Mis-spending on information security measures: Theory and experimental evidence

Research at Oxford University discovered that many companies tend to invest heavily in protective cybersecurity measures, but less so in detection and response capabilities. We wrote in an article: “Every company had made prior investments to protect against cyber attacks but to a lesser extent to plan cyber-responses.” But we didn’t study the underlying reasons for that.

It turns out that there is a cognitive element to it. A recent academic study performed laboratory experiments to find out the reasons for inefficiencies in cybersecurity spending. In those experiments, decision makers had to play economic games that featured typical characteristics of cybersecurity problems. The study found several cognitive biases in investment decisions.



  • Similar to other domains that involve risk (such as healthcare), investing in prevention has traditionally accounted for the lion’s share of spending, taking as much as 80% of budgets.
  • But cyber attacks are almost impossible to prevent, which makes investment in detection, response, and recovery more important.
  • Despite recent movement towards spending more on detection and response, evidence suggests security spending is still biased towards prevention.
  • But why is that? To investigate, a group of academics set up laboratory experiments that use economic games.


  • Participants were given real money they could keep but had to protect during an experimental task that consisted of three economic games. In the first game, participants could invest in a preventive product; in the second game they could invest in detection and response products; and in the third game they could invest in a mix of the two.
  • These three games were matched with a “productivity function”, which serves to measure the effectiveness of a security product.


  • Interestingly, all participants tended to overinvest in security measures, that is, they invested more than what would have been optimal.
  • Participants also invested in mitigating small, immaterial risks, although that investment would not have been economically warranted.
  • And lastly, participants tended to invest 30%–60% more in prevention relative to detection and response, giving rise to what the authors coin a “prevention bias”. That tendency to overinvest in prevention tended to increase as risk increased.


Why does this matter for businesses?

  • The study suggests that overinvestment in cybersecurity prevention stems from cognitive biases – systematic patterns of deviation from rationality in judgement.
  • Many executives ask themselves whether they are spending the right amount on the right things. This controlled experiment suggests that they probably aren’t – although admittedly, the prescriptive value of the study is limited.
