Unclear and unidentifiable risk
According to IFOP, 35% of mid-sized company executives consider cyber security to be a strategic risk, while 55% of mid-sized companies assess this risk as significant, but at the same time describe it as “non-priority.” Are we suffering from schizophrenia? Are executives overwhelmed by so many concurrent threats? The answer is much more complex and requires, above all, a great deal of humility... The first thing to understand is that executives are being asked to make decisions in the face of a cyber risk that is perceived as being too vague, distant, intangible, “uncertain, worrying, and complex,” explains Jacques Fradin, MD, a specialist in cognitive psychology. The second factor is the fear that accompanies this cyber risk, both in reality, since it is now proven that this risk can destroy an entire organization, and through the anxiety-inducing communication that has been adopted for years now. This fear then triggers several reactions: denial, overprotection, or reckless risk-taking, and the perception of the stakes is all the more destabilizing. Another factor that should not be overlooked is that the risk incurred is easier to manage emotionally than the risk taken, which can lead to indecision! Our responsibility, and even our guilt, is engaged, even more so when our social image is at stake. “Human decision-making is subject to numerous biases. In situations where we have no control, our brain defaults to a position of withdrawal, avoidance, or denial. This undoubtedly explains why some companies believe they are well protected... against all reason!” explains Jacques Fradin.
Resistance to change
The major factors of resistance to change seem to be present: novelty, which makes risk, which is abstract in nature, even more unreal, in favor of more pressing, more concrete, but also more benign and reassuring everyday issues; the seriousness and complexity of the risks, which paradoxically encourage a wait-and-see attitude or even fatalism... and the context in which we are seeing a proliferation of climatic, ecological, health, economic, social, geopolitical, and other risks. Finally, cyber risk is a new kind of risk. “Highly evolving, difficult to trace, offset, emanating from 'complicit' territories, it involves potential internal human relays within the company, who are aware and malicious and who can trigger a crisis through error or negligence,” emphasizes Dr. Fradin. While all this does not prevent the status quo or the hope of “being able to dodge the bullet”... it does at least allow us to better understand our reaction to decision-making, or more precisely to the lack of decision-making, and the need for discernment, which in this context can be sorely lacking but which, fortunately, is obviously neither irreversible nor insurmountable. With these elements of understanding in place, how can we assess things in a healthy way, with intelligence and critical thinking, or how can we take action to control cyber risks? Being able to make decisions in good conscience also means that advisors must dare to speak up! Dare to speak up and present insightful and operational information that may indeed shake things up, raise eyebrows, or break the consensus in an executive committee or board of directors... To draw a parallel with medicine, hiding your symptoms or medical history from your doctor will distort the diagnosis and therefore the prescribed medical treatment. It is impossible to strengthen your immune system and fight the virus...
So, once again, humans have a key role to play
This approach forces us to step outside our comfort zone in order to make the necessary decisions and control cyber risks. Choosing means giving something up, but it also means, above all, deciding! Let's not forget that great revolutions required courage and perseverance from our illustrious ancestors: proving that the Earth was not flat was no easy task. Today, it seems obvious! Traveling and exploring space, thinking about one day living on the Moon or Mars, are revolutions that rely on risky decisions that are essential to our evolution.
