Solving the current risk versus the uncertain future risk? An example from cybersecurity

Dr. Robin L. Dillon-Merrill, Principal Analyst

My research for the last decade has focused on decisions that individuals make under uncertainty. Recently, with a colleague, Cathy Tinsley, at Georgetown University, I have been exploring decisions and risks associated with cybersecurity issues.

We had 528 participants complete an online exercise. The participants were recruited from mTurk and were paid fifty cents for their time. Each participant read one of two conditions. In both conditions, the participant is the decision maker for a small business that faces both a supplier problem and a computer security problem. In the first condition, the problem with the supplier is occurring now; in the second condition, the problem with the supplier is uncertain and could occur in the future. In both conditions, the computer security problem is uncertain and could occur in the future. Participants read only one scenario and did not see the alternative version.

The text of the first scenario read:

You own a small business that sells custom-made table protectors for dining room tables. You are not getting rich selling table protectors, but enjoy the freedoms and challenges of running a small business.

As the new year starts, you face two challenges. You only have the resources to resolve one this year and one will have to wait until next year. The resources required to solve either problem are roughly equivalent.

  1. A few months ago Microsoft stopped issuing security updates for the XP operating system, which your computers use to receive online orders and store customer data. Although you also use Blast antivirus software, Microsoft’s security updates were important to defend against malware and viruses that target Microsoft XP vulnerabilities. Microsoft of course recommends upgrading to Windows 8, which is Microsoft-supported, but for you that means also purchasing all new computers.
  2. Over the course of the past 12 months, you received more quality complaints than in prior years. These complaints forced you to sell some of your inventory at a discount. Thus you are considering a different materials supplier. But switching will create an upfront cost for you because most suppliers need a guaranteed purchase amount and require prepayment for initial purchases. If you do not switch suppliers, you may have more quality problems in the future since your current supplier has been getting increasingly unreliable.

You must now decide which investment to make for your business. You know the business can’t afford both investments.

Which investment do you make?

The text of the second scenario was exactly the same except for the description of the problem with the supplier. In the second scenario, the problem with the supplier is described as:

Your chief supplier is located in a country recently identified as a "high risk" on a US government ranking of how corrupt a country's public sectors are. While you have not had any problems with your supplier to date, you are concerned about the stability of the supplier given the country's corruption score. Thus you are considering a different materials supplier in a country with a low corruption score. But switching will create an upfront cost for you because most suppliers need a guaranteed purchase amount and require prepayment for initial purchases.

Assuming that you only read one of the above scenarios, how likely is it that you would choose the computer upgrade versus changing the supplier?

In the first condition, participants overwhelmingly chose to fix the immediate problem with the supplier: 84.6% chose to invest in a new supplier and 15.4% chose to upgrade the computers. When both problems are uncertain future problems, 51.7% chose to invest in a new supplier and 48.3% chose to upgrade the computers (χ2 (1) = 65.5, p < .001).
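As an added check that is not part of the original post, the reported chi-square statistic can be recomputed from the reported percentages. The post gives the total N = 528 but not the size of each condition, so an equal split (264 per condition) is assumed here; the counts below are constructed from that assumption, not the study's raw data.

```python
import math

# Constructed figures, not data from the study: the post reports N = 528,
# 84.6% / 15.4% in the current-problem condition and 51.7% / 48.3% in the
# future-problem condition, but not how many participants saw each one.
N_TOTAL = 528
P_SUPPLIER = {"current": 0.846, "future": 0.517}


def reconstruct_counts(n_total=N_TOTAL, p_supplier=P_SUPPLIER):
    """Rebuild a 2x2 table, rows = condition, cols = [supplier, computers].

    Assumption: both conditions are the same size (n_total // 2 each).
    """
    n_cond = n_total // 2
    table = []
    for share in p_supplier.values():
        supplier = round(n_cond * share)
        table.append([supplier, n_cond - supplier])
    return table


def chi_square(table):
    """Pearson chi-square test of independence for an r x c table.

    Returns (statistic, degrees of freedom, p-value). For df = 1 the
    p-value is the closed form erfc(sqrt(chi2 / 2)), so only the standard
    library is needed; for other df the p-value is left as None.
    """
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    n = sum(row_totals)
    stat = 0.0
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_totals[i] * col_totals[j] / n
            stat += (observed - expected) ** 2 / expected
    df = (len(row_totals) - 1) * (len(col_totals) - 1)
    p_value = math.erfc(math.sqrt(stat / 2)) if df == 1 else None
    return stat, df, p_value


if __name__ == "__main__":
    counts = reconstruct_counts()
    stat, df, p_value = chi_square(counts)
    print("reconstructed table:", counts)
    print(f"chi2({df}) = {stat:.1f}, p = {p_value:.1e}")
```

Under the equal-split assumption the statistic comes out near 66, within rounding of the reported 65.5; a different split of the 528 participants would move it slightly but not change the conclusion.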

We also asked our participants to describe their knowledge of 12 cybersecurity-related items on a scale where 0 is not at all knowledgeable and 10 is very knowledgeable. The 12 items were: Phishing, Malware, Spyware, Botnet, Computer virus, SQL injection, Denial of Service (DoS), Encryption, Virtual Private Network (VPN), Anti-virus software, Intrusion detection system, and Firewall. We averaged the scores on the 12 items to assess each participant’s knowledge of cybersecurity topics (Cronbach’s α = .95). The following statistics describe the cybersecurity knowledge of our participants: Mean = 6.3, s.d. = 2.4, Median = 6.5, Minimum = .33, Maximum = 10. Splitting the participants into high versus low cybersecurity knowledge based on each participant’s self-assessment did not further explain the decisions by condition. In both the high- and low-knowledge groups, roughly 85% chose to invest in the new supplier in the first condition and roughly 52% chose to invest in the new supplier in the second condition.

This problem of choosing to address the immediate risk or concern rather than investing in uncertain future problems is prevalent in many industries. The same problem exists for hospitals choosing between investing in robotic surgery equipment or in new generators. Patients don’t pick hospitals based on who has the best emergency preparedness.

Thus, sorting out the right balance between investments that address current shortcomings versus uncertain future risks requires careful risk analysis, planning, and decision making.