Abstract for: Unraveling the dynamic complexity of cyber security: Market pressure or decision failure?

Cyber market is characterized by higher workload, increasing expenditures and staff shortages. We also observe certain doubtful decisions towards security incidents can be observed. Both this nature of the cyber security market and these specific incidents triggered our research to explore the systemic structures relevant to the strategic decision-making process. Our research, conducted at an anonymized fortune-500 company, involves serious gaming and multiple case studies. Our results reveal five structures that drive this process. Our serious game results indicate that 56% of experienced decision makers take suboptimal decisions. Our policy analysis suggests that this may yield up to 200% higher security costs. Extrapolation of these results raises the theoretical question: is there really market pressure or a decision-making problem? Further research is required on this subject. In any case, we advocate enhancing the current tools that support the decision-making process by capturing the dynamic nature of cyber security.