Professor of Cybersecurity Governance at Leiden University
Cybersecurity is unquantifiable. Are we having the right conversation?
Businesses currently thrive on quantitative thinking. Managers like numbers, and it is easy and efficient to base strategic decisions on data and quantified measures. Many cybersecurity approaches today align with this perspective: we calculate risks and use these calculations to prioritize interventions. However, research shows that quantification has drawbacks for cybersecurity. We often lack solid data, so making solid numerical predictions is challenging.
But what alternatives are there? How can we make decisions about the security of organizations without relying on numbers? One possible alternative is value-driven decision-making. The central idea of this approach is that boards must decide which key values drive their organization, security being one of them but not the only one. These values may sometimes come into tension with one another.
For instance, an organization that places great emphasis on security may become less open and more partitioned as a result. Resolving these tensions is not always easy, or even possible. But perhaps cyber-mature organizations need to accept the financial and organizational implications of the values they deem most important, even when incidents arise. Perhaps their strategy should be ‘value and explain’ instead of ‘quantify and explain’?
Bibi van den Berg will address the above issues in a stimulating talk and give a contemporary perspective on compliance and governance.