which makes investment in detection, response, and recovery more important.
  • Despite recent movement towards spending more on detection and response, evidence suggests security spending is still biased towards prevention.
  • But why is that? To investigate, a group of academics set up laboratory experiments that use economic games.

Methodology:

  • Participants were given real money they could keep but had to protect during an experimental task that consisted of three economic games. In the first game, participants could invest in a preventive product; in the second game, they could invest in detection and response products; and in the third game they could invest in a mix of the two.
  • These three games were matched with a “productivity function”, which serves to measure the effectiveness of a security product.

Results:

  • Interestingly, all participants tended to overinvest in security measures, that is, they invested more than what would have been optimal.
  • Participants also invested in mitigating small, immaterial risks, although investment would not have been economically warranted.
  • Lastly, participants tended to invest 30%–60% more in prevention relative to detection and response, giving rise to what the authors coin a “prevention bias”. That tendency to overinvest in prevention tended to increase as risk increased.


Why does this matter for businesses?

  • The study suggests that overinvestment in cybersecurity prevention stems from cognitive biases – the systematic pattern of deviation from rationality in judgement.
  • Many executives ask themselves whether they are spending the right amount on the right things. This controlled experiment suggests that they probably aren’t – although, admittedly, the prescriptive value of the study is limited.
