The risk of cyber attack regularly increases in frequency and danger. Every day, it seems, there is another news article about the next attack, which is creating a great deal of concern in organizations large and small. Yet cyber security as a whole continues to be underfunded by many organizations. Why?
One reason is that it can be difficult to predict the likelihood of a cyber attack succeeding, as well as the the extent of potential losses. As Alex Blau (2017) discusses in his article in the Harvard Business Review, decision makers must use their judgment to estimate how much to invest in cyber security, but some decision makers may rely on the wrong models when considering where and how much to invest. Here are three of the reasons he shares that explain why decision makers within organizations often don’t take cyber security seriously enough:
- They envision cyber security as a kind of fortification process in which strong firewalls and astute watchmen will allow them to see threats from afar.
- They assume that complying with a security framework like NIST or FISMA is sufficient security.
- They haven’t had a security breach recently, so what doesn’t seem broken doesn’t need to be fixed.
According to Blau, “The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is.” He suggests that cybersecurity efforts should focus on risk management instead of risk mitigation. Every organization needs an ongoing plan in place to protect against the likelihood of cyber attack, which can cost millions, and even put you out of business.
How prepared is your organization to defend against cyber attack? If you’re interested in bolstering your cyber security skillset to better protect your organization from potential threats, check out IEEE’s latest course program, Cyber Security Tools for Today’s Environment.
Blau, A. (2017, June 7). The behavioral economics of why executives underinvest in cybersecurity. Harvard Business Review.