jaywon/README.md

## README.md

      
    Raw
  

              README.md
            
          
Behavioral Science Overview by Alex Blau from Idea 42
http://www.ideas42.org/about-us/people/#407
Idea 42 is a non-prof for analyzing behavioral science in decision making(look into further)
Underinvesting or mis-investing in cybersecurity by executives...why?
People assume that people act logically, in reality make odd decisions
Decisions aren't about the person but the context of when that decision was made
CEO and CISO don't always speak the same language, different interests and concerns
CISO should be able to articulate risks in the business case and not the technical case

Make an CYBER problem an ORGANIZATION problem
Cybersecurity experts probably think in very complex mental models
Need to simplify that model when presenting information to non-technical people aka. CEO
CISO think about managing risk, CEO think about mitigating risk


Define metrics for success!!!

Process metrics vs outcome metrics
"How good is our process" vs. "Have we been breached?"
Vulnerabilities found and fixed internally vs. How many have been found and exploited externally


Overconfidence in current investments can skew decision making
Compliance checkbox lists can provide overconfidence

Feedback system that relates only if a breach happened is a bad feedback system

Lack of breach doesn't mean your secure possibly but that you haven't been exposed yet or targeted
SOLUTION: Constantly be trying to break system, constant benchmarking of what a system should look like


Focus can be on the wrong things

Availablity bias means attention is only on recent events that your mind has been exposed to
Example: Focus on big headline breach and ignoring employee training and education, internal pen-testing, internal bug bounty programs


Survey your peers about what they're doing
Break the system!!!


Resources:

http://www.ideas42.org/wp-content/uploads/2016/08/Deep-Thought-A-Cybersecurity-Story.pdf