Why don’t executives want to invest in digital protection solutions?


The first difficulty faced by corporate executives is calculating a strategy's return on investment.

The rapid diversification of digital threats is a major challenge for both companies and insurers. My aim here is not to describe the phenomenon in full, but to explain the reasons behind the lack of preparation for digital threats.

In 2015, DELL offered an interesting perspective that provided a way to assess the ROI of a digital prevention strategy. The conclusion was clear: implementing advanced IT security measures costs money, but that investment is more than justified given the potential impact of an IT attack ($5 for a firewall, compared to $860,273 for a loss following a breach). So why isn’t everyone on board?

The answer lies both in the fact that we are emotional beings and in what behavioural economists call cognitive bias: our brain’s predisposition to use cognitive short-cuts to distil multiple complex pieces of information, so that decisions are easier to make in an uncertain environment that may include low-frequency, high-consequence risks. Daniel Kahneman and Amos Tversky’s work on behavioural economics is an excellent reference in the field.
 
One example is the availability heuristic, which can be used to explain executives’ investment and disinvestment decisions on security solutions. Recent exposure to malware changes your perception of the risk: once the danger is past, you will let down your guard and also decrease your investments.

Another bias worth exploring is loss aversion, which means giving more weight to immediate losses than to potential gains. In other words, an insurance premium is often seen as a short-term expense rather than a long-term gain. Insurers are seen in some areas as partners, and in others as “tax collectors.”

Finally, in spite of the statistics, believing that you are safe from new-generation polymorphic malware because you don’t own any data is an example of serious overconfidence or optimism bias, which will affect your cybersecurity investment choices.

In conclusion, it’s important to remember that error is almost always human!