Behavioral economics dating
Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation.
In the absence of good data, decision makers must use something less than perfect to weigh the options: their judgment.
Having the mental model about what a cybersecurity program is supposed to do can be the difference between a thwarted attack and a significant breach.
Human judgment is often biased in predictably problematic ways.
In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary.
To leverage this, security professionals should explain cyber risk by using clear narratives that connect to risk areas that high-level decision makers are familiar with and already care deeply about.
For example, your company’s risk areas may include customer data loss as well as the regulatory costs and PR fallout that can affect the company’s reputation.