{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T17:43:05Z","timestamp":1781113385461,"version":"3.54.1"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2020,11,8]],"date-time":"2020-11-08T00:00:00Z","timestamp":1604793600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"EPSRC grants MUMBA: Multi-faceted Metrics for ICS Business Risk Analysis","award":["EP\/M002780\/1"],"award-info":[{"award-number":["EP\/M002780\/1"]}]},{"name":"DYPOSIT: Dynamic Policies for Shared Cyber-Physical Infrastructures under Attack","award":["EP\/N021657\/2"],"award-info":[{"award-number":["EP\/N021657\/2"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,2,28]]},"abstract":"<jats:p>\n            Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation\u2019s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision makers\u2019\n            <jats:italic>risk thinking<\/jats:italic>\n            \u2014their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game.\u00a0 Our analysis identifies four\n            <jats:italic>structural patterns<\/jats:italic>\n            of risk thinking and two\n            <jats:italic>reasoning<\/jats:italic>\n            strategies:\n            <jats:italic>risk-first<\/jats:italic>\n            and\n            <jats:italic>opportunity-first<\/jats:italic>\n            . Our work highlights that risk-first approaches (as prescribed by the likes of NIST-800-53\u00a0and ISO 27001)\u00a0are followed neither substantially nor exclusively when it comes to decision making. Instead, our analysis finds that decision making is affected by the plasticity of teams\u2014that is, the ability to readily switch between ideas and practising both risk-first and opportunity-first reasoning.\n          <\/jats:p>","DOI":"10.1145\/3419101","type":"journal-article","created":{"date-parts":[[2020,11,9]],"date-time":"2020-11-09T01:42:26Z","timestamp":1604886146000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["\u201cSo if Mr Blue Head here clicks the link...\u201d Risk Thinking in Cyber Security Decision Making"],"prefix":"10.1145","volume":"24","author":[{"given":"Benjamin","family":"Shreeve","sequence":"first","affiliation":[{"name":"University of Bristol, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Joseph","family":"Hallett","sequence":"additional","affiliation":[{"name":"University of Bristol, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Matthew","family":"Edwards","sequence":"additional","affiliation":[{"name":"University of Bristol, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Pauline","family":"Anthonysamy","sequence":"additional","affiliation":[{"name":"Google, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sylvain","family":"Frey","sequence":"additional","affiliation":[{"name":"Google, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Awais","family":"Rashid","sequence":"additional","affiliation":[{"name":"University of Bristol, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2020,11,8]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Practical Statistics for Medical Research","author":"Altman Douglas G.","unstructured":"Douglas G. Altman . 1990. Practical Statistics for Medical Research . CRC Press , Boca Raton, FL . Douglas G. Altman. 1990. Practical Statistics for Medical Research. CRC Press, Boca Raton, FL."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/RE.2016.39"},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918)","author":"Bock Kevin","year":"2018","unstructured":"Kevin Bock , George Hughey , and Dave Levin . 2018 . King of the Hill: A novel cybersecurity competition for teaching penetration testing . In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918) . 9. Kevin Bock, George Hughey, and Dave Levin. 2018. King of the Hill: A novel cybersecurity competition for teaching penetration testing. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918). 9."},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1042091.1042094"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1330311.1330325"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jesp.2003.11.003"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1005817.1005828"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1023\/A:1015544715608"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-007-0040-6"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1539-6924.2008.01142.x"},{"key":"e_1_2_1_11_1","doi-asserted-by":"crossref","first-page":"368","DOI":"10.2307\/256784","article-title":"Does decision process matter? A study of strategic decision-making effectiveness","volume":"39","author":"Dean James W.","year":"1996","unstructured":"James W. Dean Jr . and Mark P. Sharfman . 