
Rational choices in cybersecurity: Navigating the metrics of human cyber risk


3 January 2023

When is it a good idea to commit a crime?

Some say never. Some say properly adhered to laws are what allow societies to live harmoniously and prosperously. But consider something as simple as speeding.

Most would likely admit that, a majority of the time, speeding is a bad idea. Certainly, if we all decided to speed all of the time, driving would become a great deal more risky.

So most of the time, we adhere to speed limits. Until the expected costs and/or the expected benefits of speeding change.

Deserted roads on a clear day while you’re running late for an important meeting?

Speeding might suddenly become worthwhile.

Driving an injured passenger losing blood at an alarming rate to A&E?

Suddenly it makes more sense to speed.

The Nobel Prize-winning economist Gary Becker was the first to apply the broader economic theory of rational choice to crime. When it came to making decisions, Becker argued, people chose based on the expected costs and expected benefits of each available course of action.

Could rational choice theory explain why cyber aware people sometimes behave in an insecure manner?

In the ever-evolving landscape of cybersecurity, understanding the balance between rational choice and human behavior is crucial. As we delve into this complex realm, we’ll also explore the significance of metrics. Metrics shed light on the effectiveness of defenses against cyber attacks and serve as a benchmark for security professionals.

Join us on this journey as we uncover the metrics that can help you manage human-cyber risk effectively.

The best metrics are meaningful

Many things in life can be measured. Our height, the distance we ran, how short our last relationship was…

It’s no different when it comes to cybersecurity. Human-cyber risk can be measured. But where do you begin? Pull up a chair and grab a snack, let’s explore the wonderful world of metrics! 

Metrics shine a light on how effective defences are against cyber attacks. They serve as a benchmark for security professionals, and are a useful tool for managing human-cyber risk.

“Why do we need to manage human-cyber risk?”, you may ask? The stats speak for themselves…

CybSafe’s research with the National Cybersecurity Alliance revealed nearly a third (31%) of respondents either “sometimes,” “rarely,” or “never” install software updates. It goes to show there is room for improvement.

Harnessing irrationality

Gary Becker, who first applied rational choice to everyday behaviors, was a giant in his field. He won the Nobel Prize in 1992 and was awarded the United States Presidential Medal of Freedom in 2007. In 2014, the New York Times columnist Justin Wolfers declared Becker ‘the most important social scientist in the past 50 years’.

But how far do Becker’s theories really extend?

In more recent years, a new wave of economists have pointed out a host of blatant irrationalities people typically harbour. Doubling the price of jewellery, for example, often increases its demand.

This new wave of researchers – known as behavioral economists – argue people often operate with imperfect information and need to make choices quickly. To help us do so, we live by a set of default rules which help us most of the time but, on occasion, allow irrationalities to creep in.

One default rule might be to equate higher prices with higher quality. And, when living by the rule, more expensive jewellery suddenly becomes more desirable.

Rational choice might condemn us to a world of successful cyber attacks. Fortunately, though, people are not always rational.

So the question becomes: how can we harness human irrationality to keep people safe online – even when behaving securely might be perceived as entirely irrational?

Presumably, the trick lies in making secure behaviors a default rule. As behavioral economists have shown, once default rules are established, rationality has little say over how we act.

To make behaving in a secure manner a default rule, it may be worth our industry sidelining talk of cyber security in the workplace and focusing on the personal benefits of secure behavior. The benefits of risky behavior might outweigh the costs while at work. At home it’s a different story – and any default rules formed at home will almost always follow people around.

That’s largely because those who behave in a secure manner by default do not weigh up the costs and benefits of doing so. They live by the rule: cyber secure behaviors are always the way to go.

Just as one default rule sees us “irrationally” desire more expensive things, another can ensure we behave securely both in and out of the workplace.

Even when it makes absolutely no sense to do so.

No wonder measuring human behavior is such a complex task. To be successful, cybersecurity professionals must measure not only the technical aspects but also the human element.

Now that we’ve explored the concept of rational choice and its implications in cybersecurity, let’s shift our focus to the world of metrics and how they can help us manage human-cyber risk.


Bending the rules

It is easy to fail at measuring human-cyber risk when the tools used are shallow. Improving knowledge of cyber security is useful, but it is not enough. If anything, employees who only complete tick-box exercises can do more harm than good: they have the knowledge, and still weigh the cost of using it.

It’s not that standard security training for your staff isn’t essential. It is. But wouldn’t it be way better to be fully equipped to fight off cyber attacks?

Cormac Herley argues that, while cyber secure practices prevent attacks, they burden people with extra effort. When the expected costs of the extra effort outweigh the expected benefits, Herley argues, people rationally choose to behave in an insecure manner. Herley offers warnings over outdated security certificates as an example.

‘It’s hard to blame users for not being interested in SSL and certificates,’ Herley writes, ‘when (as far as we can determine) 100% of all certificate errors seen by users are false positives.’

Herley’s conclusion is alarming.

For a long time, the cyber security industry has been focused on showing people how to behave in a secure manner. But if we rationally refuse to behave in a secure manner even when we know how to keep ourselves safe, we hit a brick wall.

Thanks to rational choice, in certain situations we might never behave in a cyber secure manner – making the organisations we work for vulnerable no matter what.

Don’t just take our word for it; other organisations have realised this too. The European Systemic Risk Board (ESRB) recently released a survey which showed that ineffective testing of people, processes and technology was a high-priority vulnerability.

How can things change? It’s all in knowing your ABCs: awareness, behavior and culture. If people can improve their ABCs when it comes to cyber security, a change can be made for the better.

But what metrics can be used to track human-cyber risk when the choices people make can be both rational and irrational? And how can you measure success? 

Metrics in practice

Metrics play a pivotal role in human cyber risk management. Let’s delve into how metrics, particularly in the realms of awareness, behavior, and culture, contribute to strengthening cybersecurity.

Let’s start with awareness. How can it improve? Recognising a threat and knowing how to mitigate it is a great start.

Insightful activities such as workshops and quizzes are amazing awareness tools. They are fun and interactive. They are an effective way of teaching people how to identify risks.

These activities are useful for another important reason. Interactive measures are a good way of gauging how long it takes before someone forgets the things they have learned.

Workshops and activities are most effective when done regularly. This helps to build the knowledge retention of people.

Information provided in these activities can help people to know where to get help if they ever face a cyber attack.

So, security awareness knowledge is foundational. But, behavioral and cultural metrics are important too.

Behavior always happens within a context. It is easy to assume what people do rather than measure it, and that habit is one worth breaking.

Take password hygiene. Assuming people have bad password habits and raising awareness around this will not always guarantee behavior change.

A little nudge can help. Showing someone how often their password has appeared in a breach, alongside a stronger alternative, is far more persuasive than a generic warning.

People are more likely to be aware of risks if they can see how close they are to danger. More importantly, they are then more willing to change their habits for the better.
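The breach-count nudge described above, implemented as a worked example. This is added here and is not code from the original post or from CybSafe’s products. It uses a k-anonymity range lookup (the client hashes the password locally with SHA-1 and sends only the first five hex characters, the same scheme Have I Been Pwned’s Pwned Passwords range API uses) against a small constructed corpus that stands in for a breached-password dataset. The corpus, its counts and the message thresholds are invented assumptions for the example.

```python
import hashlib

# Constructed corpus: plaintext -> number of times seen in breaches.
# Stand-in for a real breached-password dataset; the counts are invented.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_861_493,
    "letmein": 158_042,
    "Summer2023!": 121,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the digest the range scheme keys on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-char hash prefix -> {35-char suffix: count}.
# Built once from the corpus; the server never needs plaintext passwords.
RANGE_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in CONSTRUCTED_BREACH_CORPUS.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix: str) -> dict[str, int]:
    """Simulated server endpoint: given a 5-hex-char prefix, return every suffix
    in that range with its count. The server learns only the prefix, never the
    full hash, so it cannot tell which password the client was checking."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def nudge_message(password: str) -> str:
    """Turn the count into the 'how close to danger' nudge the post describes.
    Thresholds are assumptions for the example."""
    count = breach_count(password)
    if count == 0:
        return "No known breach exposures for this password."
    if count < 1_000:
        return (f"This password has appeared in {count:,} breaches. "
                "Attackers test leaked passwords first; pick one not seen before.")
    return (f"This password has appeared in {count:,} breaches and will be among "
            "the first an attacker tries. Use a long passphrase of unrelated words, "
            "unique to this account.")


if __name__ == "__main__":
    for candidate in ("password", "Summer2023!", "tr0ub4dor&3-unique-hypothetical"):
        print(f"{candidate!r}: {nudge_message(candidate)}")
```

The design point is that the check never moves the password, or even its full hash, off the user’s machine: only the five-character prefix crosses the wire, and the client does the final match itself. Against a real range service the corpus would be the service’s data and `range_query` an HTTP call, but the client logic is unchanged.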

A supportive culture

Fostering a culture of trust and security isn’t just a nice-to-have; it’s a cornerstone of effective cybersecurity.

Culture can be measured too. Doing so provides insight into how people feel about security, leadership and trust at your organisation.

Having a culture that is safe and trusting plays a key role when it comes to cyber security. It helps people feel more confident to speak up about cyber risks.

Awareness, behavior and culture lay the groundwork for a well-rounded view of human-cyber risk management. It isn’t as simple as singing ABC! You may find it takes time to implement these metrics. But it will be time well spent.

Metrics that measure the effectiveness of ABC take it to the next level. That’s where the magic happens!
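As an added example, not from the post or from CybSafe’s products, here is one metric for each of the three pillars computed from constructed data: invented quiz scores taken on the day of a workshop and 30 and 90 days later (the knowledge-retention measure mentioned earlier), invented phishing-simulation events (so behaviour is measured rather than assumed), and invented survey responses for culture. All data, statement wording and the choice of checkpoints are assumptions for the example.

```python
from statistics import mean, median

# Constructed sample data, invented for this example (not real telemetry).
# Awareness: quiz score (% correct) per person on the day of a workshop,
# 30 days later and 90 days later.
QUIZ_SCORES = {
    "alice": (90, 80, 70),
    "bob": (60, 55, 40),
    "cara": (100, 95, 95),
}

# Behaviour: phishing-simulation events as (campaign, user, action, minutes_after_send).
PHISH_EVENTS = [
    ("q1", "alice", "reported", 4),
    ("q1", "bob", "clicked", 2),
    ("q1", "cara", "ignored", None),
    ("q2", "alice", "reported", 3),
    ("q2", "bob", "reported", 15),
    ("q2", "cara", "clicked", 9),
    ("q2", "cara", "reported", 12),  # clicked, then reported: counts for both
]

# Culture: Likert responses, 1 = strongly disagree .. 5 = strongly agree.
CULTURE_SURVEY = {
    "I can report a security mistake without fear of blame": [4, 5, 3],
    "Leadership takes security seriously": [3, 4, 2],
}


def awareness_retention(scores):
    """Mean score at each checkpoint, plus the fraction of day-0 knowledge still held at day 90."""
    day0 = mean(s[0] for s in scores.values())
    day30 = mean(s[1] for s in scores.values())
    day90 = mean(s[2] for s in scores.values())
    return {"day0": day0, "day30": day30, "day90": day90, "retention90": day90 / day0}


def behaviour_by_campaign(events):
    """Per campaign: click rate, report rate and median minutes-to-report.
    Rates are per targeted person, so one person clicking twice is counted once."""
    targeted, clicked, reported, report_minutes = {}, {}, {}, {}
    for campaign, user, action, minutes in events:
        targeted.setdefault(campaign, set()).add(user)
        if action == "clicked":
            clicked.setdefault(campaign, set()).add(user)
        elif action == "reported":
            reported.setdefault(campaign, set()).add(user)
            report_minutes.setdefault(campaign, []).append(minutes)
    result = {}
    for campaign, users in targeted.items():
        n = len(users)
        mins = [m for m in report_minutes.get(campaign, []) if m is not None]
        result[campaign] = {
            "targeted": n,
            "click_rate": len(clicked.get(campaign, set())) / n,
            "report_rate": len(reported.get(campaign, set())) / n,
            # None when nobody reported: do not fake a zero.
            "median_minutes_to_report": median(mins) if mins else None,
        }
    return result


def culture_score(survey):
    """Mean agreement per statement and overall."""
    per_statement = {q: mean(r) for q, r in survey.items()}
    overall = mean(r for rs in survey.values() for r in rs)
    return {"per_statement": per_statement, "overall": overall}


def abc_summary():
    """One dashboard-ready structure with a metric per pillar."""
    return {
        "awareness": awareness_retention(QUIZ_SCORES),
        "behaviour": behaviour_by_campaign(PHISH_EVENTS),
        "culture": culture_score(CULTURE_SURVEY),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(abc_summary(), indent=2))
```

Two things worth noting. The report rate is the behaviour metric that tells you the most: between the two constructed campaigns the click rate is unchanged at one in three, but everyone reports in the second, which is the outcome you are actually paying for. And the awareness figure is deliberately a ratio (day-90 score over day-0 score), because a single post-workshop score says nothing about how fast the knowledge decays.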

A time to reflect

Looking at the delivery of campaigns is a good way of knowing where to go next. This can range from how you decided to deliver ABC campaigns, to planning how the outcome of your campaign will be measured. CybSafe’s whitepaper, Meaningful Metrics for Human Cyber Risk, is filled with more nuggets of wisdom to make metrics work for you.

In our journey through the complex intersection of rational choice, metrics, and human-cyber risk, we’ve uncovered essential insights that can shape a safer digital world. As we reflect on the importance of metrics in understanding and managing human-cyber risk, let’s distill the key takeaways:

  • Rational choice in cybersecurity: Rational choice theory plays a pivotal role in our decision-making processes in the ever-evolving field of cybersecurity. It reminds us that our choices are influenced by expected costs and benefits.
  • Meaningful metrics: Metrics serve as our guiding light, illuminating the effectiveness of defenses against cyber threats. They provide a benchmark for security professionals and offer a valuable tool for managing human-cyber risk.
  • Culture matters: Fostering a supportive culture within organizations is not only essential but a cornerstone of effective cybersecurity. It empowers individuals to speak up about cyber risks and reinforces secure behaviors.
  • Awareness, behavior, and culture: These three pillars form the foundation of human-cyber risk management. Together, they create a holistic view that allows us to navigate the complex world of cybersecurity.

Making that first step

In the intricate tapestry of cybersecurity, rational choices and meaningful metrics help us navigate the path to a more secure digital landscape. As we conclude, remember that the balance between rational decision-making and human behavior is an ongoing challenge.

We invite you to engage in this dialogue. What are your thoughts on the role of rational choice and metrics in cybersecurity? How can we better manage human-cyber risk in this dynamic era? Feel free to share your insights and questions, as together, we continue our pursuit of a safer online world.

CybSafe is here to support you with every step of your cyber journey. You should feel secure each time you go online.

Easy-to-understand reports on human-cyber risk are provided for your organisation. As well as tailored recommendations so your actions can have the best impact on your company.

CybSafe offers a trio of solutions – GUIDE, PHISH, and RESPOND – meticulously crafted to assist you in shaping targeted security behaviors, lowering your human cyber risk, and ensuring compliance in the process.

Every product is supported by the industry’s most extensive in-house team of psychologists, behavioral scientists, analysts, and security experts. Moreover, they are underpinned by the SebDB, the most extensive database of security behaviors globally.

CybSafe’s software will help you to understand the impact of human-cyber risk, as well as supporting people to make the best security decisions possible.

Any questions? Please ask.
