Unravelling the dynamic complexity of cyber-security

Several recent security incidents show that decision-making on cyber-security can have consequences reaching far into the future. In a world of further digitalization, interconnectedness, and increasing activities of cyber-criminals, the question is how the decision-making needs to adapt to ensure security.

More than 15 years of research has been conducted in the field of security economics on security investment decision-making. Although the field of security economics already recognizes static limitations (data quality and invalid inferences), we posit security investment decision-making is also impacted by dynamic limitations (understanding of feedback, time delay, accumulation effects in this domain of decision-making). These limitations may cause decision makers to use heuristics (simple mental rules) for making decisions in complex, dynamic, and uncertain situations. The use of heuristics can inadvertently and unconsciously lead to incorrect decisions. Therefore, our research focusses on obtaining more knowledge and insights on these dynamic limitations. The main research question of this thesis is: “Which systemic structures drive cyber-security investment decision-making, and how can security investment decision-making potentially be improved?”