1996 . Does decision process matter? A study of strategic decision-making effectiveness . Academy of Management Journal 39 , 2 (1996), 368 -- 392 . James W. Dean Jr. and Mark P. Sharfman. 1996. Does decision process matter? A study of strategic decision-making effectiveness. Academy of Management Journal 39, 2 (1996), 368--392.","journal-title":"Academy of Management Journal"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516753"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1299015.1299019"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143131"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2782813"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.websem.2007.09.005"},{"key":"e_1_2_1_18_1","doi-asserted-by":"crossref","first-page":"613","DOI":"10.2307\/256117","article-title":"Group decision making under threat: The tycoon game","volume":"28","author":"Gladstein Deborah L.","year":"1985","unstructured":"Deborah L. Gladstein and Nora P. Reilly . 1985 . Group decision making under threat: The tycoon game . Academy of Management Journal 28 , 3 (1985), 613 -- 627 . Deborah L. Gladstein and Nora P. Reilly. 1985. Group decision making under threat: The tycoon game. Academy of Management Journal 28, 3 (1985), 613--627.","journal-title":"Academy of Management Journal"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 6th Workshop on Cyber Security Experimentation and Test (CSET\u201913)","author":"Gondree Mark","unstructured":"Mark Gondree and Zachary N. J. Peterson . 2013. Valuing security by getting [d0x3d!]: Experiences with a network security board game . In Proceedings of the 6th Workshop on Cyber Security Experimentation and Test (CSET\u201913) . 8. Mark Gondree and Zachary N. J. Peterson. 2013. Valuing security by getting [d0x3d!]: Experiences with a network security board game. In Proceedings of the 6th Workshop on Cyber Security Experimentation and Test (CSET\u201913). 8."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/581271.581274"},{"key":"e_1_2_1_21_1","unstructured":"ISO\/IEC. 2013. ISO\/IEC 27001. Technical Report. ISO\/IEC. https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:27001:ed-2:v1:en.  ISO\/IEC. 2013. ISO\/IEC 27001. Technical Report. ISO\/IEC. https:\/\/www.iso.org\/obp\/ui\/#iso:std:iso-iec:27001:ed-2:v1:en."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2018.09.003"},{"key":"e_1_2_1_24_1","volume-title":"MacPhail","author":"Keller Ann C.","year":"2012","unstructured":"Ann C. Keller , Chris K. Ansell , Arthur L. Reingold , Mathilde Bourrier , Mark D. Hunter , Sahai Burrowes , and Theresa M . MacPhail . 2012 . Improving pandemic response: A sensemaking perspective on the spring 2009 H1N1 pandemic. Risk, Hazards 8 Crisis in Public Policy 3, 2 (2012), 1--37. Ann C. Keller, Chris K. Ansell, Arthur L. Reingold, Mathilde Bourrier, Mark D. Hunter, Sahai Burrowes, and Theresa M. MacPhail. 2012. Improving pandemic response: A sensemaking perspective on the spring 2009 H1N1 pandemic. Risk, Hazards 8 Crisis in Public Policy 3, 2 (2012), 1--37."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1002\/asi.20722"},{"key":"e_1_2_1_26_1","volume-title":"The Waterborne Evacuation of Lower Manhattan on September 11: A Case of Distributed Sensemaking","author":"Kendra James","unstructured":"James Kendra and Tricia Wachtendorf . 2006. The Waterborne Evacuation of Lower Manhattan on September 11: A Case of Distributed Sensemaking . Disaster Research Center . James Kendra and Tricia Wachtendorf. 2006. The Waterborne Evacuation of Lower Manhattan on September 11: A Case of Distributed Sensemaking. Disaster Research Center."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jebo.2004.11.013"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/CMPASS.1997.613270"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS\u201917)","author":"M\u2019manga Andrew","year":"2017","unstructured":"Andrew M\u2019manga , Shamal Faily , John McAlaney , and Christopher Williams . 2017 . Folk risk analysis: Factors influencing security analysts\u2019 interpretation of risk . In Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS\u201917) . Andrew M\u2019manga, Shamal Faily, John McAlaney, and Christopher Williams. 2017. Folk risk analysis: Factors influencing security analysts\u2019 interpretation of risk. In Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS\u201917)."},{"key":"e_1_2_1_30_1","volume-title":"Chang","author":"Moore Tyler","year":"2015","unstructured":"Tyler Moore , Scott Dynes , and Frederick R . Chang . 2015 . Identifying How Firms Manage Cybersecurity Investment. Technical Report. Darwin Deason Institute for Cybersecurity, Southern Methodist University . http:\/\/blog.smu.edu\/research\/files\/2015\/10\/SMU-IBM.pdf. Tyler Moore, Scott Dynes, and Frederick R. Chang. 