THE TRANSITION FROM RISK AWARENESS TO RISK MANAGEMENT

The fifth strategic pillar in improving the cyber resilience of a local authority, or any other organisation, is the implementation of an action and continuous improvement plan.

To ensure we succeed in managing our risks, we must make a collective commitment and take decisions. Awareness of the issues is growing, but action is slow to arrive.
With company directors so experienced in everyday decision-making, how can this bottleneck be explained? To overcome it, we must understand it. Psychology can give us some initial clues.

A vague, indefinable risk

According to IFOP, 35% of executives at mid-market companies consider cyber to be a strategic risk, while 55% evaluate it as important but describe it as “non-priority”.[1]

Why this inability to make up their minds? Are executives overwhelmed by so many parallel threats? The answer is much more complex, and requires, above all, a great deal of humility…

The first element that can help us understand is that executives are required to take decisions in the context of a cyber risk that is seen as too vague, remote, abstract – or “indefinable, worrying and complex”, according to Jacques Fradin, a medical doctor specialising in cognitive psychology.

The second element is the fear that goes along with cyber risk. This fear arises both from reality, because it is now clear that cyber risk can bring a whole organisation to its knees, and from the anxiety-inducing discussions on the subject over the last few years. This fear can lead to several reactions – denial, overprotection or unnecessary risk-taking – making perceptions of what is at stake all the more destabilising.

Another important factor is that a risk imposed from outside is easier to accept emotionally than a risk actively taken, which can encourage people to avoid making decisions! It is easier to ascribe responsibility or blame when a risk is taken, especially when our social image is involved. “Human decision-making is subject to many biases. In situations where we are not in control, our brain automatically adopts a posture of withdrawal, avoidance or denial. This is no doubt why some companies believe they are well protected – against all the evidence!” explains Jacques Fradin.

Resistance to change

Here we see all the main factors in resistance to change: novelty, which makes an already-abstract risk even more unreal, diverting attention towards everyday concerns that are more urgent and concrete but also more benign and reassuring; the severity and complexity of the risks, which paradoxically encourage a policy of wait-and-see or even a fatalistic approach… and a situation in which climate, environmental, health, economic, social, geopolitical and other risks seem to be multiplying.

Lastly, cyber risk belongs to a whole new category. “Evolving quickly, difficult to trace, remote, emanating from ‘complicit’ regions, it also includes the potential for malicious, willing accomplices within the company, able to trigger a crisis through error or negligence,” emphasises Dr Fradin. While none of this prevents the status quo or the hope of “being able to escape the worst”, it helps us understand how to respond to decision-making, or more accurately the failure to take decisions, and the need for sound judgement, which is often sadly lacking in this context. But the good news is that the situation is clearly neither irreversible nor insurmountable.

Following on from these observations, how can we assess things healthily, intelligently and critically, and then take action to manage our cyber risks?

Support and clarification

If business leaders do not have a realistic perception of the risk, we must help them to grasp it using simple, pragmatic diagnostics or analyses. We must clearly explain the risks and the impact of cyber threats for their business, activity and staff. This will help turn a vague, abstract risk into a reality that is suddenly more concrete.

This process involves using mapping tools to represent, quantify and produce simple diagrams of data from our collaborative libraries – information and data shared by executives’ peers. This information reflects risks in specific contexts, taken from the experience of other users, making it possible to deliver very realistic attack scenarios very quickly, in which executives can see their own situations reflected.

Board members can thus access clear, contextualised, comprehensible, concrete information enabling them to understand the true danger situation in which they find themselves, the risks the company must address, their level of protection and the actions to take, with clear levels of priority. Ultimately, all these points enable more enlightened decision-making.

Strategic information sharing

Risky situations can rarely be grasped without external information, and can never be resolved alone. Protection requires risk assessments to be shared and circulated so that the whole community can benefit through a rebound effect.

The parallel with the armed forces is striking – a soldier never leaves for the front alone. Soldiers need others to advance, adapt to the situation and take decisions. Each soldier is thus a transmitter of useful information and a receiver of information from the community. The configuration is exactly the same in the cybersecurity context.

Going beyond security measures that address different technological levels, decisions must relate to both human and structural procedures.

Putting humans and how they think back at the heart of the issue

Let’s be soldiers! Cyber soldiers protecting our shared national and European heritage. This includes you, business leaders. Your role is essential. The actions you take are vital. You have the power to decide, illustrating once again that humans are at the heart of the issue. Humans, taking decisions. Humans, taking action.

Taking informed decisions also requires advisers to be brave! They must dare to speak and present informative operational details that can change the story, raise a smile and disrupt the consensus in an executive committee or board of directors.
To use a medical analogy, hiding your symptoms or medical history will lead to your doctor making the wrong diagnosis and prescribing the wrong treatment. This leaves you with depleted immune defences, unable to fight the virus…

So this is another key role that humans must play.

This approach requires us to leave our comfort zones and take the necessary decisions in order to manage our cyber risks. Choosing means giving up options, but above all it means making a decision!

We must not forget that all the great revolutions required our ancestors to show courage and perseverance. Demonstrating that the world is round was not easy. Nowadays it seems obvious! Travelling and exploring space, imagining living on the moon or Mars one day – these are revolutions based on risky decisions that were nonetheless essential for us to evolve.

The same applies to managing cyber risks. It is up to us to decide with courage and humility!


[1] https://www.besse.fr/fr/les-dirigeants-deti-face-la-menace-cyber-point-de-situation

Published on 15 March 2021. 16 minutes reading time.
