The research team for this study also included Deason Institute Principal Investigator Tyler Moore and Scott Dynes, a visiting scholar at the Institute. Moore’s research focuses on the economics of information security, the study of electronic crime and the development of policy for strengthening security. Dynes’ research addresses how firms identify and manage cyber risks at the firm and sector levels, and he is well published on topics related to incentives for firms to invest in information security, as well as the economic consequences of information security failures.
Interviews with the 40 executives cited in the survey were conducted in person or by phone with one or two researchers and lasted from 30 minutes to an hour. The interviews were semi-structured in that researchers worked from a list of common questions in every interview, but allowed the answers to those questions to serve as a launching point for follow-ups. Of the participants, 33 represented U.S. organizations and the remaining seven were international. Interview questions included:
- What methods and inputs do you use to prioritize cyber investment?
- Do you feel you have adequate information in managing overall cyber risk?
- Is your management supportive? Do you have sufficient budget?
- What factors are driving cybersecurity investment at your firm?
- How do you decide among offerings in the marketplace?
A key study finding was the central role that frameworks now play in defining how executives perceive risk, and how much money they are willing to spend to mitigate that risk. “Using these frameworks provides a platform for CISOs to make an understandable, compelling case for specific cybersecurity products and operations,” Moore said. Or as one interviewed executive put it, “Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there.'”
Worth noting, Moore added, is that the lack of qualified, available cybersecurity professionals creates its own set of problems. “In some cases, CISOs say their senior management wants to fund cybersecurity measures more quickly than they can staff them,” Moore said. “In other cases, senior management is hesitant to fully fund proposed cybersecurity projects because they fear the CISO doesn’t have the personnel available to implement them.”
The interviews were conducted between February and October 2015 and participants were assured anonymity for themselves and their firms. The authors note that the advantage of the semi-structured interview methodology is that it enables the researcher to glean detailed contextual information that would not be possible under a more structured interview scenario. The disadvantage, they note, is that the contextual findings do not generalize to the profession as a whole.
The findings described in the report, Identifying How Firms Manage Cybersecurity Investment, are not to be construed as an endorsement of any person, product or company by the Darwin Deason Institute for Cyber Security at SMU. Note that the respondent opinions presented in the report do not necessarily reflect the opinions of the study authors or the study sponsor, IBM. The study’s objective is to relay as accurately as possible the statements of the interview subjects.