Effective Decision-Making Creates Sustainable Cybersecurity Solutions!

--

To design sustainable cybersecurity solutions, it’s better to organize your decision-making steps.

Just what does sustainable cybersecurity design look like? Rajat Mohanty, CEO of Paladion, High Speed Cyber Defense, answers that successful design thinking begins with empathy for the end-user, focuses on the solution more than the problem, and must include iteration. He emphasizes the human factor, noting that about 90% of security breaches are due to human error or negligence, and adds that understanding users’ situations and environments is essential for designers to develop solutions that maximize compliance. (How Design Thinking Can Change Cybersecurity, Forbes, May 22, 2018).

After this initial phase, you must help your stakeholders design solution options and decide which one to implement. But to make decisions, where do you start? It’s better to employ several best practices, such as the PrOACT steps (Smart Choices, Hammond, Keeney, Raiffa, 2002). Laying out options and evaluating their pros and cons drives design decisions that achieve both short-term and long-term cybersecurity goals.

Cybersecurity tends to focus on technically driven, short-term solutions for sudden, acute problems like data breaches. While fixing the immediate vulnerability is a priority, it may not provide future defense. To achieve sustainable cybersecurity, it’s better to organize your decision-making steps as follows:

  1. Problem — Look beyond the symptoms of the problem and identify its root cause.
  2. Objectives — What are they exactly, both the near-term and the far-term? Identify every stakeholder, and in close collaboration with them, identify their goals and concerns. Determine your objectives based on these exchanges. To encourage your stakeholders to participate, come to agreement with them on the objectives and the desired outcomes.
  3. Alternatives — Setting aside judgement, constraints, and objections, list the solution options you and your stakeholders arrive at together that will eliminate nothing short of the problem’s root cause.
  4. Consequences — Now rank your comprehensive list of choices in a table against the set objectives and assign a value to each. What are the pros and cons of each? Which factors matter most in the decision-making process?

Because uncertainty looms large in cybersecurity, risk management is essential. Again, use a table to weigh threats against benefits, and chances of loss against chances of a win. What are the uncertainties? What are the possible outcomes? How likely are they to occur?

To assess risk levels, weigh the likelihood of occurrence and impact for each alternative. Balance negative risks against positive ones. Which should be addressed first? Those producing adverse effects that will have the greatest impact and are more likely to occur (From Problem Solving to Solution Design, Campos and Campos, 2018), such as Problem 2 in this table:

TABLE 1 — Problem Solution Prioritization (Risk = Likelihood x Impact)

Making every cybersecurity solution effective requires constant iteration because situations are ever-changing and technology updates constantly.

So, given so many variables in a high-stakes game, Embedded-Knowledge employs several best practices as well as its unique I.D.E.A.S. Framework to create and sustain results-driven cybersecurity solutions.

--

J. Eduardo Campos, EMPA CISSP CPP Hogan Certified

Author | Speaker | Cybersecurity Advisor | Solution Designer

Designing human-centered solutions for complex problems. Recovering CISO and CSO. People first.