6 Significance of BEC
The marketplace and cyberspace alike are vulnerable to extreme occurrences that defy all past expectations. Nassim Taleb calls this type of an event a Black Swan and defines it by its three characteristics: “first, it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Second, it carries an extreme impact. Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable” (Taleb, 2010, p.xxii). In an earlier paper (Fineberg, 2012), I described the impact of Black Swans on the Continuity Of Operations Planning (COOP), but Black-Swan risks extend to all corners of cyberspace, and the susceptibility to concocting post factum explanations without accounting for the extreme nature of these events represents a persistent cognitive bias.
Philosophically, Taleb attributes Black Swans to Platonicity defined by him as the human propensity for categorizing data and substituting complex reality with its models. Platonicity misleads people to “mistake the map for the territory, to focus on pure and well-defined ‘forms,’ whether objects, like triangles, or social notions” (p.xxix). While “these intellectual maps of reality are not always wrong,” the greatest danger is in the Platonic Fold, “the explosive boundary where the Platonic mindset enters in contact with messy reality, where the gap between what you know and what you think you know becomes dangerously wide. It is here that the Black Swan is produced” (p.xxx).
From this perspective, Behavioral Economics bridge the Platonic Fold between the pure, well-defined models of standard economics and the messy reality of the human psyche. Likewise, Behavioral Economics of Cybersecurity (BEC) bridge the Platonic Fold between the theoretical principles of cyberspace and the messy reality of the cyberhuman, its most susceptible link. Figure 4 illustrates the Platonic Fold concept and the roles of BE and BEC in bridging it.
Figure 4. Platonic Fold of the marketplace and cyberspace
The significance of BEC is in reducing the potential for Black Swans of cyberspace.
7 Conclusion
Behavioral Economics experiments have firmly established that people exhibit common biases in their judgment and decision making and persistently violate assumptions of the rational actor model. Yet, cyber strategies, policies and risk management guidance are still geared towards rational cyberactors. This paper proposes to incorporate BE findings into the realm of cybersecurity by creating a new framework called BEC.
The paper demonstrates how the BEC framework can be integrated into the current NIST’s Risk Management Framework and how it can be structured as a matrix of cyber actors (Users, Defenders, Attackers) and security services (Confidentiality, Integrity, Availability). Examples of the BEC applicability are provided. The awareness and mitigation developed within BEC would smooth Taleb’s Platonic Fold between the theory and practice of a human in cyberspace and mitigate the risk of future Black Swans.
8 Acknowledgment
The author greatly appreciates the comments provided by Yeva F. Byzek, David R. Harris, Alicia M. Martin, and John A. Wasko.
10 References
Amoroso, E. (2010). Cyber attacks: Protecting national infrastructure. Burlington, MA: Butterworth-Heinemann.
Ariely, D. (2012). The (honest) truth about dishonesty: How we lie to everyone—especially ourselves. New York, NY: HarperCollins Publishers.
Bodie, Z. & Taqqu, R. (2011). Risk less and prosper: Your guide to safer investing. Indianapolis, IN: John Wiley & Sons.
Fineberg, V. (2012). COOP hardening against Black Swans. The Business Continuity and Resiliency Journal. 3Q.http://www.businesscontinuityjournal.com/.
IATF Rel 3. (2000). Information Assurance Technical Framework. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA393328.
(ISC)2®. (2010). Official (ISC)2® guide to the CI SSP® CBK. Second Edition. H. F. Tipton, Editor. Boca Raton, FL : Auerbach Publications.
Nichols, R.K., Ryan, D. J., & Ryan, J. C. H. (2000). Defending your digital assets against hackers, crackers, spies & thieves. New York, NY: McGraw-Hill.
NIST SP 800-30 Rev. 1. (2012). Guide for conducting risk assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf.
NIST SP 800-39. (2011). Managing information security risk. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.
Taleb, N. N. (2010). The Black Swan: The Impact of the Highly Improbable. New York, NY: Random House.
Tversky, A. & Kahneman, D. (1974). Judgment under uncertainty: Heuristics and biases. Science, New Series, 185(4157), pp. 1124-1131.
Zachman, J. A. (1997). Concepts of the framework for enterprise architecture: Background, description and utility. Zachman International. Retrieved from http://www.ies.aust.com/PDF-papers/zachman3.pdf.