Making Sense of the Unknown: How Managers Make Cyber Security Decisions

Managers rarely have deep knowledge of cyber security and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of seven teams of senior managers from the same organisation as they complete the Decisions & Disruptions cyber security exercise. We use grounded theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal-model (using iStar 2.0) of the teams' dialogue that illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning that describes how these teams make their decisions, showing how each team members' experience, intuition, and understanding affects the team's overall shared reasoning and decision-making. Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security-specific training, they demonstrate reasoning that closely resembles the decision-making approaches espoused in cyber security-specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non-cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.