TY - JOUR
T1 - Making Sense of the Unknown
T2 - How Managers Make Cyber Security Decisions
AU - Shreeve, Benjamin
AU - Gralha, Catarina
AU - Rashid, Awais
AU - Araújo, João
AU - Goulão, Miguel
N1 - Publisher Copyright:
© 2023 Copyright held by the owner/author(s).
PY - 2023/5/27
Y1 - 2023/5/27
AB - Managers rarely have deep knowledge of cyber security and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of seven teams of senior managers from the same organisation as they complete the Decisions & Disruptions cyber security exercise. We use grounded theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal model (using iStar 2.0) of the teams' dialogue that illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning that describes how these teams make their decisions, showing how each team member's experience, intuition, and understanding affects the team's overall shared reasoning and decision-making. Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security-specific training, they demonstrate reasoning that closely resembles the decision-making approaches espoused in cyber security-specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non-cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.
KW - Cyber security decision-making
KW - cyber security risk analysis
KW - goal modelling
UR - http://www.scopus.com/inward/record.url?scp=85164216769&partnerID=8YFLogxK
U2 - 10.1145/3548682
DO - 10.1145/3548682
M3 - Article
AN - SCOPUS:85164216769
SN - 1049-331X
VL - 32
JO - ACM Transactions on Software Engineering and Methodology
JF - ACM Transactions on Software Engineering and Methodology
IS - 4
M1 - 83
ER -