In business, people discuss serious topics like the bottom line and strategic planning, so it is assumed everyone is driven purely by data and makes rational choices based on evidence. In a business setting, people are considered rational actors, operating with self-control, always making optimal decisions.

3 Ways Security Is Impacted by Behavioral Economics

There is a human element behind people's decisions, yet in business, emotions are often ignored in favor of big data. Security is an area significantly impacted by behavioral economics. Since cybersecurity is a high-pressure field filled with ongoing incident management, behavioral economics theories can hamper security programs and throw risk-management road maps off course if security professionals aren't careful.

Mental Accounting

Mental accounting is a vein of behavioral economics that argues individuals think about money differently depending on circumstances. Mental accounting impacts cybersecurity because it can be onerous to obtain budget for risks that haven't materialized. Mental accounting might lead finance and other leaders to ask: "Why pay for something that might happen?" Cybersecurity leaders know planning is critical to protecting the business, and not purchasing appropriate tools will cause pain if a breach or security incident happens. As IBM reports, the average cost of a breach is $4.45 million; security leaders must frame their budgetary needs effectively to protect the business and to ensure they obtain adequate funds for breach response.

Sunk Cost Fallacies

The sunk cost fallacy can occur when cybersecurity professionals become too attached to their security road map rather than letting it be dynamic. When you develop a multiyear security road map, it is easy to become attached to it due to loss aversion. While delivering on a road map is critical from a security perspective, it's also essential to be open to shifts in the outline or original goals. University of Maryland researchers found hackers make cyberattack attempts every 39 seconds: clear evidence that security approaches and programs must adapt due to the frequency of attacks.

Availability Heuristics

Availability heuristic theory states that people often rely on quickly recalled information instead of data when evaluating a particular situation or outcome.

Recognizing Behavioral Economics in Cybersecurity

It's evident there is no way to avoid behavioral economics in cybersecurity; regardless of how much data people have, innate humanity still impacts them. Not only are security professionals affected by other departments' behavioral economics, they are also at risk of falling victim. Simply being aware that people are not robots that always make logical and calculated decisions can help limit behavioral economics' negative impact. Having visibility into how emotions impact work can enable cybersecurity professionals to more effectively drive security forward. Understanding availability heuristics, sunk cost fallacies, and mental accounting can help better frame security decisions as positive impacts to the bottom line. The more we understand behavioral economics, the more effectively we can present security-related investments and decisions as wins for profitability.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000