Decision-Makers’ Understanding of Cyber-Security’s Systemic and Dynamic Complexity: Insights from a Board Game for Bank Managers

Abstract: Cyber-security incidents show how difficult it is to make optimal strategic decisions in such a complex environment. Given that it is hard for researchers to observe organisations’ decision-making processes driving cyber-security strategy, we developed a board game that mimics this real-life environment and shows the challenges of decision-making. We observed cyber-security experts participating in the game. The results showed that decision-makers who performed poorly tended to employ heuristics, leading to fa… Show more

“…They are static and thus do not account for the dynamic nature of cyber risk (Falco et al, 2019;Homeland Security 2018). The dynamic nature of cyber risk can be recognized in, for instance, evolving adversary tactics and skills, shifting organizational priorities, emerging security events, changing budgets, and new technology (Zeijlemaker, 2022). The complex dynamic nature of cyber risks cannot be covered by traditional risk management approaches (Lambert et al, 2013;Linkov et al, 2014).…”

“…The purpose of this is to explore how simulation techniques can augment the static approaches for cyber risk management decisionmaking. System Dynamics has rarely been used in the field of cyber risk (Jalili, 2019;Zeijlemaker, 2022).…”

“…Figure 1. Dynamic risk management in terms of performance behavior over time (Zeijlemaker, 2022) Figure 1 (Zeijlemaker, 2022) shows the past and future behavior of a performance indicator that is expected to go outside the risk appetite boundary under the current policies. Timely risk management policy interventions (risk mitigation) bring the performance within these boundaries (acceptable risk appetite).…”

“…(1) the adversary achieves his goals and continues to do this (Huang et al, 2019) and (2) conjugation effect (Baldwin et al, 2016), and (3) word-of-mouth effect mobilize more adversaries to attack (Zeijlemaker 2022). Prevented attacks contribute to adversaries' innovation (long-term effect) or attacking other targets (short-term effect) (Zeijlemaker 2022). For the defender, there is an opposite effect.…”

“…Ultimately, the adversary may reach the asset base of the defender. In terms of cyber risk, assets go through four different stages (Jalili et al, 2019;Sepulveda Estay, 2021;Zeijlemaker, 2022): (1) susceptible assets that are compromised by the adversary become an unknown compromised asset, (2) after detection, unknown compromised assets become known compromised assets, (3) responsive actions by the defender mitigate the effects of the attack and become resolved assets, and (4) resolved assets are packed in production as susceptible assets. In this sequence, isolation is important for limiting adversary activities (Torres, 2014) because unknown compromised assets can compromise more susceptible assets due to lateral movement or automated epidemic malware properties (e.g., worms).…”

Capturing the Dynamic Nature of Cyber Risk: Evidence from an Explorative Case Study

“…They are static and thus do not account for the dynamic nature of cyber risk (Falco et al, 2019;Homeland Security 2018). The dynamic nature of cyber risk can be recognized in, for instance, evolving adversary tactics and skills, shifting organizational priorities, emerging security events, changing budgets, and new technology (Zeijlemaker, 2022). The complex dynamic nature of cyber risks cannot be covered by traditional risk management approaches (Lambert et al, 2013;Linkov et al, 2014).…”

“…The purpose of this is to explore how simulation techniques can augment the static approaches for cyber risk management decisionmaking. System Dynamics has rarely been used in the field of cyber risk (Jalili, 2019;Zeijlemaker, 2022).…”

“…Figure 1. Dynamic risk management in terms of performance behavior over time (Zeijlemaker, 2022) Figure 1 (Zeijlemaker, 2022) shows the past and future behavior of a performance indicator that is expected to go outside the risk appetite boundary under the current policies. Timely risk management policy interventions (risk mitigation) bring the performance within these boundaries (acceptable risk appetite).…”

“…(1) the adversary achieves his goals and continues to do this (Huang et al, 2019) and (2) conjugation effect (Baldwin et al, 2016), and (3) word-of-mouth effect mobilize more adversaries to attack (Zeijlemaker 2022). Prevented attacks contribute to adversaries' innovation (long-term effect) or attacking other targets (short-term effect) (Zeijlemaker 2022). For the defender, there is an opposite effect.…”

“…Ultimately, the adversary may reach the asset base of the defender. In terms of cyber risk, assets go through four different stages (Jalili et al, 2019;Sepulveda Estay, 2021;Zeijlemaker, 2022): (1) susceptible assets that are compromised by the adversary become an unknown compromised asset, (2) after detection, unknown compromised assets become known compromised assets, (3) responsive actions by the defender mitigate the effects of the attack and become resolved assets, and (4) resolved assets are packed in production as susceptible assets. In this sequence, isolation is important for limiting adversary activities (Torres, 2014) because unknown compromised assets can compromise more susceptible assets due to lateral movement or automated epidemic malware properties (e.g., worms).…”

Capturing the Dynamic Nature of Cyber Risk: Evidence from an Explorative Case Study

Facilitating learning at multiple levels with Systems Thinking‐assisted serious games: Insights from the SUSTAIN project

Playing the new devil’s advocate role in facilitated modelling processes to address group homogeneity