
Behavioral Economics and Risk Management in Cybersecurity.

In 1979, Daniel Kahneman and Amos Tversky published Prospect Theory, a study of how people actually make decisions that involve risk and uncertainty. Kahneman received the 2002 Nobel Memorial Prize in Economic Sciences largely for this work; Tversky had died in 1996, and the prize is not awarded posthumously.

What they found was that when people are offered a potentially large gain, they prefer a smaller sure thing and avoid the gamble. When the same people face a potentially large loss, they are inclined to gamble in the hope of losing nothing. In other words, people tend to be risk-averse for gains and risk-seeking for losses, even when the expected values point the other way.

Here's what they did.

Kahneman and Tversky presented respondents with pairs of choices like the following (problems 3 and 3' of the 1979 paper; the amounts are in the local currency of the time).

The gain frame.  Choose between two alternatives:

A. 100% chance of gaining 3,000

B. 80% chance of gaining 4,000, but also a 20% chance of receiving nothing.

Option A's expected outcome is 3,000 while option B's is 3,200 (0.8 x 4,000), yet 80% of respondents chose option A because it is a guaranteed gain. On expected value alone, option B is the better choice.

The loss frame.  Choose between two alternatives:

C. 100% chance of losing 3,000

D. 80% chance of losing 4,000, but a 20% chance of losing nothing.

Option C's expected outcome is losing 3,000 while option D's is losing 3,200. On expected value alone, the better choice is option C, the guaranteed loss of 3,000.

The results are interesting.

When faced with a gain, 80% of respondents chose the guaranteed smaller gain.

When faced with a loss, 92% chose the risky larger loss. The expected-value answer for the loss frame is option C, but most people decided to gamble and chose option D instead. Note that the two frames are mirror images: the same amounts and probabilities with only the sign flipped. All else being equal, people are more inclined to take a risk when the outcome is a loss rather than a gain.

Plotted on a graph, this gives Prospect Theory's S-shaped value function: concave above the reference point (diminishing sensitivity to gains, hence risk aversion), convex below it (diminishing sensitivity to losses, hence risk seeking), and steeper on the loss side because a loss hurts more than an equal gain pleases.

So what does this have to do with information security?

Classical economics assumes that business leaders make perfectly rational decisions. Behavioral economics flips that and shows that we live in a world full of uncertainty in which people do not always decide rationally. Quantitative risk frameworks such as FAIR (Factor Analysis of Information Risk) are partly a response to this: they force a risk to be stated as a probable frequency and a probable magnitude of loss in monetary terms, so that the decision rests on the expected loss rather than on how the choice happens to be framed.

To apply Kahneman and Tversky's findings, we first have to recognize that many business leaders view cybersecurity as a cost center. It is a flawed perspective, and it persists even in some larger organizations with mature security postures.

To a business leader, investing in cybersecurity looks like a choice between a small guaranteed loss, the cost of buying information security products and services, and a large risky loss, for example a high-impact security incident such as ransomware or a data breach. That is exactly the loss frame from the experiment: a certain small loss against a probable larger one.

What Prospect Theory tells us is that, in that frame, business leaders are inclined to gamble: to accept the exposure to a large loss rather than pay the certain, smaller cost of reducing it, even when the expected loss of the gamble is the larger number.

So what should you do?

At the highest level, it is important to change the company culture so that cybersecurity is viewed as cost avoidance rather than as a cost center. Concretely, that means putting both sides of the choice in the same units: the certain cost of controls against the probability and magnitude of the incident they prevent, expressed as an expected annual loss, so that the comparison is made on numbers rather than on the framing. A security champion who shapes opinion at the top about the risk exposure, the threats and the likelihood of impact will get the support they need from the business team to protect the organization from a high-impact security incident.
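Scoring the choices in code makes the bias concrete. The following is an added example written for this page, not code from the article or from American Cyber: it computes the expected value and the prospect-theory value of a certain outcome against an 80% gamble, first for the amounts Kahneman and Tversky used in the 1979 paper (a certain 3,000 against an 80% chance of 4,000, and the mirror-image losses), and then for a security-investment decision framed the same way as in the paragraphs above. The value function and probability weighting use the median parameter estimates from Tversky and Kahneman's 1992 paper (alpha = beta = 0.88, lambda = 2.25, gamma = 0.61 for gains, delta = 0.69 for losses); the control cost, breach loss and breach probability in the security scenarios are constructed for illustration, not real figures.

```python
"""Expected value versus prospect-theory value for certain-vs-gamble choices.

Added example, not from the original article. Parameters are the median
estimates from Tversky and Kahneman (1992). Only "simple" prospects
(one non-zero outcome with probability p, otherwise zero) are handled,
which covers every choice discussed on the page. Dollar figures in the
security scenarios are constructed for illustration.
"""

ALPHA = 0.88   # diminishing sensitivity for gains
BETA = 0.88    # diminishing sensitivity for losses
LAMBDA = 2.25  # loss aversion: a loss hurts about 2.25x as much as an equal gain
GAMMA = 0.61   # probability-weighting exponent, gains
DELTA = 0.69   # probability-weighting exponent, losses


def value(x):
    """Subjective value of a gain or loss of x relative to the status quo."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** BETA


def weight(p, loss):
    """Decision weight for probability p: over-weights small p, under-weights large p."""
    g = DELTA if loss else GAMMA
    return p ** g / (p ** g + (1.0 - p) ** g) ** (1.0 / g)


def expected_value(prospect):
    """prospect is a list of (outcome, probability); zero outcomes may be omitted."""
    return sum(x * p for x, p in prospect)


def prospect_value(prospect):
    """Prospect-theory value of a simple prospect (x, p; 0, 1 - p) = w(p) * v(x)."""
    nonzero = [(x, p) for x, p in prospect if x != 0]
    if len(nonzero) > 1:
        raise ValueError("only simple prospects with one non-zero outcome are supported")
    if not nonzero:
        return 0.0
    x, p = nonzero[0]
    return weight(p, loss=x < 0) * value(x)


def preferred(options, scorer):
    """Name of the option with the highest score under the given scorer."""
    return max(options, key=lambda name: scorer(options[name]))


# Kahneman and Tversky (1979), problems 3 and 3': certain vs 80% gamble, both signs.
KT79_GAINS = {"certain": [(3000, 1.0)], "gamble": [(4000, 0.8)]}
KT79_LOSSES = {"certain": [(-3000, 1.0)], "gamble": [(-4000, 0.8)]}


def security_decision(control_cost, breach_loss, breach_probability):
    """Certain spend on controls vs a probable breach loss, scored both ways.

    Returns both verdicts plus the decision weight a loss-averse decision
    maker effectively applies to the breach probability.
    """
    invest = [(-control_cost, 1.0)]
    gamble = [(-breach_loss, breach_probability)]
    return {
        "ev_invest": expected_value(invest),
        "ev_gamble": expected_value(gamble),
        "ev_favours_control": expected_value(invest) > expected_value(gamble),
        "pt_invest": prospect_value(invest),
        "pt_gamble": prospect_value(gamble),
        "pt_favours_control": prospect_value(invest) > prospect_value(gamble),
        "decision_weight": weight(breach_probability, loss=True),
    }


if __name__ == "__main__":
    print("Expected value picks", preferred(KT79_GAINS, expected_value), "for gains and",
          preferred(KT79_LOSSES, expected_value), "for losses")
    print("Prospect theory picks", preferred(KT79_GAINS, prospect_value), "for gains and",
          preferred(KT79_LOSSES, prospect_value), "for losses")
    # Constructed scenarios (not real figures):
    # 1. $450k of controls vs a 50% chance of a $1M breach this year.
    # 2. $20k of controls vs a 1% chance of the same $1M breach.
    for cost, loss, prob in ((450_000, 1_000_000, 0.5), (20_000, 1_000_000, 0.01)):
        print(f"\ncontrols ${cost:,} vs {prob:.0%} chance of ${loss:,} breach")
        for key, val in security_decision(cost, loss, prob).items():
            print(f"  {key}: {val}")
```

Run as a script, expected value picks the gamble in the gain frame and the certain loss in the loss frame, while the prospect-theory score picks the certain gain and the risky loss, matching the published majorities. In the first constructed security scenario ($450k of controls against a 50% chance of a $1M breach this year) the expected loss says spend, but the prospect-theory score prefers to gamble: a 50% breach carries a decision weight of only about 0.45, and the $1M loss does not feel twice as bad as the $450k spend. The second scenario flips the other way: against a 1% chance of the same breach, a $20k control is not worth it on expected loss ($10k), yet the prospect-theory score buys it, because a 1% probability is weighted like roughly 4%. That is the insurance-buying side of the same theory, and it is worth knowing before leaning on the bias argument: the gamble-on-the-big-loss behaviour described above is strongest when the incident is seen as likely and the control is not cheap relative to the loss.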


Thank you for reading this article and feel free to contact American Cyber if you need assistance building or advancing your security program.

