Decision Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment

Despite the rise in the frequency and intensity of cyber-attacks, many organizations are still negligent in their management of cybersecurity practices. To address this shortcoming, we developed a simulation game to understand and improve how managers make investment decisions in building cybersecurity capabilities. The simulation game focuses on how managers’ decisions may impact the profits of their business, considering the costs of cybersecurity capability development, the unpredictability of cyber-attacks, and potential delays in building capabilities. In an experiment with 67 individuals, we recorded and analyzed 1,479 simulation runs. We compared the performances of a group of experienced cybersecurity professionals with diverse industry backgrounds to an inexperienced control group. Both groups exhibited similar systematic errors in decision-making, indicative of erroneous heuristics when dealing with uncertainty. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects, and in fact, performed worse in a less uncertain environment, suggesting more developed heuristics. Our findings highlight the importance of training and education for decision-makers and professionals in cybersecurity, and lay the groundwork for future research in uncovering mental biases about the complexities of cybersecurity capability development.