- Behavioral Science Overview by Alex Blau from ideas42
- http://www.ideas42.org/about-us/people/#407
- ideas42 is a non-profit that applies behavioral science to decision making (look into further)
- Underinvesting or mis-investing in cybersecurity by executives...why?
- People assume that others act logically; in reality they make odd decisions
- Decisions aren't about the person but the context of when that decision was made
- CEO and CISO don't always speak the same language, different interests and concerns
- CISO should be able to articulate risks as a business case, not a technical case
- Make a CYBER problem an ORGANIZATION problem
- Cybersecurity experts probably think in very complex mental models
- Need to simplify that model when presenting information to non-technical people, e.g. the CEO
- CISOs think about managing risk; CEOs think about mitigating risk
- Define metrics for success!!!
- Process metrics vs outcome metrics
- "How good is our process" vs. "Have we been breached?"
- Vulnerabilities found and fixed internally vs. how many have been found and exploited externally
- Overconfidence in current investments can skew decision making
- Compliance checkbox lists can provide overconfidence
- A feedback system that only reports whether a breach happened is a bad feedback system
- Lack of a breach doesn't necessarily mean you're secure; it may just mean you haven't been exposed or targeted yet
- SOLUTION: Constantly be trying to break the system; constantly benchmark against what a system should look like
- Focus can be on the wrong things
- Availability bias means attention goes only to the recent events your mind has been exposed to
- Example: Focusing on a big headline breach while ignoring employee training and education, internal pen-testing, internal bug bounty programs
- Survey your peers about what they're doing
- Break the system!!!
Resources:
Last active: October 10, 2017 17:37
Notes from HackerOne "Why Executives Underinvest in Cybersecurity" Webinar
Gist: jaywon/420b4a988cff9966455d16aed99fc96e