Reducing Cybersecurity Risk Information Asymmetry Phenomenon: A Prescriptive Approach to
Improving Cybersecurity Risk Perception
by
Edward John Marchewka, Jr.
A Dissertation Submitted to
School of Business and Management
at California Southern University
in Partial Fulfillment of the Requirements for the
Doctor of Business Administration
California Southern University
2022
Date of Defense: 07 March 2022
DocuSign Envelope ID: CCBDE6D7-BE3A-4C4B-BAC5-18BF1519AC76
Copyright Declaration
Copyrighting a document offers its originator a set of literary, artistic, and/or expressive rights,
including exclusive distribution privileges.
However, receipt of a submitted and approved dissertation shall result in the inclusion and
publication of the document by the University Library at California Southern University. As
such, each student grants the University a limited, non-exclusive, royalty-free license to
reproduce the student's work, in whole or in part, in the electronic form to be posted in the
University Library database and made available to the general public at no charge. The license
does not imply ownership of the copyright by the university; instead, this practice occurs to
support accreditation efforts, research communities, enhance intellectual inquiries, and
disseminate insights and findings.
The School of Business and Management at California Southern University requires dissertations
to be copyrighted via ProQuest’s registration service. ProQuest provides an efficient dissertation
archiving system registering the document with the Library of Congress. Further, ProQuest
allows the originator to retain the copyright as described at https://about.proquest.com/products-services/dissertations/submitting-dissertation-proquest.html.
Copyright
I consent to the following:
the inclusion and publication of the document by the University Library at California
Southern University, as stated;
submitting and archiving the dissertation using ProQuest; as stated above; and
acknowledge and understand my rights as a copyright holder under 17 U.S.C. §106
published at https://www.copyright.gov/title17/92chap1.html.
07 March 2022
Date
© 2022
Edward John Marchewka, Jr.
Approval Page
This applied dissertation was constructed and submitted by Edward John Marchewka, Jr. under
the direction of the committee listed below. It was submitted to the School of Business and
Management at California Southern University and approved in partial fulfillment of the
requirements for the degree of Doctor of Business Administration at California Southern
University.
John Hannon, DBA
Date
Committee Chair/Dissertation Mentor
Michael Morris, DBA
Date
Committee Member
Nichelle Manuel, DBA
Date
Committee Member
Steven Hess, PhD
Date
Reviewing Dean
3/7/2022
3/7/2022
3/8/2022
3/10/2022
Dedication
I dedicate this project to my family, who kept me motivated throughout the process. To my
wife, Becky Marchewka, who provided the air cover through the many, many nights of
homework, research, and writing, all while minding our three beautiful children, Natalie,
Connor, and Kyle, managing our household, and running remote learning for each of the children
while I worked on this project. I would be remiss if I did not acknowledge the time taken away
from playing on the floor with the children and other attention missed throughout this process,
and I am grateful for the lap sitting and those little hugs and smiles of understanding along the
way. I am looking forward to celebrating the finalization of this program with my amazing and
supportive family.
I would further like to dedicate this to my late grandmother, Sharon Gibbons, who
instilled the importance of education. She established the basis for my educational appetite as the
first person to earn any college degree in our family. She pushed each of her children and
grandchildren never to stop learning, and for that, I am grateful. I know she would be proud and
supportive of this endeavor.
Acknowledgments
Dr. Hannon, thank you for your guidance and taking my calls whenever I called you. I
appreciated your candor and direct approach to the dissertation process. I appreciated the
sometimes lengthy discussions we had working through various aspects of the paper. Your
experience as a chair is shown throughout the process. It has been a privilege working with you
for these past several months.
I would like to thank my committee members, Dr. Morris, Dr. Hess, and Dr. Manuel, for
their feedback throughout this process. Dr. Morris, I appreciated your detailed feedback on APA
and for keeping me honest throughout the process. Dr. Hess, your detailed direction on statistics
was not lost on me and appreciated. Dr. Manuel, I appreciate your willingness to participate as a
peer, colleague, and friend. I look forward to continuing to work with you on other projects.
I would be remiss if I did not thank my survey participants, who took time out of their
busy days to complete it. I further want to thank everyone who liked, shared, and commented on
my persistent LinkedIn posts virtually begging for survey participants.
Abstract
Cybersecurity remains a global problem, with several trillion dollars per year in stolen money
and time. The decisions to protect organizations from cybersecurity risks lie with senior
executives and board members. The continued increase in cybercrime indicates that senior
business leaders are not adequately addressing cybersecurity risks. Difficulty understanding the
risks, caused by information asymmetry and compounded by an affective response, may be one
reason for the lack of action on cybersecurity risks. Prior research indicated that speaking in
business terms is required to communicate better with business leaders; however, a prescriptive
approach is not present in the literature. Several general recommendations exist, but none is
immediately actionable. This quantitative study attempted to provide a prescriptive approach to
communicating cybersecurity risk by measuring the risk perception of group one, senior executives
and board members (n = 93), and group two, senior cybersecurity leaders (n = 108), when using a
tactical metrics presentation format and an aggregated metrics presentation format. The results
showed a strong positive correlation between the tactical and aggregated presentation formats
for both group one (ρ = 0.866, p < .001) and group two (r = 0.869, p < .001). However, there was
no change in risk perception between formats in either group one (z = -0.205, p = .837) or
group two (t(107) = -0.102, p = .919). The results indicate that the presentation format elicits the
same amount of perceived risk and that either format may be appropriate when delivering
the cybersecurity message.
Table of Contents
Chapter 1: Introduction ................................................................................................................... 1
Background of the Problem ......................................................................................................... 2
Problem Statement ...................................................................................................................... 4
Purpose Statement ....................................................................................................................... 5
Nature of the Study ..................................................................................................................... 5
Research Questions ..................................................................................................................... 6
Hypotheses .................................................................................................................................. 7
Conceptual Framework ............................................................................................................... 7
Operational Definitions ............................................................................................................... 8
Assumptions, Limitations, and Delimitations ............................................................................. 9
Contribution to Practice or Stakeholder Groups ....................................................................... 11
Summary ................................................................................................................................... 12
Chapter 2: Literature Review ........................................................................................................ 13
Information Asymmetry ............................................................................................................ 14
Affect Heuristic ......................................................................................................................... 25
Risk Scoring .............................................................................................................................. 38
Conclusion and Summary of Findings ...................................................................................... 43
Chapter 3: Methodology ............................................................................................................... 45
Research Design ........................................................................................................................ 45
Research Questions ................................................................................................................... 46
Operational Definitions of Variables ........................................................................................ 47
Hypotheses ................................................................................................................................ 48
Population and Sample .............................................................................................................. 48
Role of the Researcher .............................................................................................................. 49
Geographical or Virtual Location.............................................................................................. 49
Procedure ................................................................................................................................... 50
Instrumentation .......................................................................................................................... 50
Data Collection .......................................................................................................................... 52
Data Analysis ............................................................................................................................ 53
Informed Consent Process and Ethical Concerns ..................................................................... 55
Trustworthiness of the Study ..................................................................................................... 57
Summary ................................................................................................................................... 57
Chapter 4: Results ......................................................................................................................... 58
General Description of Participants .......................................................................................... 58
Unit of Analysis and Measurement ........................................................................................... 59
Sample Size ............................................................................................................................... 60
Pilot Testing .............................................................................................................................. 60
Data Collection .......................................................................................................................... 61
Results of Hypothesis Tests ...................................................................................................... 61
Chapter 5: Concluding the Study .................................................................................................. 65
Summary of the Study ............................................................................................................... 65
Ethical Dimensions ................................................................................................................... 66
Overview of the Population and Sampling Method .................................................................. 66
Limitations ................................................................................................................................ 67
Results ....................................................................................................................................... 68
Reflection .................................................................................................................................. 70
Recommendations ..................................................................................................................... 72
Suggestions for Future Research ............................................................................................... 74
Concluding the Study ................................................................................................................ 74
References ..................................................................................................................................... 76
Appendix A: Tables ...................................................................................................................... 94
Appendix B: Figures ..................................................................................................................... 96
Appendix C: Instrument ................................................................................................................ 99
Appendix D: Consent Form ........................................................................................................ 115
Appendix E: Site Permissions ..................................................................................................... 117
Appendix F: IRB Approvals ....................................................................................................... 118
List of Tables
Respondents by Functional Role .................................................................................................. 94
Respondents by Gender ................................................................................................................ 94
Respondents by Sector .................................................................................................................. 95
Respondents by Metropolitan Area .............................................................................................. 95
List of Figures
G*Power output for sample size calculation – non-parametric .................................................... 96
G*Power output for sample size calculation – parametric ........................................................... 97
Output for Industry Represented ................................................................................................... 98
Chapter 1: Introduction
Cybersecurity breaches are not a question of “if?” but “when?” (Karanja & Rosso, 2017).
Cybersecurity risks are emerging and continue to climb toward becoming the most
important kind of business risk, yet many organizations lack proper strategies and models
for managing them (Carfora et al., 2019; De Smidt & Botzen, 2018). The
recommendation from several researchers is for cybersecurity leaders to discuss cybersecurity
risks in terms the business understands (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et
al., 2019; Islam et al., 2018; Rothrock et al., 2018; Weill et al., 2019). However, these
recommendations stop short of defining what “terms the business understands” means, whether
through examples or other prescriptive and actionable means.
De Smidt and Botzen (2018) state that creating a means for colleague and inter-
organizational discussions may increase risk awareness and influence the importance of
cybersecurity risk. Additionally, De Smidt and Botzen (2018) call out that research should be
done on communication techniques to improve awareness and perception of cybersecurity risks.
The study intended to evaluate a prescriptive approach to communicate cybersecurity risks in
terms the business understands to improve communications and, ultimately, resource allocation
towards those risks.
By providing an actionable approach, more organizations may be able to manage
cybersecurity risks better. Organizations can improve the perceived risk posture and improve
stock valuation through risk management, investment, and resource allocation (Deane et al.,
2019). Deane et al. (2019) focused on firms that attained and announced ISO 27001 certification;
however, ISO 27001 certification is not a prescriptive approach. ISO 27001 certification verifies
a process and does not verify a specific technique or effectiveness of a model for communicating
risk (Fitzgerald, 2018). The study intended to be specific with the language and evaluate the
change in risk perception when communicating cybersecurity risk.
Background of the Problem
Data breaches, cyber incidents, and ransomware events continue to plague companies and
individuals while making the nightly news. Such previously mentioned cybersecurity events are
recognized as a top business challenge (Deane et al., 2019). Bassett et al. (2020) reviewed
157,525 incidents, of which 3,950 resulted in a breach. While the incident and breach numbers
may seem high, these incidents and breaches are just the tip of the iceberg, as many incidents or
breaches remain quietly unreported. Wertheim (2019) attributes many incidents and breaches
to the sheer value of the information available to be stolen and sold, estimated at
$1.65 quintillion, and reports that criminals pursued that data at a rate of $3.1 trillion
in 2018. With data being valuable and the challenges with
prosecution, there is no reason for criminals not to go after the data (De Paoli et al., 2020;
Horsman, 2017).
Financial gain is a significant driver for criminals; however, criminal intentions
can also include information gathering and physical destruction (Slayton, 2018). A rising attack
vector is ransomware; some organizations pay the ransom, and others simply close shop (Pagura,
2020). Financial theft, through ransomware or other fraud, is not the only impact on
organizations. Other impacts include reputational losses and the cost of remediating losses
to victims (Krishna Viraja & Purandare, 2021). Additionally, regulators continue to impose
hefty fines across the healthcare community for violations of the Health Insurance Portability
and Accountability Act (HIPAA). Regardless of organizational size or industry vertical,
attackers are relentless in pursuing financial gain or other malfeasance (Slayton, 2018). In
post-event audits and after-action reports, the Office for Civil Rights has found that no risk
analysis was completed or, where an organization did complete one, that it was frequently
completed improperly (Pagura, 2020; United States Department of Health and Human Services,
Office for Civil Rights [US Dept. HHS, OCR] v. CHSPSC LLC, 2020; US Dept. HHS, OCR v. Premera
Blue Cross, 2020; US Dept. HHS, OCR v. The City of New Haven, 2020). Furthermore,
organizations that completed a risk analysis found that the actions taken to reduce the risk were
inadequate.
Caremark provides the guidance and precedent that the Board of Directors (board)
should be aware of organizational risks (In re Caremark Int'l Inc. Derivative Litigation, 1996).
Edwards (2019) explained that the courts have been hesitant to decide against organizations for
cybersecurity failures even with the Caremark standard. However, the settlement between Yahoo
and the Securities and Exchange Commission demonstrates that senior leaders should understand
environmental cybersecurity risks (Edwards, 2019). The Home Depot breach of 2014 and,
similarly, Stone v. Ritter (2006) establish that taking some action, even if not sufficient, limits
personal liability to the board (Edwards, 2019). A challenge that plaintiffs and defendants must
work through is determining the level of reasonableness for actions taken for cybersecurity, and
the determination happens through discussions with the board and executives (Edwards, 2019).
The discussions with the board and executives are when and where decisions are made
regarding cybersecurity risks (Sartawi, 2020). However, when the risks are not adequately
understood, decisions may not be made in the best light (Ganin et al., 2017). A source of the lack
of understanding is information asymmetry between cybersecurity professionals and boards and
executives (Sartawi, 2020; Sen, 2018; Shetty et al., 2018). The affect heuristic then exacerbates
the lack of understanding as decisions regarding unknown or poorly understood risks are often
emotional decisions (Van Schaik, 2020). With a goal of reducing the impacts to organizations
and customers, there is a clear need to convey cybersecurity risks that reduce emotional response
and drive better decision making (Zhang & Borden, 2019). A first step will be to present the
information in a manner that resonates with the board and executives, thus, reducing information
asymmetry.
Problem Statement
A problem exists in boardrooms and executive offices across industries and geographies
concerning actions to reduce cybersecurity risk. Although several scholarly sources have
stressed that better communication with the board is needed (Al-Moshaigeh et al., 2019; Anders,
2019; Gallagher et al., 2019; Islam et al., 2018; Rothrock et al., 2018; Weill et al., 2019), the
articles fall short of prescriptive direction on executing and delivering compelling
communications, and the problem continues. Such poor communication and lack of
understanding perpetuate an ineffective dialogue between cybersecurity professionals and
executives and the board, resulting in poor decision making and data breaches with an average
cost of $3.86 million (Ponemon Institute, 2020). Compliance is not necessarily the answer, as
the 2013 Target breach illustrated: Target sustained a breach despite maintaining
compliance with the cybersecurity requirements of the Payment Card Industry (Plachkinova &
Maurer, 2018). Confusing security with compliance results in incidents and breaches that
negatively affect organizations and the customers they serve through potential damage to property,
disruption of business operations, loss of sensitive data, negative impact on quality, and harm to
human life (Bassett et al., 2020; De Smidt & Botzen, 2018). Boards also need to understand
organizational risk under the Caremark (1996) ruling.
Beyond organizational risk is the risk of personal liability for boards and executives.
Boards and executives need to take proper action against those risks, as demonstrated in Stone v.
Ritter (2006). A possible cause of the problem is failure to present cybersecurity risks in an
understandable format resulting in poor decision making regarding cybersecurity risks. The
research investigated the impact of using aggregated risk metrics to communicate cybersecurity
risk and the subsequent environmental risk perception using a quantitative research method to
provide potential solutions (Rothrock et al., 2018). Through proper measurements and
quantification of risks, the board can evaluate the impact on the business (Rothrock et al., 2018).
Purpose Statement
The purpose of the quantitative study was to analyze the impact of aggregated
cybersecurity metrics on cybersecurity risk perception of board members and executive
leadership, and the senior-most cybersecurity leaders from multiple organizations. The senior-most
cybersecurity professionals may have job titles ranging from Manager to Chief Information
Security Officer (CISO), with responsibility for cybersecurity in their organization. The
targeted population was located primarily in the Greater Chicagoland area; however, because
the survey was online, some respondents may be from other metropolitan areas. The research effort
aimed to define a new approach to presenting cybersecurity risks to encourage better decision
making (Walpole & Wilson, 2021). Data were obtained via online surveys built in SurveyMonkey
and are housed within the California Southern University Office 365 environment as
comma-separated values (CSV) files.
Nature of the Study
The study utilized a survey based design to evaluate cybersecurity risk perception change
using a prescriptive aggregated scoring approach to communicating cybersecurity risks. The
researcher gathered data via surveys collected online with a survey built within SurveyMonkey.
Two vignettes were presented to the research participants to frame the context for the research
questions (Bhatia & Breaux, 2018; Budimir et al., 2021; Maguire et al., 2015; Parkin et al., 2021;
Walpole & Wilson, 2021). The researcher recognized that the use of aggregated metrics is
potentially novel and would most likely require training; two vignettes were used because of the
novelty of the format and the need to give participants a different perspective or a degree of
training. An acknowledged design element is that participants know the vignettes or scenarios
are not real; therefore, the vignettes must be realistic enough for participants to feel that the
information is close to real life (Parkin et al., 2021).
Participants answered a series of questions, used with permission (see Appendix E), drawn from
the “Final Items for the Subscales” (p. 11) presented by Walpole and Wilson (2021) to
evaluate perceived cyber risk. One vignette used traditional metrics, which tend to be technical;
an example of a technical metric is the percentage of systems scanned for vulnerabilities. The
second vignette presented a similar risk scenario but expressed the risks using the prescriptive
aggregated metrics approach proposed by Marchewka (2018; as cited in Fitzgerald, 2018).
Aggregated metrics are consolidated scores built from various factors, similar to a credit score
(Keskin et al., 2021). Both vignettes were evaluated with the same question set from Walpole
and Wilson (2021).
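To make the contrast between the two vignette formats concrete, the following Python is an added illustration of turning tactical metrics (such as the percentage of systems scanned) into a single credit-score-style aggregate. It is not the dissertation's own code and not the scoring method of Marchewka (2018) or Keskin et al. (2021), which the page does not reproduce; the metric names, weights, targets, the 300–850 band and the sample values are all assumptions chosen to mirror the credit-score analogy in the text.

```python
"""Added illustration: rolling tactical security metrics up into one aggregated score.

Hypothetical example, not code from the dissertation and not the scoring method
of Marchewka (2018) or Keskin et al. (2021). The metric names, weights, targets
and the 300-850 band are assumptions mirroring the credit-score analogy.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Metric:
    name: str
    weight: float            # relative importance (assumed)
    target: float            # value at which the control counts as fully met (assumed)
    higher_is_better: bool   # direction of "good" for this metric


SCORE_MIN, SCORE_MAX = 300, 850   # assumed band, mirroring a consumer credit score

# Assumed tactical metrics of the kind Chapter 1 calls technical, such as the
# percentage of systems scanned for vulnerabilities. Weights sum to 1.0.
METRICS: List[Metric] = [
    Metric("pct_systems_vuln_scanned", 0.25, 100.0, True),
    Metric("pct_critical_patched_30d", 0.30, 95.0, True),
    Metric("mean_days_to_patch_critical", 0.20, 14.0, False),
    Metric("pct_users_with_mfa", 0.25, 100.0, True),
]

# Constructed sample quarter, not real organizational data.
SAMPLE_QUARTER: Dict[str, float] = {
    "pct_systems_vuln_scanned": 90.0,
    "pct_critical_patched_30d": 76.0,
    "mean_days_to_patch_critical": 21.0,
    "pct_users_with_mfa": 100.0,
}


def normalize(metric: Metric, value: float) -> float:
    """Map a raw value to 0..1, where 1.0 means the target is met or beaten."""
    if metric.higher_is_better:
        return max(0.0, min(1.0, value / metric.target))
    # Lower is better: at or under target scores 1.0, then degrades linearly
    # to 0.0 once the value reaches twice the target.
    if value <= metric.target:
        return 1.0
    return max(0.0, 1.0 - (value - metric.target) / metric.target)


def aggregate(values: Dict[str, float],
              metrics: List[Metric] = METRICS) -> Tuple[int, Dict[str, float]]:
    """Return (aggregated score, per-metric normalized values).

    A metric absent from `values` is scored 0.0 (worst case) rather than
    dropped, so an unmeasured control cannot silently raise the score.
    """
    total_weight = sum(m.weight for m in metrics)
    detail: Dict[str, float] = {}
    weighted = 0.0
    for m in metrics:
        norm = normalize(m, values[m.name]) if m.name in values else 0.0
        detail[m.name] = norm
        weighted += m.weight * norm
    fraction = weighted / total_weight
    score = round(SCORE_MIN + fraction * (SCORE_MAX - SCORE_MIN))
    return score, detail


if __name__ == "__main__":
    score, detail = aggregate(SAMPLE_QUARTER)
    print(f"Aggregated cybersecurity risk score: {score} (of {SCORE_MAX})")
    for name, norm in detail.items():
        print(f"  {name:30s} {norm:.2f}")
```

The per-metric detail is kept alongside the single number so that a board member who asks "why 748?" can be walked back to the tactical metric that dragged the score down, which is the traceability a credit score also offers. Treating a missing metric as the worst case is a deliberate choice: an aggregate that quietly omits unmeasured controls would overstate the organization's posture.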
Research Questions
The study addressed the following research questions:
Research Question 1: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with board members and executive level
leadership?
Research Question 2: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with cybersecurity practitioners (i.e., CISOs)?
Hypotheses
The study tested the following hypotheses:
H01: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
Ha1: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
H02: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
Ha2: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
Conceptual Framework
Tactical metrics presentations appear to be the normative approach. For example, the
Performance Measurement Guide for Information Security (Chew et al., 2008) is a recognized
source but contains only tactical metrics. Wilamowski et al. (2017) evaluated authentication,
authorization, and accounting as a last line of defense for cybersecurity and proposed its
effectiveness for metrics. However, these metrics are overly tactical as they did not meet the
requirements of speaking in terms the board could understand, as shown as needed by Aiello and
Schneidermeyer (2016), Karanja and Rosso (2017), and Lanz (2017). Similarly, the Center for
Internet Security (2015) provides a comprehensive list of metrics; however, the list does not
demonstrate its business impact. Understanding how executives and the board perceive risks
given tactical information serves as a basis for the prescriptive approach to communicating
cybersecurity risk.
The experiences and knowledge of the individual impact risk perception (Finucane et al.,
2000; Nyre & Jaatun, 2013; Van Schaik et al., 2020; Wilson et al., 2018), and Walpole and
Wilson (2021) theorized that risk perception is a crucial part of risk decision making. A change
in perception may reduce the potential losses to organizations and customers depending on the
actions taken. These actions may include effectively allocating resources that are imperative to
any long-term goals of an organization (Beck et al., 2019). The research effort aimed to
determine if the aggregated risk metrics produce a difference in risk perception, which may
indicate that aggregated risk metrics reduce information asymmetry when communicating
cybersecurity risk (Garcia Perez et al., 2018; Wu et al., 2019).
Operational Definitions
Breach. “An incident that results in the confirmed disclosure—not just potential
exposure—of data to an unauthorized party” (Bassett et al., 2020, p. 4).
CISO. Chief Information Security Officer or most senior executive, director, or manager
responsible for cybersecurity (Karanja & Rosso, 2017).
Cybersecurity. The generic term encompasses network security, application security,
information security, and operational security (Sarker et al., 2020).
Incident. “A security event that compromises the integrity, confidentiality or availability
of an information asset” (Bassett et al., 2020, p. 4).
Ransomware. “A version of malware, is the term given to viruses that can render a
computer inaccessible until a fee, or ‘ransom,’ has been paid” (Slayton, 2018, p. 289).
Assumptions, Limitations, and Delimitations
Assumptions
According to Vogt and Johnson (2016), an assumption is “a statement that is presumed to
be true, often only temporarily or for a specific purpose, such as building a theory” (p. 22). A
general assumption regarding surveys is that people will answer them honestly; however, Orehek
et al. (2020) shared that sometimes there can be reservations regarding answering cybersecurity
questions honestly. The researcher assumed that research subjects would answer honestly
regarding their risk perceptions but recognized that the sensitive nature of the topic might also be
a limitation. With a sizeable potential survey pool, 180 surveys were needed to achieve a 90% confidence level and a 5% margin of error. The sample size was calculated using the Wilcoxon-Mann-Whitney (WMW) test for two groups in G*Power. The WMW test was chosen because it was unknown whether the results would be normally distributed; normality was tested with the Kolmogorov-Smirnov (KS) and Shapiro-Wilk (SW) tests to determine the most appropriate test for data analysis. As a cross-check, a two-tailed t-test of means on two groups was also calculated in G*Power with a statistical power of 90%, an effect size of 0.5, and an α of 0.05, which gave a sample size of 172. Erring on the side of caution, 180 participants was chosen as the minimum sample size. The G*Power output of both sample size calculations can be found in Appendix B. The researcher assumed that the required number of valid respondents was obtainable within the timeframe of the study.
Limitations
Theofanidis and Fountouki (2018) state that the limitations of a study are “potential
weaknesses” (p. 156) that the researcher cannot control and should address. Limitations may be
related to the design of the research, the statistical models, funding issues, or other external
factors that may affect the conclusions. A lack of familiarity with aggregated risk metrics may be a limitation, and it may be necessary to evaluate the cost, time, and energy of the training required to shift from a tactical presentation to the use of aggregated metrics. Nemec (2018) asked whether there is a return on investment (ROI) from training and found justification for spending resources on it. Devarakonda (2019) demonstrated that a trained team outperforms an untrained team. The vignettes may provide an element of training; however, they would not reach the depth expected from a complete onboarding to a new tool for explaining cybersecurity risk. Furthermore, the quantitative study could only indicate whether there was a difference in risk perception between presentation methods.
Delimitations
Delimitations are limitations set by the researcher to limit the scope of a project
(Theofanidis & Fountouki, 2018). Unlike a limitation, delimitations are within the control of the
researcher, which can include background theory, research objectives and questions, hypothesis,
survey questions, and survey population (Theofanidis & Fountouki, 2018). The survey link was
shared through several communication methods, including, but not limited to, various
LISTSERVs and social media. The reach of these communication methods is global; however,
the initially targeted respondents were from the Greater Chicagoland area. Beyond the qualifying
and demographic questions, the survey questions only used those from Walpole and Wilson
(2021) to maintain the validity and reliability of the survey instrument. The scope of the study
was delimited to the perception of cybersecurity risk and did not include the qualitative or
quantitative risk calculation method. The delimitation was chosen to focus on evaluating the
communication tool and not the risk calculation.
Contribution to Practice or Stakeholder Groups
Boards, executives, information technology (IT) leaders, and cybersecurity leaders should benefit from a study that demonstrates risk perception improvement using aggregated metrics.
Aiello and Schneidermeyer (2016) identified that board members must approach cybersecurity as
a part of enterprise risk management. The CISO must have the skills to communicate in business
terms not to lose the attention of the board (Aiello & Schneidermeyer, 2016; Karanja & Rosso,
2017; Lanz, 2017). The fact that prior research studies found that the CISO must effectively
communicate is the basis for the research effort, which intends to demonstrate a practical means
to communicate cybersecurity risk effectively. Effectively communicating will benefit
organizations as board members and executives will be informed to address the risks effectively.
Customers of an organization will also benefit from the reduced likelihood of a breach if
executives take steps to address risks adequately.
The research aimed to add to the current literature by comparing two methods of
communicating risk and determining if either method enables CISOs to speak the language to
business and improve the perception of risk (Walpole & Wilson, 2021). A prescriptive approach
is what the literature lacks. Karanja and Rosso (2017) discuss that the CISO must speak the
language of business or fall short of demonstrating how they impact the organization. Karanja
and Rosso (2017) provide a high level view by stating that the CISOs who have earned a
graduate degree in Business Administration (i.e., MBA) and specific certifications may better
speak to the business. However, the statement is vague and does not help an individual without a
similar background. A CISO can leverage personal experiences and use the research findings to
improve risk perception by providing a specific example or communication technique.
Summary
Chapter One introduced the problem of cybersecurity failings due to inefficiencies of
communications to the board and executives regarding cybersecurity risks. Inefficient and
inadequate communications result in diminished risk perceptions largely due to information
asymmetry between the CISO and the audience. Poor decisions are made because of the affect
heuristic and emotional decision making due to a lack of understanding. The purpose of the study
was to evaluate the impact of presenting information security risks in an aggregated form and the
impact on risk perception. If risk perceptions are changed based on the proposed approach,
functional changes in delivering cybersecurity risks could happen.
The remainder of the research project is organized in a series of chapters. Chapter 2 is a
literature review that reviewed pertinent topics within scholarly research surrounding
cybersecurity and risk management, along with decision making psychology. Through a
thorough evaluation of the scholarly literature, Chapter 2 identified research gaps as related to
the study topic. Chapter 3 presented the study research methodology, the participants, research
design, data collection methods, and study limitations. Chapter 4 analyzed the results and
presented them in light of the study research questions. Chapter 4 also identified any common
themes found within the data. Chapter 5 reviewed the study results and discussed the findings,
practical applications, and suggestions for further scholarly research.
Chapter 2: Literature Review
Throughout many relationships and experiences, there is often a difference in the amount
of knowledge one party has over the other (Bergh et al., 2019). An information gap is a positive
phenomenon in some situations, for instance, when visiting a physician. In other situations, the
difference in knowledge can cause issues, for example, between a car buyer and a dealer. The
described information gap is called information asymmetry and can cause issues in the
boardroom when information is not presented in a form the board understands and when the
board does not request the information (Wachnik, 2014). The relationship is not all bad if a board does not know everything, for the board's position is to govern the organization and not run it (Brennan et al., 2016). The job of running an organization is reserved for the executive team.
Information asymmetry can be overcome through communicating in terms the business
understands and avoiding technical jargon (Shayo & Lin, 2019). Conversely, the information
asymmetry gap can be exacerbated, leading to breakdowns in trust and perception of the value of
cybersecurity. Furthermore, the CISO reporting relationship can change due to the change in
perception, making matters worse (Karanja, 2017; Shayo & Lin, 2019). A strained relationship
due to poor understanding and perceptions can lead to poor decisions based on emotion instead
of cognitive processes.
Presenting information in a way that elicits positive feelings and comfort will reduce the
inherent threat posed by cybersecurity and allow the prefrontal cortex to process information.
Decision making based on emotion is an affect heuristic or an emotional shortcut (Finucane et
al., 2000). The affect heuristic is not a weakness but a natural response of humans in a fight or
flight scenario (Joseph et al., 2020). Incident and breach reporting was found to elicit an
emotional response, which can be used as an advantage; however, it must be used with caution
due to the negative correlation of fear to results in a cybersecurity context (Fordyce et al., 2018;
Nam, 2019; Renaud et al., 2021).
Evaluating risks in an environment is a challenge due to the immaturity of the cybersecurity profession and a lack of data in an environment that is constantly changing (Amin, 2019). Continuously collecting data is laborious, and approaches to providing such a program have been studied; however, the methods of communication were not discussed (Shetty et al., 2018).
The challenge to overcome is not necessarily the tool by which the risks are measured but rather
the path in which risk communication occurs. When the risks are communicated so that the
recipient can process them, they can be disarmed and receptive to the information. A receptive
recipient allows for the reduction in the affect heuristic, which then permits decision making to
happen through a cognitive response and not an emotional response.
Information Asymmetry
Wachnik (2014) and Bergh et al. (2019) defined information asymmetry as a situation
where one party has more information or details about a transaction than the other party. More
simply and in the context of the research effort, information asymmetry is the disparity between
what management knows and what the board knows (NACD, 2019). Information asymmetry is
not uncommon across diverse settings, including banking, initial public offerings, and mergers
and acquisitions (Bergh et al., 2019). A challenge in the information security space is the issue of the non-event. Often, cybersecurity is unobservable: nothing happened, or there is an element of uncertainty. This is an issue because it is the exact reason board members struggle to see the value of top executives such as a CISO (Bergh et al., 2019). Another challenge with information
asymmetry in the boardroom is that the board must remain abreast of current risks facing the
organization to make timely and sound decisions regarding risks in the environment; however,
the board must be told this information since they are not involved in the daily operations
(Brennan et al., 2016). The board needs to know about existing risks, risks that continue to exist,
and emerging threats as forecasted risks.
Cyber insurers, like boards, face two main information asymmetry problems: adverse selection and moral hazard (Shetty et al., 2018). Insurers are challenged with deciding what premium to charge due to adverse selection. Similarly, boards face challenges determining organizational risk priorities due to the same problem. Insurers face moral hazard because they cannot see the actions an organization takes after policy issuance, and the insured is not incentivized to implement cybersecurity risk mitigations once the policy is in place (Shetty et al., 2018). A board faces similar challenges because it needs to be told the actions a company has taken, and board meetings are spread out over the year.
Boards and insurers can reduce the information asymmetry disadvantages by
implementing processes to better understand the risks in the environment (Shetty et al., 2018).
The adverse selection problem can be reduced by better understanding a risk profile of an
organization, including a thorough risk assessment with physical and technical analyses (Shetty
et al., 2018). The challenge with the moral hazard problem is the need for continuous monitoring
and regular reporting. When an organization continually monitors its cyber risks and reports
those to insurers and the board, both interested parties are informed of the state of affairs and
actions taken to reduce the risks (Shetty et al., 2018).
The conceptualization of information asymmetry is not new in management research; however, it is spread out and has several different applications (Bergh et al., 2019). The different-information application applies to cybersecurity, whereby different parties receive different information. The idea may seem trivial, but acknowledgment by both parties is key to closing the information gap. Bergh et al. (2019) found that the different
information application of information asymmetry is found in many management areas,
including between top managers and subordinates, between managers and analysts, and, most
appropriately, in trust relationships. The board must trust their advisors and executives to
properly inform them as the board is not involved in day to day activities (Bergh et al., 2019).
The need for trust is seen in hidden information, and the application of information asymmetry depends on perspective. From the ex ante perspective, information may not be clear enough to secure the best resource position. Conversely, from the ex post perspective, information may be exaggerated or even withheld depending on the consequences or incentives (Bergh et al., 2019).
Information asymmetry can be leveraged as a mechanism or as an influence allowing one
party in the transaction to guide and steer thinking to pursue their interests. The board must ask
the right questions to ensure they understand the whole picture and the resources needed when
utilizing steering. When information asymmetry is viewed as a mechanism, all parties need to
heed their position in the transaction since one party can have significant power over the other
and may manipulate the less informed party (Bergh et al., 2019). While information asymmetry as a mechanism may be viewed negatively, there exists another theoretical model that applies to the research effort, and that is information asymmetry as an assumption (Bergh et al., 2019). When viewing information asymmetry as an assumption, there is a level of dependence between the parties, for example, the relationship between shareholders and top management (Bergh et al., 2019). The relationship between the board and management is similar, where a vigilant board is less exposed to threats and risk due to closing the information asymmetry gap (Bergh et al., 2019).
Uncertainty and unobservable qualities are not the only antecedents to information asymmetry. Structural barriers may be a cause, where no vehicle exists to disseminate information or there is no easy access to communicate and process information (Bergh et al., 2019).
Providing CISOs time in front of the board with ample time for explanation and questions may
be all that is needed to close the gap. Quite literally, allow the experts to explain the situation to
those that can provide the resources to reduce risks. Bergh et al. (2019) found that employees with specialized knowledge were not correctly leveraged because of structural barriers.
There may also be strategic or behavioral barriers whereby information is held back or pushed to
drive an agenda (Bergh et al., 2019).
Information asymmetry may not be bad for boards and may improve the effectiveness of
the board (Brennan et al., 2016). Brennan et al. (2016) called this the “information asymmetry
paradox” (p. 137), whereby the board must have a gap in knowledge of the operations of the
organization; otherwise, there would be no questions to ask at board meetings. Not asking questions does not imply that boards are ignorant but rather that organizational success depends on information being passed to the board and carefully considered (Brennan et al., 2016). To gain the correct information, board members must be more involved in their
organization and seek out the information they need to serve their primary roles of providing
advice and monitoring the decisions made by the highest levels of management (Brennan et al.,
2016). The need to ask questions creates the independence paradox where the board depends on
management for necessary information. Brennan et al. (2016) recognized that there are calls for
boards to understand a business fully and the risks the business faces, but that specific
information is not necessarily easily communicated. The solution proposed by Brennan et al. (2016) is that boards and management should embrace the information asymmetry paradox; however, it is not solved with more information but rather by managers presenting to boards, as explicit information, what would otherwise be implicit and inaccessible. In other words, speak in
terms the board understands, as it applies to the business, so they, as a collective board, can make
decisions, provide advice, and review the decisions of the management team.
The board must make decisions and execute sound direction; information is essential to
make said decisions. Bergh et al. (2019) found that parties must find the right partners that are
both willing and able to share information to reduce information asymmetry. Both parties must
be willing to receive information and provide ample information. The willingness to receive information is an element of adult learning theory that can be applied here, since many board members are not cybersecurity experts and will need to have topics explained (Merriam et al.,
2020). Another approach to resolving information asymmetry is through monitoring and
rewards, where a board will want to monitor top management to prevent concealment. However,
monitoring can be costly given the specialized cybersecurity knowledge (Bergh et al., 2019). The
language used to communicate can also be a factor. Rosenblum et al. (2020) found that explicit
language that was not politically correct can positively affect the audience, as the speaker is
viewed as more authentic and without an agenda when avoiding political correctness.
Authenticity can help build trust and the relationship with the board (Bergh et al., 2019).
Frank et al. (2019) found that providing information assurances helps to reduce information asymmetry. Assurances from third parties were perceived more favorably than information provided by management alone. The assurances helped reduce information asymmetry between management and investors and incentivized management to report truthfully (Frank et al., 2019). The same principle would apply to board members as they represent the investors. The assurances served as a tool for monitoring and verifying management decisions and actions
and reducing information asymmetry. Functionally, relaying the opinion of an auditor to investors or the board regarding the effectiveness of cybersecurity controls helped with understanding (Frank et al., 2019). The focus of the study by Frank et al. (2019) was whether shareholders would believe management regarding the state of cybersecurity if a cybersecurity event had previously been disclosed. Frank et al. (2019) concluded that shareholders believed management when an event had not occurred and that third-party assurance was needed if an event had occurred (Blum, 2020).
When a cybersecurity event occurs, investment markets notice the response by management (Havakhor et al., 2021). Analysts and investors lack the technical skills to understand the risks fully; however, they understand the implications of a cybersecurity incident. The Securities and Exchange Commission has requirements regarding incident and breach disclosure; however, there are no requirements around cybersecurity investment decisions. A benefit of closing the information asymmetry gap by understanding security risks, investing in cybersecurity, and disclosing such incidents is positive market reactions and reduced capital costs (Havakhor et al., 2021).
Caremark
Gathering information and managing the risks of an organization must be done at the whole-board level. The Caremark (1996) ruling clarified that directors must act in good faith to avoid director oversight liability, which further meant that the board must ensure that a reasonable reporting and information dissemination system exists. Stone (2006) took the Caremark (1996) ruling further, holding that where controls and information systems were in place, boards should be involved, because failure to monitor or review the operations introduced liability. Having a means to receive information that reduces information asymmetry is necessary to protect an organization and its directors from direct liability.
Veasey and Holland (2021) discuss the idea of Duty of Care further with the 2019
Delaware Supreme Court case of Marchand v. Barnhill. In Marchand, a listeria outbreak resulted
in a large scale recall of ice cream, the only product produced by Blue Bell Creameries USA,
Inc. The outbreak resulted in injury and death of consumers along with layoffs, fines, reputational damage, and production shutdowns. The court allowed the case to proceed under the Caremark standard because of the lack of board involvement in a critical organizational operation: there was no committee to oversee food safety, no process to discuss food safety, and no requirement for management to report on food safety to the board (Veasey & Holland, 2021). The parallel to cybersecurity is straightforward. Nearly all businesses are online and depend on technology for information transfer. Thus, following the precedent, all organizations must have at least a board committee to receive information regarding cybersecurity risks, there must be a process to discuss the risks, and management needs to be reporting risks to the board.
Technical Jargon versus Business Language
A challenge in reducing the information asymmetry is the language used by cybersecurity
experts when presenting to the executives and the board. Too often, tactical measures or metrics
are used to report to the board. Fitzgerald (2018) provides guidance for reporting to the board
with 39 suggestions, and not one is a technical metric. Fitzgerald (2018) specifically calls out
avoiding security jargon but emphasizes business relevant language and mainly speaking in
terms of money; however, that is one view.
Consumers of information security metrics do not want to receive meaningless or detailed
technical data (B & Carr, 2018). Consumers of metrics and cybersecurity reports want to know
where they stand compared to competitors, the financial impacts, capability, threats and
vulnerabilities, impact to the user, and third-party impacts (B & Carr, 2018; Fitzgerald, 2018).
These specifics are in line with what Couce-Vieira et al. (2020) reported and further supported
by calls for better communications with the board in business terms (Al-Moshaigeh et al., 2019;
Anders, 2019; Gallagher et al., 2019; Islam et al., 2018; Rothrock et al., 2018; Shayo & Lin,
2019; Weill et al., 2019). The challenge with the statement of “business terms” is that it is not
clearly defined in the literature.
Blum (2020) stated that boards want to know about the risks in a company and use “terms
such as lost revenue, delayed product delivery, breach recovery costs, opportunity costs,
competitive impairment” (pp. 151-152). For example, there is a focus on the financial aspect for
delayed product delivery, which has a cost factor; however, other factors may be impacted,
including customer experience and reputation. Wright (2019) contends that accounting, pure
dollars and cents, is not the only language of business. The business needs to embrace a language
and terms that move the business forward versus a point in time statement. Ramu (2021)
discusses an approach to reviewing metrics and business terms that move the organization
forward. The use of key performance indicators is encouraged, including financial terms and
business process terminology (Ramu, 2021). Rowe (1998) contends that there is no language of
business and that accounting and marketing are simply filling a void. Killian (2010)
demonstrated that using only the vernacular of accounting as the language of business was lost
on the receivers because both sides did not fully understand the language. A financially stable organization with cash reserves has the freedom to focus on its mission rather than on EBITDA. The language of the business will depend on the business and where it is at that moment.
CISO Reporting
Information asymmetry may be related to reporting structure. While the CISO may be a
management team member, they may not report to the CEO, and the ideal structure for reporting
remains unsettled (Karanja & Rosso, 2017; Shayo & Lin, 2019). When the CISO does not report to the CEO, cybersecurity management is further separated from the top levels of the organization, even though all areas of the business can be impacted (Karanja & Rosso, 2017). Karanja and Rosso (2017) found that most new CISO roles report to the CEO; however, when a CISO is replaced, most report to the CIO or another executive. The CISO reporting to the CIO may be due to the maturity of the organization (Marchewka, 2019, as cited in Fruhlinger, 2019; Shayo & Lin, 2019), or it may be that the generally technical nature of the role means the CIO is best placed to manage it. A reporting structure with the CISO under the
CIO may exacerbate the information asymmetry with the CEO and mask critical cybersecurity
issues (Karanja, 2017).
Additionally, the CISO reporting to the CIO may be a considerable error, given the
impact cybersecurity can have on a business. This relationship may also be overwhelming and
may create a conflict of interest for the CIO (Shayo & Lin, 2019). Many organizations still see cybersecurity as a technical problem, one that may be better understood by a technical executive. Regulations do not help separate technical deficiencies from risk either, since they focus solely on technical controls instead of risk management (Karanja, 2017). The value proposition may
also be part of the challenge. Members of the C-Suite view the role of the CISO to be that of
protecting brand and data, or more simply, reputation and confidentiality (Shayo & Lin, 2019).
The need for the CISO to be a technologist, strategist, advisor, and guardian is one of the
causes of the struggles of the CISO position (Maynard et al., 2018; Shayo & Lin, 2019). The
need for deep understanding is not unfounded at the C-suite. Technical expertise in a functional area is not uncommon and is warranted for a complementary organizational leader (Groysberg, 2014). The challenge with the CISO position is that it is a newer role, less than 30 years old, and
other executives do not have the technical background to close the gap. Also, the CISO has to
speak to their peers in the C-suite and their engineers to tactically effect change (Maynard et al.,
2018; Shayo & Lin, 2019). However, given the potential impacts to the business, cybersecurity is
a problem that should concern all staff, including the board (Shayo & Lin, 2019).
CISOs are often expert technologists with a myriad of backgrounds, but it is primarily the
technical expertise sought after (Hooper & McKissack, 2016). The desire for a technical expert
leads to communication challenges, especially for newly minted CISOs, as they do not have the
experience of communicating with other executives or the board. Hooper and McKissack (2016)
point out that the technical requirements are overwhelmingly sought after with disregard for the
ability to communicate in many circumstances. A technically focused recruiting philosophy is where the cycle continues, as does the need for CISOs to have a better means to communicate: 51% of CISOs reported that they were not sure their metrics adequately conveyed the effectiveness of their security risk management efforts (Hooper & McKissack, 2016).
Shayo and Lin (2019) researched how the CISO reporting was determined and the
reasoning behind that decision. Through analysis of interviews of 36 past CISOs and 3 CEOs,
four propositions were made by Shayo and Lin (2019):
1. CISOs that think strategically and can apply that strategic mentality by incorporating
security into the operating environment are placed at a higher level in the organization.
2. A CISO needs to manage the perceptions of the CEO by demonstrating an understanding
of the business and communicating how they will lead cybersecurity to be placed higher
in the organization.
3. A CISO will report to the CIO if they do not learn to speak the language of the business and only demonstrate technical abilities.
4. A CISO needs to demonstrate effective cybersecurity leadership by providing peace of
mind to stakeholders and showing tangible business outcomes for cybersecurity
investments to earn a seat at the table.
These four propositions support the need for a better way to communicate with
executives and the board for better success for the CISO and better organizational outcomes.
Improved organizational outcomes can be through lowering costs, product innovation, business
growth through efficiencies, or controlling costs (Karanja, 2017).
Trust
Trust has been found to be a vital part of business (Kohlhoffer-Mizser, 2019). To
establish trust, Kohlhoffer-Mizser (2019) defines trust as an equation with the combination of
credibility, reliability, intimacy, and self-orientation, as seen in (1).
$$\mathrm{Trust} = \frac{\mathrm{Credibility} + \mathrm{Reliability} + \mathrm{Intimacy}}{\mathrm{Self\text{-}Orientation}} \qquad (1)$$
Increasing the factors in the numerator and reducing self-orientation, the focus on individual goals in the denominator, increases trust. The relationship between people established through the trust equation is critical for achieving trust and security (Nurse et al., 2011). The trust equation ties into information asymmetry, as a relationship between information asymmetry and trust has been found (Nestle et al., 2019). Nestle et al. (2019) found that information asymmetry stifles a culture of innovation and that trust positively affects an open innovation culture. When a culture
of innovation exists, collaboration may happen, allowing a business to move forward rather than
stagnate.
Trust has been found to improve decision making because the information flow increases
and lowers transaction costs (Sriram, 2005). When trust exists, information asymmetry is
reduced through the increased information flow. More information moving between the parties
reduces the transaction cost in terms of time and money through better and faster decision
making (Sriram, 2005). To capitalize on these reduced costs, the receiver must trust the source;
otherwise, they are not likely to accurately perceive the risks, resulting in an incorrect estimation
of the risk (Nurse et al., 2011).
Affect Heuristic
Failure to communicate risks effectively results in executives and boards making
inappropriate risk decisions (Hooper & McKissack, 2016). A heuristic is one way people make
decisions through their mental shortcuts such as feelings or emotions. The affect heuristic is
when a person selects courses of action using emotions influenced by the stimulus of the
environment, experience, and reactions (Finucane et al., 2000; Gasper et al., 2019). Affect serves
as a source of information impacting the decision or judgment being made, and these feelings are
impacted by prior experiences (Peters et al., 2006). Affect also reduces mental complexity as it is
simpler to compare good and bad feelings than complex thoughts (Peters et al., 2006).
Furthermore, Peters et al. (2006) found that affect influences information processing and
behavior, where a negative or positive mood can motivate behavior and decision making.
Van Schaik et al. (2020) expanded on the study by Finucane et al. (2000), applied it specifically
to cybersecurity, and found that the affect heuristic is applicable in the cybersecurity space. The
applicability means that emotions come into play when the board or executives make poor
decisions without good information.
Wu, Zeng, and Wu (2018) found that poor decision making occurred for both known and
unknown risks, whereby participants in a flood scenario used the affect heuristic rather than
rational calculation. The use of emotion to react to risk situations is not uncommon but
biological, as a fight or flight response (Joseph et al., 2020). Machynska and Boiko (2020)
remind us that adult learners have a wealth of life experience and will draw conclusions based on
their experiences and the experiences and comments of others. Bridging from past experiences can
exacerbate the affect heuristic when content knowledge is lacking, which increases the potential
for incorrect conclusions when applying information to a current problem (Hooper & McKissack, 2016;
Machynska & Boiko, 2020).
The presentation of the risks is critical in reducing the affect heuristic. One technique
could be to present the risks in terms that the executives and board will understand. Another
technique presents the likelihood as either a probability or frequency (Wu, Zeng, & Wu, 2018).
Wu, Zeng, and Wu (2018) found that a risk presented in a 1-in-X format can be perceived as
higher than the same risk presented as a probability. Another factor in the presentation is the
relevancy of the risk impact. An adverse risk that seems to impact the individual is perceived as
higher than one that impacts someone else (Wu, Zeng, & Wu, 2018).
Researchers interested in affect have often asked if a neutral affective state exists, which
is different from numbness. Numbness is closer to shock or a coping mechanism (Gasper et al.,
2019). Several beliefs around neutral affective states exist in the research community:
1. People always have feelings; therefore, neutral affect does not exist.
2. If there is any valence state, the feeling of pleasantness or unpleasantness, then the
individual is not neutral. Moreover, neutrality is not a state because affect by its
nature must be positive or negative.
3. The feeling of being neutral is not part of the vernacular in the English language;
English speakers tend not to respond with neutral as an expression of feelings.
4. Neutral affect is not as prevalent in Western cultures as in Eastern cultures.
5. Neutral states of affect signal whether attention to a stimulus is needed (Gasper et al.,
2019).
The last belief has the most significant impact on the research effort, as the stimulus is part of the
problem the research effort seeks to address. Gasper et al. (2019) found that neutral affect might
signal that presented information is immediately met with two states, self-relevance and
sufficient understanding. Attention and an affective response result when the stimulus, such as
cybersecurity, is relevant and not understood. When the topic is not relevant or is sufficiently
understood, there is no affective reaction as attention is given to the stimulus (Gasper et al.,
2019). The reaction to an affective stimulus speaks to the need to deliver communications in
terms executives and board members understand, the language of the business, to close the
information asymmetry gap, and to make it relevant to them.
Incident and Breach Reporting
Related to affect are the general emotional responses to incident and breach reporting
when it occurs (Nam, 2019). Anecdotally, security professionals report that each time there is a
significant breach, leadership from the organization asks about preparations to ensure the
organization is not the next victim. Budimir et al. (2021) looked at the emotional response of 902
individuals in a cybersecurity breach scenario due to attacks coming at a higher frequency and
appearing to target specific companies and individual users. Essentially, cybersecurity is starting
to feel more personal, and it is taking a psychological toll on people (Budimir et al., 2021).
People with more intense emotional reactions (females and younger participants) and increased
aggressive reactions (males) tend to remain connected to a cybersecurity situation and its
negative implications (Budimir et al., 2021). The challenge with these groups is that the
experience is significantly emotional and does not allow them to react in a manner that leads to
resolution of the cause of the problem (Budimir et al., 2021). An emotional response can cause
problems in the boardroom and at the executive level if the underlying causes of a cybersecurity
event are misidentified and the focus is simply the vector. For example, if an individual clicked a link
that caused an incident, the individual may be retrained. While clicking a malicious link may be
a factor in the incident, the underlying cause is a lack of investment in defense in depth.
Fordyce et al. (2018) researched the fear response when changing passwords. Selecting a
new password was investigated along with the affect and stress responses and the cognitive effort to
perform the task. While Fordyce et al. (2018) elicited a fear and stress response to stimuli, there
was no change in the user response. Positive factors on password choice were cognitive load and
whether a breach incident had occurred. When a breach incident occurred, the respondents chose a
better password, which indicates that a response to breach notification exists and that people are
willing to take action on that knowledge (Fordyce et al., 2018).
Huang and Madnick (2020) shared two critical responses to limit the negative results
from a data breach. The first recommendation is to admit to the breach occurring and discuss
cybersecurity measures already in place. The second point is to make investments in
cybersecurity. Huang and Madnick (2020) illustrate the second point with the doubling of the
cybersecurity investment by JP Morgan Chase following a breach. A well planned response and
a plan for a cybersecurity event can be an opportunity for a company rather than a liability (Huang &
Madnick, 2020). The points from Huang and Madnick (2020) are drivers for the
research effort to ensure organizations are prepared and have a solid understanding of the risks
present in an organization.
Reducing Heuristics
Renaud et al. (2021) recognize that users must be more aware of connected devices in
an ever more connected world. With these connected devices, society, as a whole, must deal with
the risks of cyber criminals targeting these devices. Even though the users of these devices
outnumber the cyber criminals and the cybersecurity experts combined, the users' voices are
often drowned out. Renaud et al. (2021) contend that the end-users should be heard in a natural
conversation flow to limit social desirability bias, the inclination to underreport socially
objectionable thoughts and behaviors and overstate more desirable aspects (Latkin et al., 2017).
The aim of Renaud et al. (2021) was to understand how people experience cybersecurity, based on
the actual perceptions of end-users drawn from their own experiences. A challenge in a study on
perception is that all perceptions, such as the perceptions of cybersecurity, have an affective
reaction (Renaud et al., 2021). Perceptions influence attitudes towards a topic, and the affective
response must be understood to deliver communications regarding cybersecurity effectively.
Renaud et al. (2021) initially measured the response of the participants through an affective
response measurement tool, a sad-to-happy scale, and had indeterminate results. The differences
between the categories were not significant.
A second test in the study confirmed several issues regarding cybersecurity, including (a)
there is a general lack of awareness or knowledge around cybersecurity; (b) end-users want to
know how to behave to be safe; (c) a cyber attack can cause some level of harm; (d)
cybersecurity is a shared responsibility; (e) there exists a need to involve law enforcement; and
(f) there is some trade-off between usability and security. In a final test in the research, Renaud
et al. (2021) found that the mere mention of cybersecurity elicited negative emotions, and it is
hard to measure emotional response without changing it. These findings will help to form the
presentation of the research effort to limit negative responses.
Proactive cybersecurity capabilities are necessary to reduce the impact on profits.
Training, such as tabletop exercises, has been shown to be effective in developing skills to reduce the
impact of a cybersecurity event (Jalali, 2019). The reactions of experienced and inexperienced
managers are improved by reducing the use of emotions when making cybersecurity decisions
through proactive training (Jalali, 2019). Using fear based situations negatively affects decision-
making and should not be used to reduce the affect heuristic or force people into a decision (Van
Schaik et al., 2019).
Risk Perception
Risk perception is a driver of taking action (De Smidt & Botzen, 2018). De Smidt and
Botzen (2018) surveyed 1,891 professional decision makers and found that most were certain a
cyber attack was possible. However, 39.4% do not think they are a target, implying that most
decision makers think an attack will happen, but not to them. Further evaluation found that risk
awareness increased when the matter was discussed and decreased when risk discussions did not
occur. A change in risk awareness may result from availability heuristics and recency biases (De
Smidt & Botzen, 2018). Other influences of cyber risk beyond discussions with colleagues are
media reports and personal experience. Participants with a high degree of trust in the ability of
the organization to protect essential data were more likely to rate the possibility of a successful
attack as lower (De Smidt & Botzen, 2018). The study did not discuss the method of building
trust.
To protect their organizations, security professionals must work to improve the risk
perception and security posture of the organizations through threat modeling. Stevens et al.
(2018) utilized formalized threat modeling, the “structured approach to assessing risks and
developing plans to mitigate those risks” (Stevens et al., 2018, p. 622), to improve the self-
efficacy of staff and material benefits within the enterprise. During the study, as part of the
training, experiential learning theory was used to connect the learners to the material (Stevens et
al., 2018). Connecting the learning to the needs of the learner and explaining the purpose, or the
why, are tenets of adult learning (Merriam et al., 2020).
Immediately post training, the participants evaluated themselves as able to identify
and evaluate threats quickly and accurately. To evaluate the actual efficacy, Stevens et al. (2018)
had trained evaluators check the work of the participants and found that 22 of the 25 results were
accurate to the participants' responsibilities. The evaluators also found that the action plans were
sound. The researchers did knowledge checks at 30 days and 120 days post training. Stevens et
al. (2018) found that at the 120 day mark, the participant organization had implemented eight of
the new controls recommended through the threat modeling program, including securing
accounts, protecting physical network assets, implementing a bug bounty program, endpoint
detection and response platforms, protecting legacy systems, limiting data corruption, and reducing
human error. A lesson learned of interest to the research is that the participants
reported better communication experiences with leadership following the threat modeling
training. By implementing the recommendations proposed by the team, Stevens et al. (2018)
observed positive experiences, which is in line with the observations of Shreeve, Hallett,
Edwards, Anthonysamy, et al. (2021) that better discussions around risk yielded better results
during the simulation.
Parkin et al. (2021) identified that the perceptions of cybersecurity at the executive level
impact decision making, an under researched area. Much of the research in cybersecurity risk
perception was at lower levels in the organization, with security managers, and not focused on
executive level decision makers (Parkin et al., 2021). Decision makers may have errors in
judgment, often due to inadequate or incorrect risk perception, leading to an unbalanced response
resulting in an incorrect allocation of resources (Parkin et al., 2021). Errors in judgment
regarding risk may be due to affect, lack of experience, or the presentation (Al-Moshaigeh et al.,
2019; Anders, 2019; Gallagher et al., 2019; Islam et al., 2018; Kott & Arnold, 2013; Parkin et
al., 2021; Rothrock et al., 2018; Weill et al., 2019).
In the Parkin et al. (2021) study, the scenarios were presented in narrative format and escalated in
subsequent rounds. Parkin et al. (2021) asked the final 19 respondents a series of questions regarding
the scenarios, including rating the impact, selecting and ranking the business risks present in the
scenario, and assigning risk ownership. Executive decision makers focused on the resources and
strategy rather than risk mitigation, which speaks to the level of risk mitigation. However, with
the allocation of resources sitting at the executive level, the risk perception must be accurate. The
accuracy of risk perception raises the question of what techniques are needed to convey the risks to
allow for adequate evaluation and understanding. The presentation of the risks is what was missing from
Parkin et al. (2021). The research effort seeks to close the gap of presenting the risk such that
risk perceptions can elicit a proper response.
Nam (2019) investigated threat perception and the perceived preparedness for
cybersecurity and the determinants that influence these two perceptions. Drivers in cyber threat
perception are not necessarily fact based or evidence based but rather psychological reactions or
affect (Nam, 2019). Some of these reactions may be that the fear of random cyber victimization
correlates with a fear some people have of technology, which may be unjustified or exaggerated.
However, having experienced a security breach increases the risk perception and decreases
perceived trust in cybersecurity measures (Nam, 2019). The lack of trust following an incident
may be a roadblock to a sitting CISO; therefore, the trust must be established before an incident
happens. A means to improve the perception of threats is through awareness. Awareness raises
knowledge and the understanding of a threat that can take advantage of vulnerabilities in the
technology or through people via social engineering. The study results showed that the main
drivers of risk perception and cyber awareness are cognitive or experience factors and
psychological or affect factors. Considering these findings is needed in the research effort as the
experiences of the participants will drive their perceptions regardless of the presentation of
information.
Decision Making
Decision making, when broken down, is the process of choosing between two options
(Buelow et al., 2019). The research effort suggests that better communications reduce the
information asymmetry gap and the affect heuristic, and boards and executives make better
decisions. In simpler terms, the gut reaction is limited, which is what Buelow et al. (2019) sought
to test in their study. Buelow et al. (2019) sought to see if they could influence the gut reaction of the
participants. The study consisted of multiple tests using the Iowa Gambling Task, where
participants select cards from four decks with different risks and rewards. In the first test,
participants were challenged with making risk decisions while completing another memory task.
Buelow et al. (2019) found that the participants in the first group made slower and riskier
decisions. The second test took the results from the first and made adjustments based on the
memory capabilities of the participants. Buelow et al. (2019) found results similar to test one in
test two. In the third test, the researchers evaluated making fast decisions versus making the best
possible decision, resulting in an obvious outcome: with more time, the participants made a more
favorable decision. The decision was not necessarily better than that of the other group, in any case. The
fourth test manipulated the intertrial time and found no significant differences between
participants. The research results from Buelow et al. (2019) were that decision making varies and
that decision makers carefully consider instructions when given decision making tasks.
The implications of Buelow et al. (2019) on the research effort are that heuristics do
impact decision making, with some people making better quick decisions while other people
need additional time. The study can use these findings to influence the vignettes and, perhaps,
the amount of time allowed to answer the questions following the vignettes. The findings from
Buelow et al. (2019) indicate that participants made the better decision with more time, and with
the quick decision case, participants discovered the better path through a volume of trials. Due to
the limited number of trials with two vignettes, adjusting or controlling for time did work for the
research effort.
Another factor to consider regarding the decision making process is that executives and
board members are not making these decisions for themselves, but on behalf of the organization
they are charged with governing and managing. In general, people making risk based decisions
for others do not differ significantly from their own risk decisions (Batteux et al., 2019;
Polman & Wu, 2019). However, Batteux et al. (2019) found differences depending on the frame,
gain or loss, and the decision. The study reviewed three domains: financial, medical, and
interpersonal. The financial domain findings are the most analogous to the research effort given
the cybersecurity implications on an organization. Batteux et al. (2019) found that the self-other
differences regarding the gain frame were marginally significant, where participants took more
risk for others. That is, if a gain was probable, the participants took more risk. From the
opposite lens, if there was a possibility of a loss, no significant difference was found in the self-
other risk taking difference (Batteux et al., 2019). The risk aversion levels for board members
and executives are a factor to be considered based on the risk appetite of the organization. The
risk aversion variable is a challenge to control for in the research study. However, it is something
to consider when onboarding new executives and board members.
How board members and executives make decisions and set priorities is essential as the
decisions vary based on role. Board members are setting strategic priorities, and managers
allocate resources to serve the requirements of the organization (Shreeve, Hallett, Edwards,
Ramokapane, et al., 2020). Cybersecurity is not the only priority with these stakeholders due to
many other organizational priorities and operations decisions. Shreeve, Hallett, Edwards,
Ramokapane, et al. (2020) leveraged a game, Decisions & Disruptions, to be used in a study to
determine the effect of background on participant performance, the effect of diversity of
expertise, and if patterns exist in the decision making process around cybersecurity risks.
Throughout the various games played, participant background did not significantly impact
performance, nor did the diversity of expertise of the participants (Shreeve, Hallett, Edwards,
Ramokapane, et al., 2020). However, cybersecurity specialists went bust in the simulation,
bankrupting the fictional company, less often, but at the cost of suffering minor, less
damaging attacks more frequently. Each team made similar decisions regarding cybersecurity
risks, whereby they purchased the items they were most familiar with despite the risks presented
(Shreeve, Hallett, Edwards, Ramokapane, et al., 2020). Shreeve, Hallett, Edwards, Ramokapane,
et al. (2020) concluded that risk decision making needs a more systemic approach to decision
making as it applies to complex decisions like cybersecurity. The researchers also found that
context was more important than other variables, and having a broader view with tactical input
was important (Shreeve, Hallett, Edwards, Ramokapane, et al., 2020). Participants often confused
vulnerabilities and threats, and gauging these two concepts with a risk lens could benefit
organizations.
Shreeve, Hallett, Edwards, Anthonysamy, et al. (2021) sought to determine the risk
thinking and decision making processes by different demographics related to cybersecurity. Risk
falls into four categories: (a) known certainty, (b) known uncertainty, (c) unknowable
uncertainty, and (d) unknown uncertainty. Most cybersecurity decisions fall into the unknowable
uncertainty and unknown uncertainty categories, meaning it is difficult to account for every
situation and every consequence related to cybersecurity (Shreeve, Hallett, Edwards,
Anthonysamy, et al., 2021). The qualitative analysis found that the asset risk discussions were
less than 1% of the discussion. Teams discussed vulnerabilities of the organization and the
impact or threats at a much higher rate. During the study, which was game based, the risk was
discussed early but less so when reacting to attacks. Complex thinking, including considering past
decisions and other ideas around risk, was not used often. Instead, simple thinking most
often structured the risk decisions. The last observation was that teams tended to identify
risks first rather than considering the opportunity costs and impact on existing risks.
Shreeve, Hallett, Edwards, Anthonysamy, et al. (2021) call out that the tools and methods
for supporting risk decisions are varied, and they do not advocate for one or the other but
reviewed practical uses. Furthermore, as the research effort problem states, communication
around cybersecurity risks is a critical component in risk decision making. Shreeve, Hallett,
Edwards, Anthonysamy, et al. (2021) found that their participants discussed risks, but none used
numerical metrics. The background literature supports using numerical metrics, but that does not
always resonate with specific groups. Delivery of risk can impact risk perception. While Stevens
et al. (2018) found that risk perception can be affected, Shreeve, Hallett, Edwards,
Anthonysamy, et al. (2021) found that risk perception is not the aim.
The results of Shreeve, Hallett, Edwards, Anthonysamy, et al. (2021) indicate that there
are many ways to think about risks, particularly in the field of cybersecurity, since decision
makers are continually walking the line between the unknown and unknowable. Thinking about
risk and applying it to a broader scale, and not limiting thinking to the moment are needed.
Shreeve, Hallett, Edwards, Anthonysamy, et al. (2021) found that even the best performing
teams did not expand beyond simple risk thinking; however, the best performing team did have a
consistent approach to their risk thinking.
Ferri et al. (2021) looked at how a CEO’s perception of risk influenced technology
decisions by extending the technology assessment model to small and medium sized businesses.
Specifically, Ferri et al. (2021) reviewed the implementation of cloud technologies. While cloud
computing is not cybersecurity, some cybersecurity products and service providers are cloud
based. The connection of the research by Ferri et al. (2021) and the research effort is that the
perceived risks balanced with the perceived usefulness are critical factors when making decisions
regarding technology adoption. Showing that risks are a significant factor in CEO decision
making is key for service providers and technology developers. Explaining the risks to the CEOs
to fully understand and assess the risks is a gap in the literature. While there are studies that
evaluate operational, legal, technical, and other risks, the introduction of perceived risks is novel
(Ferri et al., 2021). The inclusion of perceived risks is in line with the research of Shreeve,
Hallett, Edwards, Anthonysamy, et al. (2021) and the attempt to understand the unknown and
unknowable. Risk perception negatively affected technology adoption, and technology was only adopted
when the potential usefulness outweighed the risks (Ferri et al., 2021). The finding of risk and
usefulness impacting a decision may be obvious, but the perceived risk is the differentiator. In an
online world, choices and decisions are based on risk perception rather than traditional risk
indicators (Ferri et al., 2021). Technical and operational risks have the most significant impact
on overall risk perception, and legal risk has a limited positive effect on risk perception (Ferri et
al., 2021). When formulating a model to explain risks and influence risk perception, many
factors must come into play, as suggested by Marchewka (2018; as cited in Fitzgerald, 2018).
Risk Scoring
Evaluating risks in an organization is a challenge due to the need for data to build models
and the desire to compare observed data against past results (Amin, 2019). However, the data to
build quantitative models in information security is lacking, and the half-life of cybersecurity
data is short due to the constant changes in the industry (Shetty et al., 2018). Shetty et al. (2018)
found that underwriters from the insurance industry lack sufficient data regarding cybersecurity
risk and the direct connection between cybersecurity incidents and financial losses are not well
established. Unlike property and casualty insurance, which has been around for hundreds of years along
with its data, cybersecurity as a profession and major field has only been
around for 26 years, based on the naming of Steve Katz as the first ever CISO
following the Citigroup breach of 1995. For example, many quantitative methods, such as FAIR,
Nexpose, and the methods outlined by Hubbard and Seiersen (2016), rely on trained estimations
using wide bands of possibilities to develop reasonable estimates (Roldán-Molina, 2017;
Wangen et al., 2017). Risk matrices and qualitative methods of assessing risks are not
necessarily any better and, at times, are worse than random guessing, so doing nothing may be
better (Cox, 2008).
In the risk assessment community, there are factions on the qualitative side and those on
the quantitative side (Wangen et al., 2017). The better solution may depend on the specific
situation. Quantitative assessment may serve better when a purely financial output is needed
(Wangen et al., 2017). A qualitative assessment may be needed to quickly identify the immediate
issues (Cox, 2008). A combined approach may be appropriate after determining what does and
does not need immediate attention (Cox, 2008).
Shetty et al. (2018) proposed that a new way to calculate cyber risk is needed to reduce
information disadvantages and developed the Cyber Risk Scoring and Mitigation (CRISM) tool
for the insurance industry to monitor the cybersecurity measures an organization implements and
maintains. The CRISM tool takes various organization inputs and outside information regarding
vulnerabilities. Shetty et al. (2018) suggest that the CRISM score could be used to prioritize
which cyber risks to mitigate. Part of the CRISM tool is the ability to continually
monitor a program, which is a challenge because of the number of resources needed to sustain
the necessary level of detail (Kott & Arnold, 2013).
Shetty et al. (2018) designed CRISM to address the following topics, identified by the
National Institute of Standards and Technology as requirements for a cyber risk assessment tool:
(a) automatic discovery of vulnerabilities; (b) lateral propagation analysis; (c) security metrics;
(d) prioritized mitigation plan; and (e) compliance with a cybersecurity framework. Several tools
in the industry were evaluated but did not address all of these requirements. CRISM is not a
singular tool; instead, it is a culmination of several tools to generate a score.
The score generated can be used to prioritize the risks; however, it does so by ranking the
vulnerabilities in the environment (Shetty et al., 2018), which falls short because addressing the
vulnerabilities may be cost prohibitive. Another approach to prioritization may need to include
the resources, time, people, and money to mitigate the vulnerability. These factors combined
with the risk score may develop a better prioritization. There are opportunities for research
identified by Shetty et al. (2018), as expected; however, there was no mention of the ability of
boards or insurers in their study to understand the results of the process. The ability of a recipient
of a risk score to understand and act on the information is the core of this study.
Cerin (2020), in line with the previous discussion of Shetty et al. (2018) and the
measurement challenges, found that continually measuring cyber risks in the environment is a
challenge for 46% of respondents of a survey of 340 IT and Governance, Risk, and Compliance
professionals. The survey also found that 35% of respondents continue to be challenged by
executives and boards' understanding of cyber risk (Cerin, 2020). With the challenges in
measuring cybersecurity risk and modeling that risk, it is no wonder that boards have challenges
with understanding the risks. The lack of understanding is a driver for this research effort.
Aggregation
The concept of aggregating risk metrics into an aggregated risk score is not foreign to
cybersecurity (Bodin, Gordon, & Loeb, 2005, 2008). Similarly, the idea of an aggregated risk
score is not lost in commerce and is common in the daily lives of most people through a credit
score calculation (Keskin et al., 2021). Aggregated scores are a tool to assist a decision maker
rather than replace a decision maker (Bodin, Gordon, & Loeb, 2005). Similarly, an underwriter
uses a credit score when a borrower applies for a home loan, whereby the underwriter considers
the credit score of an applicant as part of the complete application. Bodin, Gordon, and Loeb
(2005) explain that the aggregated score brings together the various factors that feed into making
a risk decision within the cybersecurity space. Risk decisions are complex and have many
variables (Bodin, Gordon, & Loeb, 2008). A limitation of both methods proposed by Bodin,
Gordon, and Loeb (2005, 2008) is that they are financially focused. As discussed, Wright (2019)
contends that accounting or finance is not the only language of business. Instead, the language of
business is how the business operates and the factors that influence the business. Accounting, or
dollars, impacts all businesses, but it is not the sole factor (Wright, 2019). Due to the lack of
specific business language, the research study used the weighting process proposed by
Marchewka (2018; as cited in Fitzgerald, 2018).
In a similar vein, Keskin et al. (2021) explored several means to perform risk scoring in
the cybersecurity space as applied to third party risk management. Managing the different
aspects of business can be difficult, and more organizations rely upon third party vendors to
provide services. These third party vendors can introduce risk to the environment as they hold
company information outside of the direct control of the originating company (Keskin et al.,
2021). Following the Target, Home Depot, RSA, and SolarWinds breaches, companies and
insurance companies have become reliant on the risk scores from various processes to make
better decisions on third party partners. A challenge with the different providers of third party
risk scoring is the proprietary nature of scoring methods and the differing interpretations that can
result from the different methods. Another challenge is the lack of consistency and reliability of
these risk scoring processes. The lack of consistency may send incorrect signals for leadership to
take appropriate action (Keskin et al., 2021). The research effort intends to use six categories for
explaining the risk posture of an organization rather than a single score, which is a weakness of
other methods for evaluating cybersecurity risk.
Finding the correct variables to describe risk can be a challenge, as found by Djeundje et
al. (2021). Credit risk evaluation has been around for decades, and the formulas to calculate
credit risk continue to be tweaked. The means and methods to determine cybersecurity risk have
been challenging insurance companies, actuaries, and organizations for the past 25 years since
the world has become more interconnected (Carfora et al., 2019). The purpose of credit scoring
methods is not dissimilar to the needs of cybersecurity professionals. The aggregated scores
allow those receiving the results to decide the economic impact of the decision made (Carfora et
al., 2019). A significant difference between the cyber world and the credit industry is the availability
of data for actuarial calculations (Carfora et al., 2019; Djeundje et al., 2021). Djeundje et al.
(2021) propose additional details and variables influencing credit worthiness and evaluations.
With the idea of influencing an established model, new ideas and methods to evaluate
cybersecurity risk should not be discounted but rather embraced.
Eling (2020) reviewed the literature to establish the prominence of cybersecurity risk
from a business and actuarial point of view and found little published work. Of the articles
found, several were either general or focused on worst case scenarios. Eling (2020) found that
while cybersecurity incidents affect the stock price, there were other costs such as reputational
damages within the literature. Reputation is one of the suggested aggregated metrics by
Marchewka (2018; as cited in Fitzgerald, 2018). Shareholder wealth, overall, was negatively
impacted when companies sustained a breach; however, the impact was less when the board paid
more attention to risk management before the attack (Eling, 2020). Having the board understand
the risks is critical. Throughout the literature, a consistent theme is that the challenges of building
models stem from the lack of data. Determining the likelihood and impact of cybersecurity
risks is often an informed guess, but the best guess and the effectiveness of countermeasures are
similar, partly because cybersecurity risk is human behavior risk (Eling, 2020). Finding a means to
understand the risks in an environment through a reasonable and understandable process is vital
to managing the risks in an environment and is the purpose of this research effort.
Conclusion and Summary of Findings
The literature review covered relevant factors that affect cybersecurity risk perception
and the psychological response of individuals, including executives and board members, on
cybersecurity information. Throughout the literature, the general reference to speaking in
business terms is never clearly defined, which presents a challenge for repeatable
implementation (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et al., 2019; Islam et al.,
2018; Rothrock et al., 2018; Shayo & Lin, 2019; Weill et al., 2019). However, a couple of
sources stated what business terms might not be (Wright, 2019) and that those with an MBA had
an advantage (Karanja, 2017). Nonetheless, these descriptions are still vague and have little
description of how to communicate or what methods or styles worked.
Overcoming the information asymmetry gap in the boardroom will help understand the
threat environment (Nam, 2019). By closing the gap through clear communication, directors can
meet the care, loyalty, and fiduciary duties required by Caremark and Stone (In re Caremark
Int'l Inc. Derivative Litigation, 1996; Stone v. Ritter, 2006). Closing the gap is not easy because
doing so requires overcoming inherent negative responses to cybersecurity, potentially
strained relationships, and challenges with risk scoring (Amin, 2019; Karanja, 2017; Nam, 2019;
Renaud et al., 2019; Shetty et al., 2018).
Chapter three outlines how a quantitative methodology will evaluate cybersecurity risk
perception by addressing the factors causing the information asymmetry gap and summarizing the
research questions. Chapter three presents the purpose of the study, the population, and the
sampling methods. Also discussed is the study methodology to collect and evaluate the data,
including participant recruitment, data collection techniques, and other potential challenges that
influenced study validity.
Chapter 3: Methodology
The purpose of this quantitative study is to statistically assess if the use of aggregated
cybersecurity risk metrics impacts the overall perception of risk at the board member and
executive level. The research effort statistically evaluated how risk perception differs when
aggregated cybersecurity risk metrics are used between cybersecurity practitioners and non-
cybersecurity leaders of the board and executive teams. Following a thorough review of the
literature, it is apparent that communication techniques are lacking between CISOs and those
accountable for securing their organizations, executives, and board members. Cybersecurity is a
global issue, and it is imperative to communicate cybersecurity risks effectively (Bassett et al.,
2020; Blum, 2020).
Research Design
The selected research design of the study is a quantitative approach. While some overlap
exists in the functions of a quantitative, qualitative, and mixed methods approach, a quantitative
approach allowed for the review of the relationships of the variables (Creswell & Creswell,
2018). Understanding and measuring risk perception and its influence on decisions has been a
challenge since the 1960s and 1970s (Wilson et al., 2018). The challenges with understanding
risk perception lie with the idea of risk response being emotional (Wilson et al., 2018). However,
Walpole and Wilson (2021) developed a valid and reliable instrument to quantitatively measure
risk perception across situations with different hazards and populations.
The study used a survey design leveraging cross sectional survey research to draw
inferences between risk perception and the method of presentation (Creswell & Creswell, 2018).
The standard approach of presenting risk metrics in a tactical form served as the basis, and the
aggregated metrics presentation format served as the treatment. The independent variable was
the communication method, tactical or aggregated metrics, and the dependent variable was the
risk perception. With this research design, evaluation of the first research question and first
hypothesis occurred. The descriptive questions from the survey and the risk perception results
allowed for the evaluation of the responses for the second research question.
A pure experimental design does not fit this research effort due to the lack of time as an
element of the study. Also, there is no intent to have a control group and a treatment group as
expected with an experimental design (Creswell & Creswell, 2018). The survey design is a more
robust approach to answering the research questions. Limiting the questions was necessary, as
found by de Smidt and Botzen (2018), due to the busy schedules of the respondents. To obtain
the large number of necessary responses, the required number of questions must be limited. The
weakness of this approach is that it limits the number of relationships that can be studied. A strength of the
survey design is the low cost approach to reaching a large number of respondents from the
population base to infer correlation about the use of aggregated metrics. In keeping with the low cost
theme, the study used an internet survey, which allows quicker data collection than
interview based approaches.
Research Questions
The study addressed the following research questions:
Research Question 1: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with board members and executive level
leadership?
Research Question 2: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with cybersecurity practitioners (i.e., CISOs)?
Operational Definitions of Variables
For the first hypothesis test, the independent variable (IV) is defined as the cybersecurity
risk presentation format. For the first hypothesis test, the dependent variable (DV) is defined as
the cybersecurity risk perception of board members and executive leadership and is measured by
the survey instrument developed by Walpole and Wilson (2021) using a Likert scale. The
dependent variable is an ordinal level of measurement with more than four categories; however,
the DV was analyzed at the interval measurement scale (Boone & Boone, 2012), and the variable
type is continuous. A test for normality was conducted using Kolmogorov-Smirnov (KS) and Shapiro-Wilk (SW) tests to determine the
most appropriate method to test the hypothesis. If normality was found, then the DV satisfies the
assumptions of the two tailed t-test because it is continuous, population variance is equal,
independence is maintained, and the sample is random. If the results failed the test for normal
distribution, then the Wilcoxon Signed-Rank (WSR) test was used to test the hypothesis.
For the second hypothesis test, the IV is defined as cybersecurity risk presentation
format. For the second hypothesis test, the DV is defined as the cybersecurity risk perception of
cybersecurity practitioners and is measured by the survey instrument developed by Walpole and
Wilson (2021) using a Likert scale. The dependent variable is an ordinal level of measurement
with more than four categories; however, the DV was analyzed at the interval measurement
scale, and the variable type is continuous (Boone & Boone, 2012). A test for normality was
conducted using KS and SW tests to determine the most appropriate method to test the
hypothesis. If normality was found, then the DV satisfies the assumptions of the two tailed t-test
because it is continuous, population variance is equal, independence is maintained, and the
sample is random. If the results fail the test for normality, then the WSR test was used to test the
hypothesis.
Hypotheses
The study tested the following hypotheses:
H01: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
Ha1: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
H02: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
Ha2: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
Population and Sample
The research effort surveyed board members, executive leadership, and the senior most
cybersecurity leaders from multiple organizations with job titles ranging from Manager to CISO,
targeting individuals with a given responsibility for cybersecurity in their organization.
Participants were primarily sourced from the Greater Chicagoland area; however, some
respondents were from other metro areas due to their continued membership in groups affiliated
with the Greater Chicagoland area. With cybersecurity affecting every industry and organizations of every
size, industry and organization size were not qualifying factors (Ponemon, 2020). Due to
the global nature of cybersecurity, additional responses outside the Greater Chicagoland area are
not viewed as problematic and did not negatively impact the results.
Participants were sourced from several CISO groups, social media, and targeted lists
within the survey platform, including membership from several industries and companies
ranging in size. Using G*Power, the number of participants required from each group, CISO and
Senior Leadership, is 90 for a total of 180 responses (Faul et al., 2009). The sample size was
calculated for a two tailed Wilcoxon-Mann-Whitney (WMW) test using a
statistical power threshold of 90%, an effect size of 0.5, and an α of 0.05. The G*Power output is
in Appendix B. The 180 needed responses did not differ significantly from the 172 responses
needed assuming the responses would be normally distributed. A test for normal distribution was
conducted before data analysis.
Role of the Researcher
The role of the researcher was to solicit responses to the survey, address questions or
concerns regarding the survey, and analyze the data once the survey closes. The wide net for the
solicitation of the survey limited the biases of the surveys collected. Some of the participants
may be familiar with the prior work of the researcher; however, due to the broad and national
reach of the groups selected, the impact of backyard research is limited (Creswell & Creswell,
2018). The researcher of the study was not directly involved with the participants because of the
design of the study.
Geographical or Virtual Location
Cybersecurity is a global issue; therefore, the participants were not limited to a singular
geography. However, the groups used to disseminate the survey have a primary audience of the
United States (US). Participants were qualified through a survey question as the senior most
person in their organization responsible for cybersecurity, senior most executives, and board
members. Due to the internet based survey, respondents needed access to the survey, which was
not an issue because the dissemination method was electronic, primarily through email.
Procedure
The data for the research effort was collected via a survey using SurveyMonkey.
Participants were recruited through various CISO and information technology groups with which
the researcher is affiliated, with membership lists in the tens of thousands, and through social media
messages. The groups that were leveraged have a national reach across the United States.
However, one of the groups where the researcher has a significant personal reach and reputation
is local to the Chicago area due to the researcher’s prominence in the Chicago market as a
practitioner in the cybersecurity and information technology space.
Permission and consent were obtained through consistent communication efforts. Direct
communications and invitations provided: (a) the purpose of the study; (b) the study’s
procedures and duration; (c) any potential and foreseeable risks; (d) any potential discomforts
and benefits of participating in the research; (e) whether any steps/activities incurred during
participation are experimental; and (f) how confidentiality and privacy will be maintained. The
same information was presented to the participant and a digital consent marker upon entering the
survey. Failure to grant consent prevented the participant from moving forward with the research
effort. Data was obtained with an online survey and managed by the primary researcher within
SurveyMonkey. Afterward, the data will be housed within the California Southern University
Office 365 environment in comma separated values tables.
Instrumentation
The survey instrument for the study is available in Appendix C. The demographic
questions were adapted from De Smidt and Botzen (2018). The answer options were adjusted for
the study to reflect the role of the participant in their organization. De Smidt and Botzen (2018)
used six options for their original question 13, and the study reduced the options to two in
question D1 to reflect the groups being studied and serve as a qualifier question. The
Board/Senior management option was retained from the original De Smidt and Botzen (2018)
option. For question D3, a more comprehensive list of answers regarding the participants’
industry is used for better granularity, and question D4 was updated with current cultural options
for gender. Question D5 was added to understand the location of the pool of responses. The
questions for Affect, Exposure, Susceptibility, and Severity are five point Likert type question
and answer survey items (Boone & Boone, 2012) used with permission from Walpole and
Wilson (2021). The permission evidence is available in Appendix E. Several studies in the past
have attempted to measure risk perception (de Smidt & Botzen, 2018; Geil et al., 2018; Walpole
& Wilson, 2020; Williams et al., 2014; Wilson et al., 2018). However, the instrument developed
by Walpole and Wilson (2021) is valid and reliable and is designed to measure risk perception
across any risk hazard.
Walpole and Wilson (2021) developed an instrument with 13 questions across four topic
areas, Affect, Exposure, Susceptibility, and Severity, to measure risk perception. Each of the
answers to the questions was assigned a Likert value of one through five. The assigned values
are reflected in the survey instrument in Appendix C. SPSS was utilized to generate a composite
or summarized score for the risk perception for each vignette.
The instrument developed by Walpole and Wilson (2021) underwent confirmatory factor
analysis (CFA) to test validity (Atkinson et al., 2011; Miiro, 2020) for each question to
determine which question fit best in each of the four categories of Affect, Exposure,
Susceptibility, and Severity. For each category, Cronbach’s alpha was calculated with a result
greater than 0.85. Cronbach’s alpha for the entire instrument was calculated at 0.856. This
specific instrument has not been used extensively in prior research and is the result of continuous
adjustments by Walpole and Wilson and builds upon the work of Walpole and Wilson (2020)
and Ferrer et al. (2016).
Data Collection
Data was collected using SurveyMonkey following consent and generation of a Unique
Participant ID (UPID). Consent was gained through a website separate from the data collection
source. The consent site generated the UPID and stored the email collected from the participant
along with the UPID in a separate table from the survey results, ensuring that a participant can
opt out of the process and that a single participant can be identified through the
response data. Participants entered data about their demographics and then answered the entire
battery of risk perception questions for each vignette with the tactical cybersecurity risk metrics
presented, followed by the aggregated cybersecurity risk metrics.
Data collection took approximately one month due to the large number of respondents
necessary based on the calculation found previously. However, the data collection process could
have taken longer due to the busy nature of the potential targeted participants, CISOs, C-suite
executives, and board members. Instead, targeted and broad outreach to the proper groups
of potential respondents allowed for a larger number of responses to be quickly obtained. The
response rate depended on receiving an adequate number of responses from CISOs, senior
executives, and board members. A mix of respondents is necessary to address the research
questions. The questionnaire consisted of five demographic questions and 13 questions regarding
risk perception for each vignette, as shown in Appendix C, for 31 questions. The questions were
assigned values on a five point scale. To identify relationships between the vignettes and
organizational level, further analysis used a two-tailed t-test if normality was established using
KS and SW tests. The WSR test was used if normality was not found.
Data Analysis
This section provides the direction and details regarding how the data collected from the
online SurveyMonkey survey was analyzed. All qualified results were reviewed to address the
research questions and infer a statement about the population. Data analysis was limited to
fully completed surveys, surveys that took longer than one minute to complete, and survey
results from which the participant had not withdrawn. Data from completed surveys was
analyzed using SPSS.
Descriptive Statistics
Each vignette in the research effort contained 13 questions that utilize five point scale
Likert type answer options allowing for the DV to be a continuous variable. Constructing the
questions in a Likert type manner, combined with the number of questions, allows for the
analysis utilizing descriptive statistics from interval measurement scales by calculating a
composite score (Boone & Boone, 2012). A Likert scale was generated from the 13 Likert type
questions for each vignette to create a single composite score through the SPSS summary
function (Boone & Boone, 2012). Using a Likert scale composite score permitted the use of
interval data which allows for the analysis of the differences of the mean composite score
through a two tailed t-test (Boone & Boone, 2012). It was unknown if the sample would be
normally distributed. Until the results were gathered, the results were assumed not to be normally
distributed, and a minimum sample size of 180 was collected, with 90 respondents from each
group. One group is the CISO or senior most person responsible for cybersecurity, and the other
is Board members and senior management. A sample size of 180 does not differ significantly
from a sample size of 172 when assuming normality. Additional information collected from the
respondents includes organization size, business sector, gender, and geographic location.
Hypothesis Tests
The hypothesis tests to address the research questions are described below. To determine
the appropriate statistical test, a test for normality was conducted using KS and SW tests. If
normality was found using both KS and SW tests, a two-tailed t-test was used; otherwise, the
WSR test was used.
First Hypothesis Test
Hypothesis testing utilized SPSS. The following is a brief outline of the hypothesis test
requiring p < .05 for rejection of the null hypotheses:
H01: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
Ha1: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with board members and executives.
The results were tested using the SPSS summarized results from the answers to the 13
risk perception questions for each vignette. The p-value determined whether to reject the null
hypothesis, that is, whether there is a difference in the amount of perceived cybersecurity risk by board
members and executive leaders when presenting cybersecurity risks using technical
cybersecurity risk metrics and aggregated cybersecurity metrics.
Second Hypothesis Test
Hypothesis testing utilized SPSS. The following is a brief outline of the hypothesis test
requiring p < .05 for rejection of the null hypotheses:
H02: There is no difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
Ha2: There is a difference in the amount of perceived risk between the use of different
presentation formats for cybersecurity risk metrics with cybersecurity practitioners.
The results were tested using the SPSS summarized results from the answers to the 13
risk perception questions for each vignette. The p-value determined whether to reject the null
hypothesis, that is, whether there is a difference in the amount of perceived cybersecurity risk by
cybersecurity practitioners when cybersecurity risks are presented using technical
cybersecurity risk metrics and aggregated cybersecurity metrics.
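The analysis path described in this chapter (sum the 13 Likert answers per vignette into a composite score, pair each respondent's tactical and aggregated scores, and reject the null at p < .05) as an added Python illustration; this is not the study's SPSS procedure. Only the WSR branch is implemented, using the large-sample normal approximation with tie-corrected variance; the KS/SW normality screen and the t-test branch are left to a statistics package. The ten respondents' answers are constructed for the example.

```python
"""Composite Likert scoring followed by a paired Wilcoxon signed-rank (WSR) test.

Added illustration, not the study's own code. The KS/SW normality screen and the
t-test branch are not reproduced; the WSR branch uses the normal approximation.
All respondent data below is constructed.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence

ITEMS_PER_VIGNETTE = 13          # 13 risk perception questions per vignette
LIKERT_MIN, LIKERT_MAX = 1, 5    # five point scale


def composite_score(items: Sequence[int]) -> int:
    """Sum one respondent's 13 Likert answers for a vignette into a composite score."""
    if len(items) != ITEMS_PER_VIGNETTE:
        raise ValueError(f"expected {ITEMS_PER_VIGNETTE} answers, got {len(items)}")
    if any(v < LIKERT_MIN or v > LIKERT_MAX for v in items):
        raise ValueError("every answer must be coded 1 through 5")
    return sum(items)


def _average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks of `values`; tied values share the average of their rank positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg_rank = (i + j + 2) / 2           # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg_rank
        i = j + 1
    return ranks


@dataclass
class WsrResult:
    n: int            # pairs with a non-zero difference
    w_plus: float     # rank sum of positive differences (aggregated > tactical)
    w_minus: float    # rank sum of negative differences
    z: float          # normal approximation statistic, tie-corrected variance
    p_value: float    # two-sided p-value


def wilcoxon_signed_rank(tactical: Sequence[int], aggregated: Sequence[int]) -> WsrResult:
    """Paired WSR test on composite scores: each respondent's aggregated score minus
    the tactical score. Zero differences are dropped, as in the standard procedure."""
    if len(tactical) != len(aggregated):
        raise ValueError("paired samples must have the same length")
    diffs = [a - t for t, a in zip(tactical, aggregated) if a != t]
    n = len(diffs)
    if n == 0:
        raise ValueError("no non-zero differences; the test is undefined")
    abs_diffs = [abs(d) for d in diffs]
    ranks = _average_ranks(abs_diffs)
    w_plus = sum(r for d, r in zip(diffs, ranks) if d > 0)
    w_minus = sum(r for d, r in zip(diffs, ranks) if d < 0)
    mean = n * (n + 1) / 4
    var = n * (n + 1) * (2 * n + 1) / 24
    for t in Counter(abs_diffs).values():     # tie correction on the variance
        if t > 1:
            var -= (t ** 3 - t) / 48
    z = (min(w_plus, w_minus) - mean) / math.sqrt(var)
    p_value = math.erfc(abs(z) / math.sqrt(2))   # two-sided standard normal tail
    return WsrResult(n, w_plus, w_minus, z, p_value)


def reject_null(p_value: float, alpha: float = 0.05) -> bool:
    """Decision rule from the chapter: reject H0 when p < .05."""
    return p_value < alpha


# Constructed answers for ten respondents of one group: 13 answers per vignette,
# tactical presentation first, aggregated presentation second.
TACTICAL_ANSWERS = [[3] * 13, [2] * 13, [4] * 13, [3] * 13, [3] * 13,
                    [2] * 13, [4] * 13, [3] * 13, [3] * 13, [2] * 13]
AGGREGATED_ANSWERS = [[3] * 10 + [4] * 3, [3] * 13, [4] * 12 + [3], [3] * 8 + [4] * 5,
                      [3] * 13, [2] * 9 + [4] * 4, [4] * 11 + [3] * 2, [4] * 6 + [3] * 7,
                      [3] * 9 + [4] * 4, [2] * 6 + [3] * 7]

TACTICAL_SCORES = [composite_score(a) for a in TACTICAL_ANSWERS]
AGGREGATED_SCORES = [composite_score(a) for a in AGGREGATED_ANSWERS]

if __name__ == "__main__":
    res = wilcoxon_signed_rank(TACTICAL_SCORES, AGGREGATED_SCORES)
    print(res, "reject H0:", reject_null(res.p_value))
```

With the constructed data, nine of the ten respondents score the aggregated vignette differently from the tactical one (one tie is dropped), the rank sums are W+ = 42 and W- = 3, and the two-sided p-value is about 0.021, so H0 would be rejected at α = .05. A real run would first apply the KS and SW screen to the paired differences and fall back to the paired t-test when normality holds.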
Informed Consent Process and Ethical Concerns
The primary concern regarding ethics is the requirements of maintaining participant
confidentiality and holding to legal requirements of research efforts (McGinn & Bosacki, 2004).
The researcher did not proceed without prior approval from the Institutional Review board per
California Southern University policy.
Informed Consent
All participants received an informed consent form, incorporating the essential elements
of informed consent per Bowen (2005), before beginning the survey and were not permitted to
move forward without acknowledging the online informed consent form. A copy of the informed
consent form is available in Appendix D and served as a cover letter and signature page for
consent (Bowen, 2005). A web based consent form was used whereby the participant entered
their email address and subsequently received, via email and on screen, a UPID, removing the
need for a separate consent form before the survey. All participants were given a proper e-mail
address, allowing them to ask questions during the survey process and to view the results of the
inquiry. The survey data shall remain anonymous, contain no identifying marks related to the
participant, and protect identifiers related to institutions, participants, or collaborative efforts.
Through the use of SurveyMonkey’s anonymous response option, each response maintains
anonymity. No contact information, name, e-mail address, or other identification marks shall
remain in a publicly accessible format. Likewise, no identifying phrases shall remain in the data
to ensure privacy during the feedback process.
Ethical Concerns
The strategy to deidentify the data is to use a separate system to generate the UPID, available at
https://upidgenerator.weebly.com/. Due to the automated nature of the process, the researcher did not need nor
have contact with the participants. The site contains the consent form that participants
acknowledged by entering their email address. After submitting their email and entering the
CAPTCHA, the participant received an on-screen prompt with their UPID. Participants were also
emailed the same information. Participants entered their UPID into SurveyMonkey to proceed.
Since the UPID generator and SurveyMonkey are separate systems, there is a minimal chance of
identifying participants. The primary researcher will have access to both systems to remove
participants as requested and ensure only consented participants complete the survey. The
researcher requires multi-factor authentication to access the system housing the emails and UPIDs, which are
stored in a HIPAA compliant database.
After collecting data, the database housing the UPIDs and email addresses will be
downloaded and stored in a password-protected file in the California Southern University Office
365 environment for five years. The survey results will be stored similarly after retrieving the
results from SurveyMonkey. Should participants request their results removed from the study,
they would notify the researcher to remove the results associated with the participant’s UPID
using the unenrollment form at https://upidgenerator.weebly.com/unenroll.html.
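The two-system UPID scheme described above, as an added Python illustration (not the study's UPID generator site or SurveyMonkey): the consent registry is the only place an email address is stored, the survey store keys responses by UPID alone and accepts one only for a UPID the registry knows, and a removal request deletes both records. The 12-character hex UPID format, the idempotent re-enrollment behaviour, and the sample addresses are assumptions.

```python
"""Consent registry and survey store as two separate systems linked only by a UPID.

Added illustration of the deidentification scheme; the real UPID site and
SurveyMonkey are not modelled. UPID format and sample data are assumptions.
"""
import re
import secrets
from typing import Callable, Dict, Optional

UPID_BYTES = 6  # 12 hex characters; assumed, the page does not state the format
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ConsentRegistry:
    """System 1: the only table that maps an email address to a UPID."""

    def __init__(self) -> None:
        self._by_email: Dict[str, str] = {}
        self._by_upid: Dict[str, str] = {}

    def enroll(self, email: str) -> str:
        """Record consent for an email and return its UPID. Re-enrolling the same
        address returns the existing UPID (an assumption; the page does not say)."""
        email = email.strip().lower()
        if not _EMAIL_RE.match(email):
            raise ValueError("a valid email address is required to record consent")
        if email in self._by_email:
            return self._by_email[email]
        upid = secrets.token_hex(UPID_BYTES)
        while upid in self._by_upid:  # practically never, but keep UPIDs unique
            upid = secrets.token_hex(UPID_BYTES)
        self._by_email[email] = upid
        self._by_upid[upid] = email
        return upid

    def is_enrolled(self, upid: str) -> bool:
        return upid in self._by_upid

    def withdraw(self, upid: str) -> bool:
        """Remove the email/UPID row; returns False if the UPID was unknown."""
        email = self._by_upid.pop(upid, None)
        if email is None:
            return False
        del self._by_email[email]
        return True


class SurveyStore:
    """System 2: responses keyed by UPID only; it never receives an email address."""

    def __init__(self, is_enrolled: Callable[[str], bool]) -> None:
        self._is_enrolled = is_enrolled   # the one link back to the registry
        self._responses: Dict[str, dict] = {}

    def submit(self, upid: str, answers: dict) -> None:
        """Store a response, but only for a consented UPID and only if no answer
        smuggles an email address into the survey table."""
        if not self._is_enrolled(upid):
            raise PermissionError("UPID not found in consent registry; response refused")
        if any("@" in str(v) for v in answers.values()):
            raise ValueError("survey answers must not carry email addresses")
        self._responses[upid] = dict(answers)

    def responses_for(self, upid: str) -> Optional[dict]:
        return self._responses.get(upid)

    def delete(self, upid: str) -> bool:
        return self._responses.pop(upid, None) is not None


def unenroll(registry: ConsentRegistry, survey: SurveyStore, upid: str) -> bool:
    """Honour a removal request: drop the consent row and the survey responses
    for the UPID. Returns False when neither system knew the UPID."""
    removed_consent = registry.withdraw(upid)
    removed_answers = survey.delete(upid)
    return removed_consent or removed_answers


if __name__ == "__main__":
    registry = ConsentRegistry()
    survey = SurveyStore(registry.is_enrolled)
    upid = registry.enroll("participant.one@example.com")  # constructed address
    survey.submit(upid, {"D1": "CISO", "affect_1": 4})
    print(upid, survey.responses_for(upid), unenroll(registry, survey, upid))
```

Because the survey store only ever learns the UPID, a leak of the response table alone reveals no identity; re-identification requires the registry as well, which is why the page keeps it behind multi-factor access in a separate system.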
Trustworthiness of the Study
In developing the survey instrument, Walpole and Wilson (2021) conducted CFA to
verify the validity of the instrument. Furthermore, Walpole and Wilson (2021) calculated an
acceptable Cronbach’s α = 0.856 (Cortina, 1993). With permission, the survey instrument
contains the valid and reliable question set as developed by Walpole and Wilson (2021), where X
in the question set was replaced with “a cybersecurity event,” or a grammatical equivalent, to
represent the risk event. With the validity and reliability of the question set in place, the results
should be repeatable.
Summary
The quantitative research effort was undertaken to determine whether there is a statistically significant
relationship between using tactical and aggregated metrics when communicating cybersecurity
risks. Additionally, the research effort intended to show whether there is a difference in risk
perception between cybersecurity leaders and non-cybersecurity organizational leaders. The
methodology for the research effort has been discussed, along with the research design and
analytical strategies. Participants were sourced from across the United States but were not
necessarily limited to that geography as cybersecurity is a global issue (Bassett et al., 2020). All
participants acknowledged a consent form to participate and will have the ability to request to be
removed from the study. The instrument had been tested for validity and reliability, and
permission had been received to use the survey instrument. In Chapter 4, the research effort
results are presented with an analysis of the data.
Chapter 4: Results
The purpose of this quantitative study was to statistically assess if the use of aggregated
cybersecurity risk metrics impacts the overall perception of risk at the board member and
executive level. The research effort sought to statistically evaluate how risk perception differs
when aggregated cybersecurity risk metrics are used between cybersecurity practitioners and
non-cybersecurity leaders of the board and executive teams. Data for this research effort was
collected using SurveyMonkey and Kwik Surveys and analyzed in SPSS using paired two-tailed
t-tests and WSR tests.
General Description of Participants
The demographics of the participants included the role in their organization, gender, size
of their organization, geography as related to the Chicagoland area, and industry. A total of 280
responses were received to the survey through organic outreach and the use of Kwik Surveys.
The responses were reviewed for completion and speed of response. After filtering out responses
that were not fully completed or completed in under one minute, there were 201 remaining
responses used in the full analysis. All participants are from one of the two self-identified
groups. Of the 201 responses, 53.7% (n = 108) are CISOs or the senior most person responsible
for cybersecurity and 46.3% (n = 93) are Board members or senior management (see Table A1).
The sample size received for each group met the minimum calculated requirement of 90
participants for each group.
Participants were asked about their gender. Of the respondents that indicated their gender
(n = 199), most of the respondents, 68.84% were male (n = 137). The remaining 31.16%
indicated female (n = 62) (see Table A). This result is not surprising with the representation of
males to females in the cybersecurity space (Beveridge, 2021) or at the board level (Bhrama et
al., 2020). These results indicate a sampling similar to the population; however, according to
Beveridge (2021), the ratio of females to males is actually lower.
Table A3 presents the distribution of the participants across sectors. The top three sectors
represented were healthcare at 15.42% (n = 31), information at 12.94% (n = 26), and finance at
12.44% (n = 25). These three sectors account for 40.8% (n = 82) of the responses. There were
zero responses from mining, trade, and utilities. The remaining sectors had at least one response
(see Figure B3), resulting in widespread responses among the seventeen selected sectors
providing a non-niche sampling.
The original target demographic was participants from the Chicagoland area or
individuals formerly from the Chicagoland area. However, due to challenges soliciting enough
responses in a reasonable time period, the research effort was opened to the entire United States.
Table A4 shows that 53.23% (n = 107) were from a metropolitan area other than Chicagoland.
While 1.49% (n = 3) chose not to provide their geography, 45.27% (n = 91) are or are formerly
from the Chicagoland area.
Unit of Analysis and Measurement
The unit of analysis is survey participants. Specifically, the survey participants are from
two groups. The first group is CISOs or the most senior person responsible for cybersecurity.
The second group is board members and senior executives. Due to the global nature of
cybersecurity, geographic limitations of the responses were not necessary; however, the research
effort was limited to the US. With cybersecurity affecting every industry and every sized
organization, industry and organization size were not qualifying factors (Ponemon, 2020).
The unit of measurement is risk perception, as measured using the instrument developed
by Walpole and Wilson (2021). The participants were presented with a scenario regarding the
risk event, as did Walpole and Wilson (2021). In this research effort, cybersecurity metrics were
presented using tactical metrics. Participants were then asked the 13 questions presented in the
instrument to measure their risk perception. A second risk event was then presented, with the
cybersecurity metrics shown as aggregated risk metrics. Participants were again asked the 13 questions from the
instrument to measure their risk perception.
Sample Size
Participants were sourced through social media, LinkedIn posts, group posts, direct
messages, Twitter, and Facebook groups. Additional requests for participation leveraged a CISO
email group and various trade association groups. The initial focus was on groups that targeted
Chicagoland individuals but was expanded to national groups. The initial calculation for the
sample size was 180 total participants with 90 from each group. The survey size was calculated
using a two-tailed WMW test and is based on the sample size calculation using a statistical
power threshold of 90%, an effect size of 0.5, and an α of 0.05 (see Figures B1 and B2). Having
received 201 valid responses, 53.7% (n = 108) from the CISOs or the senior most person
responsible for cybersecurity group and 46.3% (n = 93) from the Board members or senior
management group (see Table A1), the minimum number of responses was met.
Pilot Testing
Pilot testing was not conducted because Walpole and Wilson (2021), who developed the survey
instrument (see Appendix C), used here with permission (see Appendix E), conducted CFA to
verify the validity of the instrument. Furthermore, Walpole and Wilson (2021) calculated
Cronbach’s α = 0.856 for the entire instrument, which is acceptable (Cortina, 1993). The survey
instrument contains the valid and reliable question set as developed by Walpole and Wilson
(2021), where X in the question set was replaced with “a cybersecurity event,” or a grammatical
equivalent, to represent the risk event. No pilot testing was warranted with the validity and
reliability of the question set established.
Data Collection
Data collection commenced after obtaining IRB approvals (see Appendix F). Data was
collected using SurveyMonkey. Participants were sourced from several sources. These included
a Chicagoland CISO email group, several LinkedIn and Facebook groups including Chicagoland
specific groups, Twitter, and trade association forums. Additionally, the primary researcher
directly reached out to individual participants using LinkedIn’s messaging platform. Following
two weeks of data collection with a limited number of responses, the geography was opened to
the entire US from the concentrated area of Chicagoland. After another week of limited
responses, the primary researcher engaged with Kwik Surveys to purchase responses to the
survey.
Participants who used the SurveyMonkey platform were directed to the UPID generator
and consent form at https://upidgenerator.weebly.com before participating in the SurveyMonkey
platform. Participants from the Kwik Survey platform were presented with two qualifying
questions. The first confirmed they were a board member or senior executive (e.g., CXO) other
than the CISO or equivalent or that they are the senior most person responsible for cybersecurity
(i.e., CISO) depending on the targeted audience. The second question was to agree to the consent
form presented in Appendix D.
Results of Hypothesis Tests
Hypothesis tests were conducted to address the research questions. A test for normality
was conducted to determine the appropriate statistical test, using KS and SW tests in SPSS.
Where normality was found using both KS and SW tests, a two-tailed t-test was used in SPSS;
otherwise, the WSR test was used in SPSS.
First Hypothesis Test
The first hypothesis test sought to find if a difference exists in the amount of perceived
risk between the use of different presentation formats for cybersecurity risk metrics with board
members and executives. The data set was tested for normality by performing KS and SW tests.
The KS and SW test results indicate that the data is not normally distributed (p(KS) = .004, p(SW) =
.042). With a nonnormally distributed data set, a WSR test was performed on the results from the
board members and senior executive participants. Using SPSS, the mean scores from the tactical
metrics presentation were compared to the mean scores from the aggregate metrics presentation.
When viewing tactical and aggregate scores, the risk perception was strongly correlated (ρ =
0.866, p < .001). The median scores for risk perception for tactical metrics and aggregated
metrics (m(tactical) = 3.2308, m(aggregated) = 3.3077) indicate greater perceived risk when viewing
aggregated risk metrics. However, no statistically significant relationship was found between the
use of tactical or aggregated metrics amongst board members and senior executives (z = -0.205,
p = .837), indicating that while the risk perception in both cases was correlated, any differences
were due to chance. Thus, the null hypothesis was not rejected.
Second Hypothesis Test
The second hypothesis test sought to find if there exists a difference in the amount of
perceived risk between the use of different presentation formats for cybersecurity risk metrics
with cybersecurity practitioners. The data set was tested for normality by performing KS and SW
tests. The KS and SW test results indicate that the data is normally distributed (p(KS) > .200, p(SW) =
.571). With a normally distributed data set, a paired samples t-test was performed on the results
from the CISO participants. Using SPSS, the mean scores from the tactical metrics presentation
were compared to the mean scores from the aggregate metrics presentation. When viewing
tactical and aggregate scores, the risk perception was strongly and positively correlated (r =
0.869, p < .001). On average, the risk perception when viewing the aggregate metrics was greater
than the risk perceived when viewing tactical metrics (M = 0.00427, 95% CI [-0.08757,
0.07902]). While different, it is a trivial amount of increased perceived risk as no statistically
significant relationship was found between the use of tactical or aggregated metrics amongst
CISOs or the senior most person responsible for cybersecurity (t(107) = -0.102, p = .919),
indicating that while the risk perception in both cases was correlated, any differences were due to
chance. Thus, the null hypothesis was not rejected.
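The decision rule above (normality gate, then paired t-test or WSR test, with the matching correlation) as an added, stand-alone example that is not part of the dissertation's analysis. The scores are constructed, the `normal` flag stands in for the verdict of the KS and SW tests (which are not reimplemented), and the WSR z uses a tie-corrected normal approximation whose sign convention may differ from what SPSS prints.

```python
"""Paired comparison of risk-perception scores under two presentation formats.
Added example with constructed data; the gate mirrors the chapter's rule:
normal data -> paired t-test, otherwise the Wilcoxon signed-rank (WSR) test.
"""
import math
from statistics import mean, stdev


def average_ranks(values):
    """Rank values 1..n; tied values share the mean of the ranks they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2  # positions i..j hold 1-based ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def pearson_r(x, y):
    """Pearson product-moment correlation (the r reported for the CISO group)."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def spearman_rho(x, y):
    """Spearman rank correlation (the rho reported for the board/executive group)."""
    return pearson_r(average_ranks(x), average_ranks(y))


def t_two_sided_p(t, df, steps=4000):
    """Two-sided p-value from Student's t by Simpson integration of the density
    over [0, |t|]; avoids a SciPy dependency."""
    c = math.exp(math.lgamma((df + 1) / 2) - math.lgamma(df / 2)) / math.sqrt(df * math.pi)
    pdf = lambda x: c * (1 + x * x / df) ** (-(df + 1) / 2)
    h = abs(t) / steps
    s = pdf(0.0) + pdf(abs(t))
    for i in range(1, steps):
        s += (4 if i % 2 else 2) * pdf(i * h)
    return max(0.0, 1 - 2 * (s * h / 3))


def paired_differences(before, after):
    # Round away float noise so equal Likert differences tie in the ranking.
    return [round(a - b, 6) for a, b in zip(after, before)]


def paired_t_test(before, after):
    """Paired-samples t-test on after - before (aggregated minus tactical)."""
    d = paired_differences(before, after)
    n = len(d)
    m, s = mean(d), stdev(d)
    t = m / (s / math.sqrt(n))
    return {"mean_diff": m, "t": t, "df": n - 1, "p": t_two_sided_p(t, n - 1)}


def wilcoxon_signed_rank(before, after):
    """WSR test with the tie-corrected normal approximation for z. Zero
    differences are dropped; z is signed by W+ - E[W+]."""
    d = [v for v in paired_differences(before, after) if v != 0]
    n = len(d)
    ranks = average_ranks([abs(v) for v in d])
    w_plus = sum(r for r, v in zip(ranks, d) if v > 0)
    expected = n * (n + 1) / 4
    var = n * (n + 1) * (2 * n + 1) / 24
    counts = {}
    for v in d:
        counts[abs(v)] = counts.get(abs(v), 0) + 1
    var -= sum(c ** 3 - c for c in counts.values()) / 48  # tie correction
    z = (w_plus - expected) / math.sqrt(var)
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided, standard normal
    return {"w_plus": w_plus, "z": z, "p": p}


def compare_formats(tactical, aggregated, normal):
    """Apply the chapter's rule: `normal` is the verdict of the KS and SW
    tests run beforehand (assumed input); pick the test and correlation."""
    if normal:
        out = paired_t_test(tactical, aggregated)
        out["r"] = pearson_r(tactical, aggregated)
        out["test"] = "paired t-test"
    else:
        out = wilcoxon_signed_rank(tactical, aggregated)
        out["rho"] = spearman_rho(tactical, aggregated)
        out["test"] = "WSR"
    out["reject_null_at_05"] = out["p"] < 0.05
    return out


# Constructed scores (mean of 13 Likert items per participant), not study data.
TACTICAL = [3.0, 3.2, 2.8, 3.5, 3.1, 2.9, 3.3, 3.0]
AGGREGATED = [3.2, 3.3, 2.8, 3.6, 3.0, 3.1, 3.4, 3.1]

if __name__ == "__main__":
    for normal in (True, False):
        print(compare_formats(TACTICAL, AGGREGATED, normal))
```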
Interpretation of the Hypothesis Tests
The positive correlation between risk perception and the presentation format was not
surprising. The literature explained that the affective response to cybersecurity, in general, is
negative (Fordyce et al., 2018; Nam, 2019; Renaud et al., 2021). Thus, based on the presentation
formats, the cybersecurity risk perception would have a similar path regardless of how it is
presented. These similar paths are shown with the high correlations between the two presentation
formats in both hypothesis tests (ρ = 0.866, p < .001 and r = 0.869, p < .001). The interesting result
of the study is that the magnitude of the risk perception did not differ despite the change in
presentation format. An adjustment to the confidence level could be considered; however, with
the p-values approaching one in both cases, the results strongly indicate that any differences were
due to chance (p = .837, p = .919).
Summary
To address two research questions regarding cybersecurity risk presentation formats with
two different groups, 280 participants were sourced to answer the questions in the survey
instrument, see Appendix D. A statistically significant number of valid surveys were received
based on the WMW calculation using G*Power (n = 201). The participants were originally
sourced from the Chicagoland area. However, the geography was opened to the entire US due to
slow response rates. A large representation across sectors was received, with three sectors
accounting for 40.8% (n = 82) of the responses. These sectors are healthcare at 15.42% (n = 31),
information at 12.94% (n = 26), and finance at 12.44% (n = 25). The tests for normal distribution
and hypothesis tests were conducted using SPSS. The CISO data set was found to be normally
distributed; however, the board member and senior executive data set was found not to be normally
distributed. The CISO data set was evaluated using a paired two-tail t-test, and the null
hypothesis was not rejected. The board member and senior executive data set was evaluated
using the WSR test, and the null hypothesis was not rejected. The study results indicate that a
relationship between cybersecurity risk perception and cybersecurity risk presentation does not
exist beyond that of chance. In both cases, the survey results showed that risk perception in the
two presentation formats was positively correlated; however, the differences in risk perception
were not statistically significant. Further discussion and recommendations from the findings can
be found in Chapter 5.
Chapter 5: Concluding the Study
This chapter discusses the findings of the study based on the data received from the
surveys collected. A reflection upon the findings was conducted, including prior held beliefs
about the study topic. The ethical dimensions and sampling methods are reviewed.
Limitations encountered during the study are discussed and addressed compared with those
anticipated. Lastly, suggestions for future research are presented.
Summary of the Study
Improving cybersecurity risk communications through a prescriptive and actionable
approach was the goal of the study. By having an actionable take-away, stakeholders would have
a specific direction to take back to their organizations. A sufficient amount of data was collected
from a minimum number of participants; 180 responses were needed with at least 90 responses
from each group, which proved challenging in a reasonable time frame. However, this was
overcome by using targeted surveys, resulting in 201 valid responses.
The means of the Likert scale data from the valid and reliable instrument for risk
perception from Walpole and Wilson (2021) were tested for normal distribution. The results
from the CISO group were found to be normally distributed; however, the senior executive and
board member group was determined not to be normally distributed. The hypothesis was tested
using a two-tailed paired t-test for the CISO group and a WSR test for the board member and
senior executive group. In both tests, the null hypothesis was not rejected and the conclusion
reached is that there is no statistical difference in cybersecurity risk perception when using
tactical or aggregated risk metrics.
Ethical Dimensions
Data collection commenced after obtaining IRB approvals (see Appendix F). The IRB
review committee requested assurances and was provided the requested assurance that data had
not been collected prior to approval. All participants received a copy of the consent form
containing contact information for the researcher and IRB chair before beginning the survey (see
Appendix D). Participants that took the survey via SurveyMonkey received the consent form
from the UPID generation website, and participants that took the survey via Kwik Surveys
consented to participation as a qualification question prior to beginning the survey.
SurveyMonkey and Kwik Surveys were configured to maintain the anonymity of the
participants.
The research effort was a quantitative study which limited the researcher's bias.
Computing the results based on the user's feedback was a straightforward process with limited
influence by the researcher. The data was evaluated as it was received from the participants.
There was no involvement with the participants while they took the survey; therefore, there was
no influence by the researcher on the responses.
Overview of the Population and Sampling Method
The research effort surveyed board members, executive leadership, and the senior most
cybersecurity leaders from multiple organizations. Targeted cybersecurity leaders would have
job titles ranging from Manager to CISO. Participants were primarily sourced from the Greater
Chicagoland area but later expanded to the entire US from several CISO groups, social media,
LinkedIn posts, group posts, direct messages, Twitter, Facebook groups, and trade association
groups. A total of 201 valid responses were received using the SurveyMonkey platform and
targeted responses using Kwik Surveys.
Limitations
Theofanidis and Fountouki (2018) state that the limitations of a study are “potential
weaknesses” (p. 156) that the researcher cannot control and should address. A limitation
experienced was the rate of collecting responses from the initially specified geography. The
challenges of collecting responses may be attributed to the timing (collection started the week of
the Christmas holiday) or to the topic, as cybersecurity can be a sensitive topic. Also, the
pool of senior executives, board members, and CISOs is small compared to a broader population.
While the minimum number of responses could have been collected over time, a decision was
made to expand the geography and broaden the pool of potential participants to collect the
responses more quickly. Given that cybersecurity is a global issue, the responses outside the
Greater Chicagoland area are not viewed as problematic and did not negatively impact the results
(Ponemon, 2020).
The other limitation that arose was the number of incomplete surveys. There were 280
qualified survey respondents who responded to the survey; however, only 201 answered every
question in the instrument. With a 71.79% total completion rate, an increase in the number of
responses was needed, along with the time and costs to collect responses. For example, 98
responses were collected via the SurveyMonkey platform, but only 71 reached the end of the
survey, and only 66 of those were fully completed. This limitation was not expected but was
overcome by using targeted respondents from Kwik Surveys. Kwik Surveys provided a platform
to reach a targeted demographic for a reasonable fee. Two groups were selected with a
geographic limitation to the United States. Group one targeted Executives and Board members,
and group two targeted senior executives with cybersecurity responsibility. Two screening
questions were used. The first asked their role to ascertain their group, and the second asked
them to agree to the consent form (see Appendix D).
Results
The study attempted to provide practical guidance towards addressing the problem of the
need to improve cybersecurity risk communications. Several scholarly sources have stressed that
better communication with the board is needed (Al-Moshaigeh et al., 2019; Anders, 2019;
Gallagher et al., 2019; Islam et al., 2018; Rothrock et al., 2018, Weill et al., 2019); however, the
articles fall short of prescriptive direction on executing and delivering compelling
communications, and the problem continues. The need to speak the language of business was
called upon in the literature (Blum, 2020; Karanja & Rosso, 2017; Rowe, 1998; Wright, 2021).
The specifics of the language of business could not be agreed upon other than it is not singularly
defined. The best approach to the language of business is simply terms that matter to the
business. For example, if money is most important, then finance or accounting is the language of
business. However, if patient safety is most important, then patient safety is the language of the
business (Wright, 2021). The lack of specificity of business language led to using the model
proposed by Marchewka (2018; as cited in Fitzgerald, 2018) as a presentation format using six
categories for aggregating the scores. These six areas addressed the three main areas of
cybersecurity, confidentiality, integrity, and availability (Harris & Maymi, 2021), and three
business categories, people, reputation, and finance. Each of the six categories is further
defined in the survey instrument, see Appendix C. The presentation format suggested by
Marchewka (2018; as cited in Fitzgerald, 2018) brings together the critical aspects of the
business and cybersecurity without being singularly focused on one topic, for example, finance.
Instead, the model presents a holistic and non-technical approach within the six identified areas
to come closer to a comprehensive language of business.
By using aggregated risk metrics as the presentation format, it was proposed that there
would be a difference in perceived risk. By changing the presentation method, the goal was to
reduce the information asymmetry gap through a presentation that was not overly technical,
thereby improving understanding. In doing so, a reduction in affective response would be
realized, and less affective decision making could occur. The research questions were addressed
through hypothesis testing to explore the relationship between risk perception and presentation
format.
Research Question 1
Research Question 1: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with board members and executive level
leadership? A positive correlation (ρ = 0.866, p < .001) exists between the risk perception scores
under the two cybersecurity risk presentation formats. However, there is no statistically significant
difference in risk perception between the presentation formats (z = -0.205, p = .837).
No change in risk perception with the executive group is interesting given the demand, in
the literature, for communication in business terms. The lack of actual communication and
discussion beyond the instructions in the survey instrument, see Appendix D, may be a reason
for the lack of change in risk perception with either presentation format. An explanation from a
subject matter expert and relation directly to the business may still be needed beyond the
presentation format. The results do indicate that either presentation format maintains the same
risk perception level; therefore, either format could be used in a presentation. In a presentation, it
may behoove a presenter to use the aggregated model given the demand for communications in
business terms.
Research Question 2
Research Question 2: What is the relationship between cybersecurity risk perception and
cybersecurity risk metrics presentation format with cybersecurity practitioners (i.e., CISOs)?
Like the executive group, the relationship between cybersecurity risk perception and presentation
format with cybersecurity practitioners was positively correlated (r = 0.869, p < .001). However,
a statistically significant relationship was not found using the different presentation formats and
cybersecurity risk perception (t(107) = -0.102, p = .919).
The results for the cybersecurity practitioners are not surprising since they are in the field
and should fully understand the risks and implications for the tactical metrics. The aggregated
metrics were developed from the tactical metrics with the intent that the meaning behind the
aggregated metrics should be sharing a similar profile in more business focused terms. A CISO
should be able to convey and understand their field in business terms and language (Maynard et
al., 2018; Shayo & Lin, 2019). Therefore, it would follow that the CISOs' perception of risk in
both cases would be the same, which supports the findings of the study. These results indicate
that the aggregated model presented by Marchewka (2018; as cited in Fitzgerald, 2018) conveys
the same message as the tactical message and that the aggregated metrics could be a springboard
into a discussion without overwhelming executives with technical jargon.
Reflection
For years I have advocated using aggregated risk metrics when telling the cybersecurity
story to executives and board members. This point of view was primarily driven by information
gathered from other professionals and colleagues in the field. The advocacy for aggregated
metrics was also driven by peers stating that their boards had asked for single scores to reflect
the performance of the cybersecurity program. The initial impetus for this approach was to
answer the question, “who cares about cybersecurity?” Finding a method to answer that question,
which was vital to capturing the attention of a highly financially driven leadership team, was the
challenge. Using aggregated metrics was arrived upon through recommendations from various
trade publications and trade conferences.
Two people reached out directly to me via email during the data collection phase,
indicating that the presentation format makes a difference. One person stated, “My guess is that
most non-CISOs will be lost in the details of the examples and have a difficult time only
responding as if the data presented were at their organizations.” The other comment was similar,
“Yes, the top section of did not provide any useful management information. I think that is the
point. The second section of course drives home the point of who and what is at risk. So, cool.”
When I received these comments, I suspected that the results would come out as hypothesized. I
want to note that these participants' comments and results have remained entirely separate, and
they volunteered this information without prompting.
Going into this study, I hoped that aggregated risk metrics would impact risk perception
as it would have substantiated what had been observed in practice and the comments by the two
participants mentioned above. However, with the actual results of the study in hand, risk
perception is not changed based solely on the presentation tool of the risk metrics. However, risk
perception remains the same with both tools meaning both could deliver the same message
depending on how the audience prefers to hear that message. Analyzing the results of the study
led me to believe that the success of conveying cybersecurity risk metrics depends more on the
delivery of the message than on the mechanism of delivery. The attribution of the delivery
mechanism to the risk perception would be categorized as a causal fallacy (Vleet, 2012).
Connecting the delivery mechanism to risk perception in an if-then or cause and effect
relationship is not the whole story because some companies have organizationally supported
cybersecurity programs, and others continue to struggle. Enough credit to the people involved in
making cybersecurity decisions was not considered carefully. Several people are involved in
cybersecurity decisions, and each plays a role. There are people involved in delivering the
cybersecurity message; there are the people receiving the information and their capabilities of
receiving the information to process the risks regardless of how the risks are presented. The fact
that the risk perception in both groups across both scenarios nearly remained the same would
indicate their risk processing of the information is the same. That said, an individual may hold
the same bias towards cybersecurity risk regardless of presentation format.
Recommendations
The primary recommendation from the study is to use the presentation format preferred
by the audience that is receiving the information and to focus on the message. Better
communication with the board is needed (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et
al., 2019; Islam et al., 2018; Rothrock et al., 2018, Weill et al., 2019). Continued messaging in
terms that the board recognizes and understands is imperative. The use of tactical or aggregate
metrics does not matter, as shown through the study. Instead, the messaging behind the metrics
may have a more significant influence on board and executive understanding.
Improving executive understanding of cybersecurity risks continues to remain a need.
Part of improving the understanding of risks is to close the information asymmetry gap and
reduce the affective response (Garcia Perez et al., 2018; Wu et al., 2019). The message,
reasoning, or business circumstances behind the metrics, rather than the presentation format,
could help drive the cybersecurity risk message. Reducing the information asymmetry gap and
improving the understanding of the information could reduce the affective response to the
information. People have two challenges to overcome when it comes to cybersecurity: lack of
understanding and an immediate move to negative thoughts at the mention of cybersecurity.
Improving trust may be one method to achieve the goals of reducing information
asymmetry and reducing affective response. To establish trust, Kohlhoffer-Mizser (2019) defines
trust with the combination of credibility, reliability, intimacy, and self-orientation, as seen in (1).
By interacting more, increasing intimacy, and developing a stronger relationship with board
members and executives, cybersecurity practitioners may close the gap and steer decision makers
towards decisions to reduce cybersecurity risk. Reducing the focus from themselves and focusing
on the needs of the business and the audience may also be an approach. Reliability can be
increased through the regular use of a metric set. This study shows that the style of metrics used
does not matter, but perhaps the consistency of use may have a more significant impact.
Focusing on the message in terms the audience desires is a recommendation to convey
cybersecurity risks. This recommendation is based on the recommendation from the literature to
speak in terms the business understands (Al-Moshaigeh et al., 2019; Anders, 2019; Gallagher et
al., 2019; Islam et al., 2018; Rothrock et al., 2018, Weill et al., 2019). The broader
recommendation is to have specific conversations to discover the exact messages that resonate
with the specific audience. Having conversations with stakeholders and continually building trust
is imperative to reducing the information asymmetry gap and improving decision
making. These conversations may need to be at a one-on-one level versus a full executive or
board meeting. By keeping the conversations smaller, more focused questions may be possible
along with teaching and explaining.
Suggestions for Future Research
Further research into the communication of cybersecurity risk needs to continue. While
the study found that the tool does not change risk perception, future research should look at a
qualitative review of what works to drive cybersecurity risk perception and cybersecurity
understanding. An evaluation of presentation formats of successful and unsuccessful
presentations could be conducted with interviews of the presentees to find practical approaches
for communicating cybersecurity risk. The suggestion of speaking in business terms is not
sufficient without specific examples (Aiello & Schneidermeyer, 2016; Karanja & Rosso, 2017;
Lanz, 2017). Cybersecurity is a global problem affecting all organizations of all sizes, and
reducing the risk of a cybersecurity event is paramount. Further research should provide
practitioners with actionable steps to address this global issue.
Concluding the Study
This quantitative study answered questions about the relationship between cybersecurity
risk perception and the presentation of cybersecurity risk metrics. The expectation was that using
aggregated risk metrics would elicit a difference in risk perception based on the findings in the
literature. The findings of the study demonstrated that the use of presentation format did not
impact risk perception. Based on the results of the study and the literature, further work is needed
on communication tools, techniques, and patterns to close the information asymmetry gap and
reduce the affective response, as these have a more significant influence on risk perception and
understanding. Chapter 5 serves as the end of this study. It is hoped that continued work may be
DocuSign Envelope ID: CCBDE6D7-BE3A-4C4B-BAC5-18BF1519AC76
75
done to provide practitioners with prescriptive approaches to conveying cybersecurity risks to
board members and senior executives.
References
Aiello, M., & Schneidermeyer, P. (2016). Four mistakes to avoid when hiring your next
information security chief. China Business Review, 1.
Al-Moshaigeh, A., Dickins, D., & Higgs, J. L. (2019). Cybersecurity risks and controls. CPA
Journal, 89(6), 36–41.
Amin, Z. (2019). A practical road map for assessing cyber risk. Journal of Risk Research, 22(1),
32–43. https://doi-org.proxy1.calsouthern.edu/10.1080/13669877.2017.1351467
Anders, S. B. (2019). Cybersecurity tools for CPAs. CPA Journal, 89(6), 72–73.
Atkinson, T. M., Rosenfeld, B. D., Sit, L., Mendoza, T. R., Fruscione, M., Lavene, D., Shaw, M.,
Li, Y., Hay, J., Cleeland, C. S., Scher, H. I., Breitbart, W. S., & Basch, E. (2011). Using
confirmatory factor analysis to evaluate construct validity of the brief pain inventory
(BPI). Journal of Pain and Symptom Management, 41(3), 558-565.
https://doi.org/10.1016/j.jpainsymman.2010.05.008
B, S., & Carr, M. (2018). Cyber metrics: Getting the conversation straight between technical and
non-technical actors. Research Institute in Science of Cyber Security.
https://discovery.ucl.ac.uk/id/eprint/10063231/1/RISCS%20Research%20Brief_Metrics
%20Workshop%20May%202018.pdf
Bassett, G., Hylender, C. D., Langlois, P., Pinto, A., & Widup, S. (2020). Verizon data breach
investigations report. https://enterprise.verizon.com/resources/reports/2020-data-breach-
investigations-report.pdf
Batteux, E., Ferguson, E., & Tunney, R. J. (2019). Do our risk preferences change when we
make decisions for others? A meta-analysis of self-other differences in decisions
involving risk. PLOS ONE, 14(5), e0216566.
https://doi.org/10.1371/journal.pone.0216566
Beck, J. W., Schmidt, A. M., & Natali, M. W. (2019). Efficient proximal resource allocation
strategies predict distal team performance: Evidence from the National Hockey League.
Journal of Applied Psychology, 104(11), 1387–1403.
https://doi-org.proxy1.calsouthern.edu/10.1037/apl0000407.supp (Supplemental)
Bergh, D. D., Ketchen, D. J., Orlandi, I., Heugens, P. P., & Boyd, B. K. (2019). Information
asymmetry in management research: Past accomplishments and future opportunities.
Journal of Management, 45(1), 122-158. https://doi.org/10.1177/0149206318798026
Beveridge, R. (2021). Addressing the gender gap in the cybersecurity workforce. International
Journal of Cyber Research and Education, 3(2), 54-61.
https://doi.org/10.4018/ijcre.2021070105
Bhatia, J., & Breaux, T. D. (2018). Empirical measurement of perceived privacy risk. ACM
Transactions on Computer-Human Interaction, 25(6), 1-47.
https://doi.org/10.1145/3267808
Blum, D. (2020). Manage risk in the language of business. In Rational cybersecurity for
business: The security leaders' guide to business alignment (pp. 123-156). Apress.
http://dx.doi.org/10.1007/978-1-4842-5952-8_5
Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2005). Evaluating information security investments
using the analytic hierarchy process. Communications of the ACM, 48(2), 79–83.
https://doi-org.proxy1.calsouthern.edu/10.1145/1042091.1042094
Bodin, L. D., Gordon, L. A., & Loeb, M. P. (2008). Information security and risk management.
Communications of the ACM, 51(4), 64–68. https://doi-
org.proxy1.calsouthern.edu/10.1145/1330311.1330325
Boone, H. N., & Boone, D. A. (2012). Analyzing Likert data. Journal of Extension, 50(2).
https://archives.joe.org/joe/2012april/pdf/JOE_v50_2tt2.pdf
Bowen, G. (2015). Preparing a qualitative research-based dissertation: Lessons learned. The
Qualitative Report. https://doi.org/10.46743/2160-3715/2005.1846
Brahma, S., Nwafor, C., & Boateng, A. (2020). Board gender diversity and firm performance:
The UK evidence. International Journal of Finance & Economics, 26(4), 5704-5719.
https://doi.org/10.1002/ijfe.2089
Brennan, N. M., Kirwan, C. E., & Redmond, J. (2016). Accountability processes in boardrooms.
Accounting, Auditing & Accountability Journal, 29(1), 135-164.
https://doi.org/10.1108/aaaj-10-2013-1505
Budimir, S., Fontaine, J. R. J., Huijts, N. M. A., Haans, A., Loukas, G., & Roesch, E. B. (2021).
Emotional reactions to cybersecurity breach situations: Scenario-based survey study.
Journal of Medical Internet Research, 23(5), e24879. http://doi.org/10.2196/24879
Buelow, M. T., Jungers, M. K., & Chadwick, K. R. (2019). Manipulating the decision making
process: Influencing a “gut” reaction. Journal of Clinical & Experimental
Neuropsychology, 41(10), 1097–1113. https://doi-
org.proxy1.calsouthern.edu/10.1080/13803395.2019.1662374
Carfora, M. F., Martinelli, F., Mercaldo, F., & Orlando, A. (2019). Cyber risk management: An
actuarial point of view. Journal of Operational Risk.
https://doi.org/10.21314/jop.2019.231
Center for Internet Security. (2015, October). A measurement companion to the CIS Critical
Security Controls. CIS Center for Internet Security. https://www.cisecurity.org/wp-
content/uploads/2017/03/A-Measurement-Companion-to-the-CIS-Critical-Security-
Controls-VER-6.0-10.15.2015.pdf?x60581
Cerin, B. (2020). Cyber security risk is a board-level issue [Paper presentation]. 2020 43rd
International Convention on Information, Communication and Electronic Technology
(MIPRO), Opatija, Croatia. https://doi.org/10.23919/mipro48935.2020.9245151
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008). Performance
measurement guide for information security (SP 800-55 Rev. 1). National Institute of
Standards and Technology (NIST). https://csrc.nist.gov/publications/detail/sp/800-55/rev-
1/final
Cortina, J. M. (1993). What is coefficient Alpha? An examination of theory and applications.
Journal of Applied Psychology, 78(1), 98-104. https://doi.org/10.1037/0021-9010.78.1.98
Couce-Vieira, A., Insua, D. R., & Kosgodagan, A. (2020). Assessing and forecasting
cybersecurity impacts. Decision Analysis, 17(4), 356-374.
https://doi.org/10.1287/deca.2020.0418
Cox, L. (2008). What's wrong with risk matrices? Risk Analysis, 28(2), 497–512.
https://doi.org/10.1111/j.1539-6924.2008.01030.x
Creswell, J. W., & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and mixed
methods approaches (5th ed.). SAGE Publications.
Deane, J. K., Goldberg, D. M., Rakes, T. R., & Rees, L. P. (2019). The effect of information
security certification announcements on the market value of the firm. Information
Technology and Management, 20(3), 107-121. https://doi.org/10.1007/s10799-018-
00297-3
De Paoli, S., Johnstone, J., Coull, N., Ferguson, I., Sinclair, G., Tomkins, P., Brown, M., &
Martin, R. (2020). A qualitative exploratory study of the knowledge, forensic, and legal
challenges from the perspective of police cybercrime specialists. Policing: A Journal of
Policy and Practice, 15(2), 1429-1445. https://doi.org/10.1093/police/paaa027
De Smidt, G., & Botzen, W. (2018). Perceptions of corporate cyber risks and insurance decision-
making. The Geneva Papers on Risk and Insurance - Issues and Practice, 43(2), 239-
274. https://doi.org/10.1057/s41288-018-0082-7
Devarakonda, S. (2019). Calculating the economic viability of corporate trainings (Traditional &
eLearning) using benefit-cost ratio (BCR) and return on investment (ROI). International
Journal of Advanced Corporate Learning, 12(1), 41–57. https://doi-
org.proxy1.calsouthern.edu/10.3991/ijac.v12i1.9735
Djeundje, V. B., Crook, J., Calabrese, R., & Hamid, M. (2021). Enhancing credit scoring with
alternative data. Expert Systems with Applications, 163, 113766.
https://doi.org/10.1016/j.eswa.2020.113766
Edwards, B. (2019). Cybersecurity oversight liability. Georgia State University Law Review,
35(663), 663-677. https://ssrn.com/abstract=3390805
Eling, M. (2020). Cyber risk research in business and actuarial science. European Actuarial
Journal, 10(2), 303-333. https://doi.org/10.1007/s13385-020-00250-1
Faul, F., Erdfelder, E., Buchner, A., & Lang, A. (2009). Statistical power analyses using
G*Power 3.1: Tests for correlation and regression analyses. Behavior Research Methods,
41(4), 1149-1160. https://doi.org/10.3758/brm.41.4.1149
Gasper, K., Spencer, L. A., & Hu, D. (2019). Does neutral affect exist? How challenging three
beliefs about neutral affect can advance affective research. Frontiers in Psychology, 10.
https://doi.org/10.3389/fpsyg.2019.02476
Geil, A., Sagers, G., Spaulding, A. D., & Wolf, J. R. (2018). Cyber security on the farm: An
assessment of cyber security practices in the United States agriculture industry.
International Food and Agribusiness Management Review, 21(3), 317-334.
https://doi.org/10.22434/ifamr2017.0045
Ferrer, R. A., Klein, W. M., Persoskie, A., Avishai-Yitshak, A., & Sheeran, P. (2016). The
tripartite model of risk perception (TRIRISK): Distinguishing deliberative, affective, and
experiential components of perceived risk. Annals of Behavioral Medicine, 50(5), 653-
663. https://doi.org/10.1007/s12160-016-9790-z
Ferri, L., Spanò, R., Maffei, M., & Fiondella, C. (2021). How risk perception influences CEOs'
technological decisions: Extending the technology acceptance model to small and
medium-sized enterprises' technology decision makers. European Journal of Innovation
Management, 24(3), 777-798. http://dx.doi.org/10.1108/EJIM-09-2019-0253
Finucane, M. L., Alhakami, A., Slovic, P., & Johnson, S. M. (2000). The affect heuristic in
judgments of risks and benefits. Journal of Behavioral Decision Making, 13(1), 1-17.
https://doi.org/10.1002/(sici)1099-0771(200001/03)13:1<1::aid-bdm333>3.0.co;2-s
Fitzgerald, T. (2018). CISO compass: Navigating cybersecurity leadership challenges with
insights from pioneers. CRC Press. https://doi.org/10.1201/9780429399015
Fordyce, T., Green, S., & Groß, T. (2018). Investigation of the effect of fear and stress on
password choice. Proceedings of the 7th Workshop on Socio-Technical Aspects in
Security and Trust - STAST '17. https://doi.org/10.1145/3167996.3168000
Frank, M. L., Grenier, J. H., & Pyzoha, J. S. (2019). How disclosing a prior cyberattack
influences the efficacy of cybersecurity risk management reporting and independent
assurance. Journal of Information Systems, 33(3), 183–200. https://doi-
org.proxy1.calsouthern.edu/10.2308/isys-52374
Fruhlinger, J. (2019, April 30). Does it matter who the CISO reports to? CSO Online.
https://www.csoonline.com/article/3278020/does-it-matter-who-the-ciso-reports-to.html
Gallagher, C. G., Zielinski, K. L., & Boyle, D. M. (2019). The more you say. Internal Auditor,
76(2), 49–53.
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I.
(2017). Multicriteria decision framework for cybersecurity risk assessment and
management. Risk Analysis, 40(1), 183-199. https://doi.org/10.1111/risa.12891
Garcia Perez, A., Madzudzo, G., & Morris, D. (2018). Cybersecurity and the auto industry: The
growing challenges presented by connected cars. International Journal of Automotive
Technology and Management, 18(2), 105. https://doi.org/10.1504/ijatm.2018.10013319
Groysberg, B. (2014). The seven skills you need to thrive in the c-suite. Harvard Business
Review Digital Articles, 2–6.
http://search.ebscohost.com.proxy1.calsouthern.edu/login.aspx?direct=true&db=bsx&AN
=118647065&site=eds-live&scope=site
Harris, S., & Maymi, F. (2021). CISSP all-in-One exam guide (9th ed.). McGraw-Hill Education.
Haupt, R. L., & Shockley, A. J. (2018). Analysis paralysis. The Radio Science Bulletin, 366, 23-
24. https://www.ursi.org/content/RSB/RSB_366_2018_09.pdf
Havakhor, T., Rahman, M. S., & Zhang, T. (2021). Cybersecurity investments and the cost of
capital. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3553470
Hooper, V., & McKissack, J. (2016). The emerging role of the CISO. Business Horizons, 59(6),
585-591. https://doi.org/10.1016/j.bushor.2016.07.004
Horsman, G. (2017). Can we continue to effectively police digital crime? Science & Justice,
57(6), 448-454. https://doi.org/10.1016/j.scijus.2017.06.001
Huang, K., & Madnick, S. (2020). A cyberattack doesn’t have to sink your stock price. Harvard
Business Review Digital Articles, 2–5.
Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk. John
Wiley & Sons. https://doi.org/10.1002/9781119162315
In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 971 (Del. Ch. 1996)
Islam, M. S., Farah, N., & Stafford, T. F. (2018). Factors associated with security/cybersecurity
audit by internal audit function. Managerial Auditing Journal, 33(4), 377–409.
https://doi.org/10.1108/MAJ-07-2017-1595
Karanja, E. (2017). The role of the chief information security officer in the management of IT
security. Information & Computer Security, 25(3), 300-329. https://doi.org/10.1108/ics-
02-2016-0013
Karanja, E., & Rosso, M. A. (2017). The chief information security officer: An exploratory
study. Journal of International Technology & Information Management, 26(2), 23–47.
https://scholarworks.lib.csusb.edu/jitim/vol26/iss2/2
Keskin, O. F., Caramancion, K. M., Tatar, I., Raza, O., & Tatar, U. (2021). Cyber third-party risk
management: A comparison of non-intrusive risk scoring reports. Electronics, 10(10),
1168. https://doi.org/10.3390/electronics10101168
Kohlhoffer-Mizser, C. (2019). Conflict management-resolution based on trust? Ekonomicko-
manazerske spektrum, 13(1), 72-82. https://doi.org/10.26552/ems.2019.1.72-82
Kott, A., & Arnold, C. (2013). The promises and challenges of continuous monitoring and risk
scoring. IEEE Security & Privacy, 11(1), 90-93. https://doi.org/10.1109/msp.2013.19
Jalali, M. S., Siegel, M., & Madnick, S. (2019). Decision-making and biases in cybersecurity
capability development: Evidence from a simulation game experiment. The Journal of
Strategic Information Systems, 28(1), 66-82. https://doi.org/10.1016/j.jsis.2018.09.003
Joseph, D. L., Chan, M. Y., Heintzelman, S. J., Tay, L., Diener, E., & Scotney, V. S. (2020). The
manipulation of affect: A meta-analysis of affect induction procedures. Psychological
Bulletin, 146(4), 355–375.
https://doi-org.proxy1.calsouthern.edu/10.1037/bul0000224.supp (Supplemental)
Krishna Viraja, V., & Purandare, P. (2021). A qualitative research on the impact and challenges
of cybercrimes. Journal of Physics: Conference Series, 1964(4), 042004.
https://doi.org/10.1088/1742-6596/1964/4/042004
Lanz, J. (2017). The chief information security officer: The new CFO of information security.
CPA Journal, 87(6), 52–57.
http://search.ebscohost.com.proxy1.calsouthern.edu/login.aspx?direct=true&db=bsx&AN
=123973401&site=eds-live&scope=site
Latkin, C. A., Edwards, C., Davey-Rothwell, M. A., & Tobin, K. E. (2017). The relationship
between social desirability bias and self-reports of health, substance use, and social
network factors among urban substance users in Baltimore, Maryland. Addictive
Behaviors, 73, 133-136. https://doi.org/10.1016/j.addbeh.2017.05.005
Machynska, N., & Boiko, H. (2020). Andragogy - The science of adult education: Theoretical
aspects. Journal of Innovation in Psychology, Education & Didactics, 24(1), 25–34.
http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/scholarly-journals/andragogy-science-adult-education-
theoretical/docview/2479494712/se-2?accountid=35183
Maguire, N., Beyens, K., Boone, M., Laurinavicius, A., & Persson, A. (2015). Using vignette
methodology to research the process of breach comparatively. European Journal of
Probation, 7(3), 1-18. https://doi.org/10.1177/2066220315617271
Maynard, S., Onibere, M., & Ahmad, A. (2018). Defining the strategic role of the chief
information security officer. Pacific Asia Journal of the Association for Information
Systems, 10(3). https://www.researchgate.net/publication/331168444_Defining_the_Strat
egic_Role_of_the_Chief_Information_Security_Officer
McGinn, M. K., & Bosacki, S. L. (2004). Research ethics and practitioners: Concerns and
strategies for novice researchers engaged in graduate education. Forum: Qualitative
Social Research, 5(2). https://doi.org/10.17169/fqs-5.2.615
Menon, T., & Thompson, L. (2016). How to make better decisions with less data. Harvard
Business Review Digital Articles, 2–5.
http://search.ebscohost.com.proxy1.calsouthern.edu/login.aspx?direct=true&db=bsx&AN
=120606104&site=eds-live&scope=site
Merriam, S. B., Caffarella, R. S., & Baumgartner, L. M. (2020). Learning in adulthood: A
comprehensive guide (3rd ed.). John Wiley & Sons.
Miiro, F. (2020). Confirmatory factor analysis for testing validity and reliability of University
transformation practices as perceived by University staff. UMRAN - International
Journal of Islamic and Civilizational Studies, 7(1), 11-24.
https://doi.org/10.11113/umran2020.7n1.344
NACD. (2019). 2019-2020 NACD Public Company Governance Survey (SUR-092). National
Association of Corporate Directors. https://corpgov.law.harvard.edu/wp-
content/uploads/2020/01/2019-2020-Public-Company-Survey.pdf
Nam, T. (2019). Understanding the gap between perceived threats to and preparedness for
cybersecurity. Technology in Society, 58, 101122.
https://doi.org/10.1016/j.techsoc.2019.03.005
Nemec, P. B. (2018). Is there a return on investment for training? Psychiatric Rehabilitation
Journal, 41(2), 160–162. https://doi-org.proxy1.calsouthern.edu/10.1037/prj0000293
Nestle, V., Täube, F. A., Heidenreich, S., & Bogers, M. (2019). Establishing open innovation
culture in cluster initiatives: The role of trust and information asymmetry. Technological
Forecasting and Social Change, 146, 563-572.
https://doi.org/10.1016/j.techfore.2018.06.022
Nurse, J. R., Creese, S., Goldsmith, M., & Lamberts, K. (2011). Trustworthy and effective
communication of cybersecurity risks: A review. 2011 1st Workshop on Socio-Technical
Aspects in Security and Trust (STAST). https://doi.org/10.1109/stast.2011.6059257
Nyre, Å. A., & Jaatun, M. G. (2013). Seeking risks: Towards a quantitative risk perception
measure. Availability, Reliability, and Security in Information Systems and HCI, 256-271.
https://doi.org/10.1007/978-3-642-40511-2_18
Orehek, Š., Petrič, G., & Šinigoj, J. (2020). Assessing the human factor of cybersecurity: Can
surveys tell the truth? Lecture Notes in Computer Science, 267-281.
https://doi.org/10.1007/978-3-030-60114-0_18
Pagura, I. (2020). Small business and cyber security. Journal of the Australian Traditional-
Medicine Society, 26(1), 38–39.
http://search.ebscohost.com.proxy1.calsouthern.edu/login.aspx?direct=true&db=c8h&A
N=143040465&site=eds-live&scope=site
Parkin, S., Kuhn, K., & Shaikh, S. A. (2021, May 7). Scenario-driven assessment of cyber risk
perception at the security executive level [Paper presentation]. Workshop on Usable
Security and Privacy (USEC) 2021, Auckland, New Zealand.
Peters, E., Västfjäll, D., Gärling, T., & Slovic, P. (2006). Affect and decision making: A “hot”
topic. Journal of Behavioral Decision Making, 19(2), 79-85.
https://doi.org/10.1002/bdm.528
Plachkinova, M. & Maurer, C. (2018). Teaching case: Security breach at target. Journal of
Information Systems Education, 29(1), 11-20.
http://jise.org/Volume29/n1/JISEv29n1p11.html
Polman, E., & Wu, K. (2019). Decision making for others involving risk: A review and meta-
analysis. Advances in Consumer Research, 47, 813–816.
http://search.ebscohost.com.proxy1.calsouthern.edu/login.aspx?direct=true&db=bsx&AN
=143749151&site=eds-live&scope=site
Ponemon Institute. (2020). Cost of a data breach report 2020. IBM Security.
https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf
Ramu, G. (2021). To the Point: ISO/FDIS 10014 incorporates the language of business to help
top management understand its intent. Quality Progress, 54(4), 56–59.
http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/magazines/point/docview/2512816997/se-
2?accountid=35183
Renaud, K., Zimmermann, V., Schürmann, T., & Böhm, C. (2021). Exploring cybersecurity-
related emotions and finding that they are challenging to measure. Humanities and Social
Sciences Communications, 8(1). https://doi.org/10.1057/s41599-021-00746-5
Roldán-Molina, G., Almache-Cueva, M., Silva-Rabadão, C., Yevseyeva, I., & Basto-Fernandes,
V. (2017). A comparison of cybersecurity risk analysis tools. Procedia Computer
Science, 121, 568-575. https://doi.org/10.1016/j.procs.2017.11.075
Rosenblum, M., Schroeder, J., & Gino, F. (2020). Tell it like it is: When politically incorrect
language promotes authenticity. Journal of Personality and Social Psychology, 119(1),
75–103. https://doi-org.proxy1.calsouthern.edu/10.1037/pspi0000206.supp
(Supplemental)
Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing
cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15.
http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/scholarly-journals/boards-role-managing-cybersecurity-
risks/docview/1986317468/se-2?accountid=35183
Rowe, J. (1998). No such thing as...the language of business: Colourless green ideas sleep
furiously. Management Decision, 36(2), 117. https://doi-
org.proxy1.calsouthern.edu/10.1108/00251749810204205
Sarker, I. H., Kayes, A. S., Badsha, S., Alqahtani, H., Watters, P., & Ng, A. (2020).
Cybersecurity data science: an overview from machine learning perspective. Journal of
Big Data, 7(41). https://doi.org/10.20944/preprints202006.0139.v1
Sartawi, A. M. (2020). Information technology governance and cybersecurity at the board level.
International Journal of Critical Infrastructures, 16(2), 150.
https://doi.org/10.1504/ijcis.2020.107265
Sen, R. (2018). Challenges to cybersecurity: Current state of affairs. Communications of the
Association for Information Systems, 22-44. https://doi.org/10.17705/1cais.04302
Shayo, C., & Lin, F. (2019). An exploration of the evolving reporting organizational structure for
the chief information security officer (CISO) function. Journal of Computer Science and
Information Technology, 7(1). https://doi.org/10.15640/jcsit.v7n1a1
Shetty, S., McShane, M., Zhang, L., Kesan, J. P., Kamhoua, C. A., Kwiat, K., & Njilla, L. L.
(2018). Reducing informational disadvantages to improve cyber risk management.
Geneva Papers on Risk & Insurance, 43(2), 224-238. http://dx.doi.org/10.1057/s41288-
018-0078-3
Shreeve, B., Hallett, J., Edwards, M., Anthonysamy, P., Frey, S., & Rashid, A. (2021). “So if Mr
blue head here clicks the link...” risk thinking in cyber security decision making. ACM
Transactions on Privacy and Security, 24(1), 1-29. https://doi.org/10.1145/3419101
Shreeve, B., Hallett, J., Edwards, M., Ramokapane, K. M., Atkins, R., & Rashid, A. (2020). The
best laid plans or lack thereof: Security decision-making of different stakeholder groups.
IEEE Transactions on Software Engineering, 1-15.
https://doi.org/10.1109/tse.2020.3023735
Slayton, T. B. (2018). Ransomware: The virus attacking the healthcare industry. Journal of Legal
Medicine, 38(2), 287–311. https://doi-
org.proxy1.calsouthern.edu/10.1080/01947648.2018.1473186
Sriram, M. S. (2005). Information asymmetry and trust: A framework for studying Microfinance
in India. Vikalpa: The Journal for Decision Makers, 30(4), 77-86.
https://doi.org/10.1177/0256090920050407
Stevens, R., Votipka, D., Remiles, E. M., Ahern, C., Sweeney, P., & Mazurek, M. (2018, August
15-17). The battle for New York: A case study of applied digital threat modeling at the
enterprise level [Paper presentation]. Proceedings of the 27th USENIX Security
Symposium, Baltimore, MD.
Stone v. Ritter, 911 A.2d 362 (Del. 2006)
Theofanidis, D., & Fountouki, A. (2018). Limitations and delimitations in the research process.
Perioperative Nursing, 7(3), 155–163. https://doi-
org.proxy1.calsouthern.edu/10.5281/zenodo.2552022
United States Department of Health and Human Services, Office for Civil Rights v. Premera
Blue Cross. (2020). https://www.hhs.gov/sites/default/files/new-haven-resolution-
agreement-corrective-action-plan.pdf
United States Department of Health and Human Services, Office for Civil Rights v. The City of
New Haven. (2020). https://www.hhs.gov/sites/default/files/new-haven-resolution-
agreement-corrective-action-plan.pdf
United States Department of Health and Human Services, Office for Civil Rights v. CHSPSC
LLC. (2020). https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf
Van Schaik, P., Renaud, K., Wilson, C., Jansen, J., & Onibokun, J. (2020). Risk as affect: The
affect heuristic in cybersecurity. Computers & Security, 90, 101651.
https://doi.org/10.1016/j.cose.2019.101651
Veasey, E. N., & Holland, R. J. (2021). Caremark at the quarter-century watershed: Modern-day
compliance realities frame corporate directors' duty of good faith oversight, providing
new dynamics for respecting chancellor allen's 1996 caremark landmark. The Business
Lawyer, 76(1), 1-29. http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/trade-journals/caremark-at-quarter-century-watershed-
modern-day/docview/2488264547/se-2?accountid=35183
Vleet, J. E. (2012). Informal logical fallacies: A brief guide. University Press of America.
Vogt, W. P., & Johnson, R. B. (2016). The sage dictionary of statistics & methodology: A
nontechnical guide for the social sciences (5th ed.). Sage Publications.
Wachnik, B. (2014). Reducing information asymmetry in IT projects. Informatyka Ekonomiczna,
(31), 212-222. https://doi.org/10.15611/ie.2014.1.17
Walpole, H. D., & Wilson, R. S. (2020). Extending a broadly applicable measure of risk
perception: The case for susceptibility. Journal of Risk Research, 24(2), 135-147.
https://doi.org/10.1080/13669877.2020.1749874
Walpole, H. D., & Wilson, R. S. (2021). A yardstick for danger: Developing a flexible and
sensitive measure of risk perception. Risk Analysis, 41(3). Advance online publication.
https://doi.org/10.1111/risa.13704
Wangen, G., Hallstensen, C., & Snekkenes, E. (2017). A framework for estimating information
security risk assessment method completeness. International Journal of Information
Security, 17(6), 681–699. https://doi.org/10.1007/s10207-017-0382-0
Weill, P., Apel, T., Woerner, S. L., & Banner, J. S. (2019). It pays to have a digitally savvy
board: Having board members with experience in digital business is the new financial
performance differentiator. MIT Sloan Management Review, 60(3), 41–45.
http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/scholarly-journals/pays-have-digitally-savvy-
board/docview/2207931038/se-2?accountid=35183
Wertheim, S. (2019). Where the money is. CPA Journal, 89(3), 61.
http://proxy1.calsouthern.edu/login?url=https://www-proquest-
com.proxy1.calsouthern.edu/scholarly-journals/where-money-is-doing-whats-right-
profession/docview/2195780189/se-2?accountid=35183
Wilamowski, G. C., Dever, J. R., & Stuban, S. M. F. (2017). Using analytical hierarchy and
analytical network processes to create cyber security metrics. Defense Acquisition
Research Journal: A Publication of the Defense Acquisition University, 24(2), 186–221.
https://www.dau.edu/library/arj/Lists/PageContent/Attachments/2/ARJ81_Article01_Wil
amowski.pdf
Williams, C. K., Wynn, D., Madupalli, R., Karahanna, E., & Duncan, B. K. (2014). Explaining
users' security behaviors with the security belief model. Journal of Organizational and
End User Computing, 26(3), 23-46. https://doi.org/10.4018/joeuc.2014070102
Wilson, R. S., Zwickle, A., & Walpole, H. (2018). Developing a broadly applicable measure of
risk perception. Risk Analysis, 39(4), 777-791. https://doi.org/10.1111/risa.13207
Wright, R. S. (2019). Should accounting be the language of business? Research Technology
Management, 62(4), 53–55. https://doi-
org.proxy1.calsouthern.edu/10.1080/08956308.2019.1613121
Wu, K., Sorensen, S., & Sun, L. (2019). Board independence and information asymmetry:
Family firms vs non-family firms. Asian Review of Accounting, 27(3), 329-349.
https://doi.org/10.1108/ara-05-2018-0110
Wu, L., Zeng, S., & Wu, Y. (2018). Affect heuristic and format effect in risk perception. Social
Behavior and Personality: an international journal, 46(8), 1331-1344.
https://doi.org/10.2224/sbp.6957
Zhang, X. A., & Borden, J. (2019). How to communicate cyber-risk? An examination of
behavioral recommendations in cybersecurity crises. Journal of Risk Research, 23(10),
1336-1352. https://doi.org/10.1080/13669877.2019.1646315
Appendix A: Tables
Table A1
Respondents by Functional Role

Functional role                                            Percentage    N
Board/Senior management                                    46.27%        93
CISO or senior most person responsible for cybersecurity   53.73%        108
Grand Total                                                100.00%       201

Notes. Output from Excel shows the distribution of functional areas represented.
Table A2
Respondents by Gender

Gender         Percentage    N
Female         31.16%        62
Male           68.84%        137
Grand Total    100.00%       199

Notes. Output from Excel shows the distribution of genders represented. Two respondents chose
not to identify with the Prefer Not to Answer option.
Table A3
Respondents by Sector

Sector                       Percentage    N
Accommodation                1.49%         3
Administrative               4.48%         9
Agriculture                  1.00%         2
Construction                 6.97%         14
Educational                  4.98%         10
Entertainment                1.99%         4
Finance                      12.44%        25
Healthcare                   15.42%        31
Information                  12.94%        26
Management                   1.99%         4
Manufacturing                4.98%         10
Other Services               8.46%         17
Professional                 8.96%         18
Public (i.e., Government)    1.99%         4
Real Estate                  3.48%         7
Retail                       4.98%         10
Transportation               3.48%         7
Grand Total                  100.00%       201

Notes. Output from Excel shows the distribution of industry sectors represented.
Table A4
Respondents by Metropolitan Area

Metropolitan area                                                                      Percentage    N
I am from another area AND I formerly resided or work in the Greater Chicagoland area  11.94%        24
I am from another metropolitan area                                                    53.23%        107
I currently reside or work in or around the Greater Chicagoland area                   33.33%        67
Prefer not to answer                                                                   1.49%         3
Grand Total                                                                            100.00%       201

Notes. Output from Excel shows the distribution of metropolitan areas represented.
Appendix B: Figures
Figure B1
G*Power output for sample size calculation – non-parametric
Note. Output from G*Power shows the sample size required for non-normal distribution (Faul et
al., 2009).
Figure B2
G*Power output for sample size calculation – parametric
Note. Output from G*Power shows the sample size required for normal distribution (Faul et al.,
2009).
Figure B3
Output for Industry Represented
Note. Output from Excel shows the distribution of industries represented.
Appendix C: Instrument
Demographics
D1 What is your functional role within the organization?
CISO or senior most person responsible for cybersecurity
Board/Senior management
D2 What is the size of your organization?
My organization has more than 1,000 employees
My organization has between 100 and 1,000 employees
My organization has less than 100 employees
D3 To which sector does your organization belong?
Accommodation
Administrative
Agriculture
Construction
Educational
Entertainment
Finance
Healthcare
Information
Management
Manufacturing
Mining
Other Services
Professional
Public (i.e., Government)
Real Estate
Retail
Trade
Transportation
Utilities
D4 I am:
Male
Female
Other
Prefer not to answer
D5 Which selection most closely describes your location:
I currently reside or work in or around the Greater Chicagoland area
I am from another area AND I formerly resided or work in the Greater Chicagoland area
I am from another metropolitan area
Prefer not to answer
Vignettes
Tactical Metrics
Please review the following Tactical Metrics.
Each score is out of 3 points where a higher score is better.
The Risk score, Likelihood x Impact, is out of 25 points where a score between 3 and 6 is the
acceptable risk range.
The Effort score or resource estimate, Time x People x Money, is out of 125 points.
Based on these tactical metrics, please answer the following questions as though these tactical
metrics were presented for your organization.
Affect
A1 How concerned are you, if at all, about cybersecurity?
1. Not at all concerned
2. Slightly concerned
3. Moderately concerned
4. Very concerned
5. Extremely concerned
A2 When you think about cybersecurity for a moment, to what extent do you feel worried?
1. Not at all worried
2. Slightly worried
3. Moderately worried
4. Very worried
5. Extremely worried
A3 How afraid are you, if at all, about cybersecurity?
1. Not at all afraid
2. Slightly afraid
3. Moderately afraid
4. Very afraid
5. Extremely afraid
Exposure
Ex1 How likely is it that cybersecurity events will occur in your organization?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Ex2 How often do cybersecurity events occur in your community?
1. Almost never
2. Rarely
3. Sometimes
4. Often
5. Frequently
Ex3 To what extent do you feel you might experience a cybersecurity event in your
organization?
1. Not at all
2. Somewhat
3. Moderately
4. A great deal
5. Extremely
Ex4 How easy or difficult is it to imagine cybersecurity events occurring in this organization?
1. Very difficult
2. Somewhat difficult
3. Neither difficult nor easy
4. Somewhat easy
5. Very easy
Susceptibility
Su1 If you did experience cybersecurity events in your organization, how likely is it that it
would negatively impact you?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Su2 If cybersecurity events were to occur in your organization, how vulnerable would you be
to the impacts?
1. Not at all vulnerable
2. Slightly vulnerable
3. Moderately vulnerable
4. Very vulnerable
5. Extremely vulnerable
Su3 If cybersecurity events occurred in your organization, how likely would you be to suffer
consequences?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Severity
Se1 How severe would you expect the consequences of a cybersecurity event to be?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Se2 How severe would the impacts of a cybersecurity event be if you were to suffer them?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Se3 If you were to suffer the consequences of a cybersecurity event, how severe would they be
likely to be?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Aggregated Score
Please review the following Scoreboard.
The overall score is out of 100 points where a higher score is better.
The Average Risk Rating is out of 25 points where a score between 3 and 6 is the acceptable risk
range.
Each score for C Values, P Values, I Values, R Values, A Values, and M Values is out of 100
points where a higher score is better.
Each category is defined as follows:
Confidentiality – This score helps in understanding the exposure to losing sensitive data,
including intellectual property, health information, or financial information.
People – This score helps in understanding the exposure where cybersecurity may impact a
person's (an employee's or customer's) access to organizational resources.
Integrity – This score helps in understanding the exposure to data accuracy,
completeness, and consistency.
Reputation – This score helps in understanding the exposure to the organization's
reputation.
Availability – This score helps in understanding the exposure to ensuring that systems are
up and running and accessible.
Money – This score helps in understanding the exposure to financial losses.
Based on this scoreboard, please answer the following questions as though this scoreboard was
presented for your organization.
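The Risk and Effort arithmetic from the Tactical Metrics vignette and the Average Risk Rating from this scoreboard, worked through as an added Python example that is not part of the instrument or of the dissertation's own tooling. It assumes each input is an integer on a 1 to 5 scale (which the stated maxima of 25 and 125 imply) and that the Average Risk Rating is the plain mean of the per-metric Risk scores, which the page does not spell out; the metric names and values are constructed.

```python
# Added example. Assumed (not on the page): Likelihood, Impact, Time, People and
# Money are integers on a 1..5 scale, which makes Risk top out at 25 (5 x 5) and
# Effort at 125 (5 x 5 x 5); Average Risk Rating is taken as the mean Risk score.
from dataclasses import dataclass, fields
from statistics import mean

ACCEPTABLE_RISK = range(3, 7)  # the vignette's acceptable range, 3..6 inclusive


@dataclass(frozen=True)
class TacticalMetric:
    name: str
    likelihood: int
    impact: int
    time: int
    people: int
    money: int

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs before they are multiplied into a score.
        for f in fields(self):
            v = getattr(self, f.name)
            if f.name != "name" and (not isinstance(v, int) or not 1 <= v <= 5):
                raise ValueError(f"{f.name} must be an integer 1..5, got {v!r}")

    @property
    def risk(self) -> int:  # Risk = Likelihood x Impact, out of 25 points
        return self.likelihood * self.impact

    @property
    def effort(self) -> int:  # Effort = Time x People x Money, out of 125 points
        return self.time * self.people * self.money


def average_risk_rating(metrics: list[TacticalMetric]) -> float:
    """Scoreboard Average Risk Rating (out of 25): mean of the per-metric Risk scores."""
    return round(mean(m.risk for m in metrics), 2)


def outside_acceptable_range(metrics: list[TacticalMetric]) -> list[str]:
    """Names of metrics whose Risk score falls outside the 3..6 acceptable range."""
    return [m.name for m in metrics if m.risk not in ACCEPTABLE_RISK]


# Constructed sample metrics for illustration, not data from the dissertation.
SAMPLE = [
    TacticalMetric("patch cadence", likelihood=2, impact=3, time=2, people=1, money=1),
    TacticalMetric("phishing resilience", likelihood=4, impact=4, time=3, people=2, money=2),
    TacticalMetric("backup restore test", likelihood=1, impact=5, time=2, people=2, money=1),
]
```

With the constructed sample, the per-metric Risk scores are 6, 16 and 5, the Average Risk Rating is 9.0, and only "phishing resilience" falls outside the acceptable range.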
Affect
A1 How concerned are you, if at all, about cybersecurity?
1. Not at all concerned
2. Slightly concerned
3. Moderately concerned
4. Very concerned
5. Extremely concerned
A2 When you think about cybersecurity for a moment, to what extent do you feel worried?
1. Not at all worried
2. Slightly worried
3. Moderately worried
4. Very worried
5. Extremely worried
A3 How afraid are you, if at all, about cybersecurity?
1. Not at all afraid
2. Slightly afraid
3. Moderately afraid
4. Very afraid
5. Extremely afraid
Exposure
Ex1 How likely is it that cybersecurity events will occur in your organization?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Ex2 How often do cybersecurity events occur in your community?
1. Almost never
2. Rarely
3. Sometimes
4. Often
5. Frequently
Ex3 To what extent do you feel you might experience a cybersecurity event in your
organization?
1. Not at all
2. Somewhat
3. Moderately
4. A great deal
5. Extremely
Ex4 How easy or difficult is it to imagine cybersecurity events occurring in this organization?
1. Very difficult
2. Somewhat difficult
3. Neither difficult nor easy
4. Somewhat easy
5. Very easy
Susceptibility
Su1 If you did experience cybersecurity events in your organization, how likely is it that it
would negatively impact you?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Su2 If cybersecurity events were to occur in your organization, how vulnerable would you be
to the impacts?
1. Not at all vulnerable
2. Slightly vulnerable
3. Moderately vulnerable
4. Very vulnerable
5. Extremely vulnerable
Su3 If cybersecurity events occurred in your organization, how likely would you be to suffer
consequences?
1. Not at all likely
2. Somewhat likely
3. Moderately likely
4. Very likely
5. Extremely likely
Severity
Se1 How severe would you expect the consequences of a cybersecurity event to be?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Se2 How severe would the impacts of a cybersecurity event be if you were to suffer them?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Se3 If you were to suffer the consequences of a cybersecurity event, how severe would they be
likely to be?
1. Not at all severe
2. Somewhat severe
3. Moderately severe
4. Very severe
5. Extremely severe
Appendix D: Consent Form
Consent Form
You are being asked to take part in a research study being conducted by Edward Marchewka
under the supervision of Dr. John Hannon. The title of the study is:
Reducing Cybersecurity Risk Information Asymmetry Phenomenon: A Prescriptive Approach to
Improving Cybersecurity Risk Perception
Before agreeing to participate in the study, the investigator must explain: (a) the purpose of the
study; (b) the study's procedures and duration; (c) any potential and foreseeable risks; (d) any
potential discomforts and benefits of participating in the research; (e) whether any
steps/activities incurred during participation are experimental; and (f) how confidentiality and
privacy will be maintained.
The purpose of this effort is to investigate the impact on risk perception through the use of
aggregated metrics.
The survey will take approximately 15-20 minutes. During the survey, you will be asked
questions about your risk perception given the background information provided in the
vignettes/scenarios.
Your responses will be transcribed and transformed into data for the research study.
All collected survey data will remain anonymous; the survey data and the UID-generating table are
technically separated, with administrative controls on access. No one will be able to directly
identify participants from the survey results. All collected data will be stored securely within the
survey platform and the California Southern University O365 environment.
There are no known risks if you decide to participate in this research study, nor are there any
costs for participating in the study. The information participants provide will help the
investigator understand how the presentation of risk metrics influences risk perception. The
information collected may not benefit you directly, but what is learned from this study should
provide general benefits to CISOs, Executives, and Board Members.
Further, if you would like to learn about the results of this study, you may request a summary of
results from the investigator at edward.marchewka@my.calsouthern.edu.
Your participation in this survey is voluntary. Even if you decide to participate, you may
withdraw without penalty, or request confidentiality, at any point during the survey. You may
also choose not to answer specific questions or discuss certain subjects during the survey or to
ask to exclude portions of the survey from the study by reaching out to the investigator.
The California Southern University Institutional Review Board (IRB) has reviewed my request
to conduct this project and enlist up to 180 participants. If you have any concerns about your
rights in this study, please contact Brett Gordon, PhD of the California Southern University IRB
at (800) 477-2254 or email brett.gordon@my.calsouthern.edu.
Statement of Consent
By entering my email address and generating a unique identifier, I agree to participate in the
study and to the use of my feedback/data as described above. Further, I agree to print a copy of
this consent form, for my records, as I deem appropriate.
Email
Email Field Appears Here
Participant Bill of Rights
As a participant, you have the following rights. These rights include, but are not limited to, the
following:
the right to be informed of the purpose and nature of the study;
the right to understand the procedures and processes involved with being a participant;
the right to understand the potential risks of participating;
the right to understand how participation may benefit stakeholders;
the right to be informed regarding the voluntary nature of participation;
the right to have information struck/removed from data collection;
the right to withdraw from participation without prejudice;
the right to print a copy of the signed/dated (or electronically signed) consent form;
the right to freely participate without the intervention of force, fraud, bribery, extortion,
deceit, fear, or undue influence;
the right to consult with the IRB regarding any concerns.
Appendix E: Site Permissions
Appendix F: IRB Approvals