Decision-Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment
This research addresses training needs for cybersecurity decision-makers by identifying biases, but it is incremental as it builds on existing work in systems thinking and simulation-based learning.
The study investigated how decision-makers handle delays and uncertainties in cybersecurity capability development, using a simulation game with 1,479 runs. Experienced professionals were no better at understanding delays than inexperienced ones, but were better able to learn the need for proactive decision-making through iteration; both groups made similar errors with uncertainty.
We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development, and uncertainties in predicting cyber incidents. Analyzing 1,479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.