The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was issued last week as a reaction to threats from Russian attackers and to the increase in cyber attacks, such as the global WannaCry ransomware attack that recently hit. The release explicitly states that the “President will hold heads of executive departments and agencies accountable for managing cybersecurity risk to their enterprise” (5). A strong statement, and one that I am sure could leave some executives a bit uneasy.
As defined by NIST, a Risk Executive is:
An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success. (4, Appendix B)
These executives are held to a high degree of responsibility for the safety of their enterprises. To better understand the drivers behind risk management, I aim to discern the psychological processes involved when analyzing risk and how risk is assessed within an organization. As internal threats can lead to some of the most damaging information security breaches, understanding how various members of the organization analyze and respond to uncertainty can help human resources and executives set the tone for a risk-reduction culture.
Organizations employ risk management to ensure that they have properly assessed the risks that threaten their organization and that business goals are aligned with this assessment. As defined by NIST, Risk Management is:
The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. (4, Appendix B)
Systematic analysis of threats allows organizations to create pre-formulated contingency plans and allocate resources so that recognized threats do not cause damage to the company. In this process, priority is placed on the risks with the greatest loss potential and the greatest probability of occurring. Risks with a lower probability of occurrence and lower loss potential are handled subsequently. While this seems simple enough, in practice the process of “balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled,” (6) further adding to the stress security executives already face within an organization.
Risk is defined by NIST as “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence” (4, Appendix B). It is an uncertainty that all humans and organizations face, and because the unknown outcome causes an uncomfortable feeling, the natural human propensity is either to shy away from the risk or to transfer it away from the individual or organization.
Several factors contribute to an individual’s assessment of risk, including personality and biases that can be behavioral, attitudinal, and situational. The security executive, with the weight of the entire security program on his/her shoulders, uses his/her experience and expertise to best guide the organization. This individual’s personality displays his/her unique way of thinking, feeling, and behaving, and provides the lens through which he or she will evaluate risk. As a part of personality, schemas help the individual make sense of the world, as they are “a mental concept that informs a person about what to expect from a variety of experiences and situations and are developed based on information provided by life experiences and are then stored in memory” (2). These schemas create mental shortcuts for understanding the current situation based on similar situations that happened in the past.
Heuristic biases are also used when analyzing risk; they are based on the prejudices that we have developed over time, which are self-learned and reinforced. These biases can distort the realities of certain risks “based on an individual’s past experiences and become mental hurdles to approaching risk objectively and proactively” (1). Representativeness is an example of this: a human assumption of the probability of a relationship between two seemingly separate events. In line with representativeness is salience, wherein an individual experiencing something for the first time uses the experience of observing other adverse events to make sense of the current situation. A good example of this is a house fire. If one witnesses a house burning down, one is more likely to draw on that event when making one’s own choices than if one had read about the fire in the newspaper, biasing the amount of weight s/he will give to the probability of a particular event occurring or the amount of damage it can cause.
At the enterprise level, it is important to look at the environment to understand a company’s tolerance for risk and the factors that can affect the culture of risk.
Figure 3. Reciprocal Model of Safety Culture applied to each element. Adapted from “Towards a Model of Safety Culture,” by M. D. Cooper Ph.D., 2000, Safety Science: Vol 36, pp 111-136.
A combination of situational, attitudinal, and behavioral biasing factors (3) comes into play in the perception of risk. Examples of “situational factors include the manner in which information is communicated, the task environment, the organization’s structure and strategic goals and the prevailing organizational culture” (3, p. 2). Organizational factors such as staffing levels and the employer’s response to breaches of standard operating procedures also play an important role in influencing these situational factors. By setting a tone that encourages compliance through clear communication of safety practices and organizational goals, executives create a uniform culture wherein the responsibility is shared.
Examples of attitudinal biases include “people’s disposition or personality; the amount of control people feel they can exert on events; the ease with which they can recall or imagine past risky situations and events; and their motivations.” (3, p. 2) By encouraging a shared attitude towards risk within an organization, employees will feel they have more control over their involvement with risk management and make it a priority in their daily work routines.
Lastly, examples of behavioral biases include “an individual’s on-the-job experience and his/her reinforcement history; how alert s/he is to risk present in the environment; and whether or not s/he receives feedback” (3, p. 2). In a behavioral psychology model, we can best understand this through rewards and punishments. As more organizations put their employees through security training, a reward system should be encouraged to motivate employees to act in accordance with policies.
Group characteristics are a major source of influence when an individual analyzes risk. One’s reference group, which includes managers and fellow employees, affects an individual’s perceptions of workplace risks, as group membership demands conformity to its values, beliefs, and behaviors (3). Deviations from group norms expose the individual to social disapproval and can ultimately lead to rejection.
The three-stage process by which people relate to group norms is compliance, identification, and internalization (3, p. 5). In the first stage, compliance, an individual complies with group norms in order to avoid being seen as a social outcast. In identification, the individual identifies with the rest of the group and acts in a similar fashion in both thoughts and behaviors. Over time, these thoughts and behaviors are internalized and become a natural way of thinking and behaving in the group context.
Applying these findings to the workplace, it makes sense that new hires be placed in a workgroup where risk reduction is the norm, thus encouraging newcomers to adopt best safety practices and reducing the threat of risk to the organization. On the other hand, if new hires are placed into a group that is high in risk-taking, they too will comply with, identify with, and internalize these risk-taking thoughts and behaviors. As risk perception and risk-taking behavior are heavily influenced by the quality of the group’s leadership, with team leaders and managers helping to create and maintain group norms, those leaders should strive to set the best example for their employees (3, p. 5).
Because it is not possible to control people’s personalities, research suggests that “risk-taking behavior can best be reduced by manipulating the situation to ensure the presence of appropriate control measures” (3, p. 5). By taking into account factors such as how risks are communicated through the organization, along with the structure and goals of the company, executives can create a culture that is more risk conscious and lessen the chance of insider threat.
Analyzing how risk is processed by an individual is an important strategy as the security space enters a time of increased regulation and oversight. People do not view risks in the same way, and “their perceptions are affected by their personalities, their appraisal of the situation and their workgroup safety norms” (3, p. 8). A risk management framework, such as NIST’s Risk Management Framework, enables organizations to take a standardized approach to risk management and helps them manage the complexities of risk. As managers and executives become more aware of their behaviors and motivations, they will be able to perform better risk analysis and reduce the feeling of having no control over the situation. Self-awareness is the first step towards improving in any process.
1. Barnabei, Mark D. (2008). Risk Management Psychology and Practice. Master of Science in Organizational Dynamics Theses, 24. http://repository.upenn.edu/od_theses_msod/24
2. Clause, C. (n.d.). Schemas in Psychology: Definition, Types & Examples. Retrieved May 15, 2017, from http://study.com/academy/lesson/schemas-in-psychology-definition-types-examples.html
3. Cooper, Dominic. (2003). Psychology, risk and safety. Professional Safety, 48(11), pp. 39-46. http://behavioural-safety.com/articles/psychology_risk_and_safety.pdf
4. National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Gaithersburg, MD: U.S. Department of Commerce.
5. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. (2017, May 11). Retrieved May 15, 2017, from https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
6. Risk management. (n.d.). Retrieved May 15, 2017, from http://psychology.wikia.com/wiki/Risk_management#References