2015. Identifying How Firms Manage Cybersecurity Investment. Technical Report. Darwin Deason Institute for Cybersecurity, Southern Methodist University. http:\/\/blog.smu.edu\/research\/files\/2015\/10\/SMU-IBM.pdf."},{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918)","author":"John","unstructured":"John R. Morelock and Zachary Peterson. 2018. Authenticity, ethicality, and motivation: A formal evaluation of a 10-week computer security alternate reality game for CS undergraduates . In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918) . 11. John R. Morelock and Zachary Peterson. 2018. Authenticity, ethicality, and motivation: A formal evaluation of a 10-week computer security alternate reality game for CS undergraduates. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE\u201918). 11."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10619-010-7077-0"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.6028\/NBS.FIPS.21-1-1975"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/STAST.2011.6059257"},{"key":"e_1_2_1_35_1","unstructured":"Cabinet Office. 2011. Keeping the Country Running: Natural Hazards and Infrastructure. Cabinet Office.  Cabinet Office. 2011. Keeping the Country Running: Natural Hazards and Infrastructure. Cabinet Office."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16419-4_31"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1080\/07421222.1991.11517914"},{"key":"e_1_2_1_38_1","volume-title":"The role of risk perception for risk management. Reliability Engineering 8 System Safety 59, 1","author":"Renn Ortwin","year":"1998","unstructured":"Ortwin Renn . 1998. The role of risk perception for risk management. Reliability Engineering 8 System Safety 59, 1 ( 1998 ), 49--62. Ortwin Renn. 1998. The role of risk perception for risk management. Reliability Engineering 8 System Safety 59, 1 (1998), 49--62."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4020-6799-0"},{"key":"e_1_2_1_40_1","volume-title":"Speech Act Theory and Pragmatics","author":"Searle John R.","unstructured":"John R. Searle , Ferenc Kiefer , and Manfred Bierwisch . 1980. Speech Act Theory and Pragmatics . Vol. 10 . Springer . John R. Searle, Ferenc Kiefer, and Manfred Bierwisch. 1980. Speech Act Theory and Pragmatics. Vol. 10. Springer."},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE\u201914)","author":"Shostack Adam","year":"2014","unstructured":"Adam Shostack . 2014 . Elevation of privilege: Drawing developers into threat modeling . In Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE\u201914) . Adam Shostack. 2014. Elevation of privilege: Drawing developers into threat modeling. In Proceedings of the 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE\u201914)."},{"key":"e_1_2_1_42_1","volume-title":"Perception of risk. Science 236, 4799","author":"Slovic Paul","year":"1987","unstructured":"Paul Slovic . 1987. Perception of risk. Science 236, 4799 ( 1987 ), 280--285. Paul Slovic. 1987. Perception of risk. Science 236, 4799 (1987), 280--285."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1080\/13598139.2011.576084"},{"key":"e_1_2_1_44_1","volume-title":"Milliken","author":"Starbuck William H.","year":"1988","unstructured":"William H. Starbuck and Frances J . Milliken . 1988 . Executives\u2019 perceptual filters: What they notice and how they make sense. In The Executive Effect: Concepts and Methods for Studying Top Managers, D. Hambrick (Ed.). JAI Press , 33--65. William H. Starbuck and Frances J. Milliken. 1988. Executives\u2019 perceptual filters: What they notice and how they make sense. In The Executive Effect: Concepts and Methods for Studying Top Managers, D. Hambrick (Ed.). JAI Press, 33--65."},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Stevens Rock","unstructured":"Rock Stevens , Daniel Votipka , Elissa M. Redmiles , Colin Ahern , Patrick Sweeney , and Michelle L. Mazurek . 2018. The battle for New York: A case study of applied digital threat modeling at the enterprise level . In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918) . 621--637. Rock Stevens, Daniel Votipka, Elissa M. Redmiles, Colin Ahern, Patrick Sweeney, and Michelle L. Mazurek. 2018. The battle for New York: A case study of applied digital threat modeling at the enterprise level. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). 621--637."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.2307\/249551"},{"key":"e_1_2_1_47_1","doi-asserted-by":"crossref","unstructured":"Lucy Suchman. 2007. Human-Machine Reconfigurations. Cambridge University Press.  Lucy Suchman. 2007. Human-Machine Reconfigurations. Cambridge University Press.","DOI":"10.1017\/CBO9780511808418"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2011.273"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.2307\/2393339"},{"key":"e_1_2_1_50_1","volume-title":"Sensemaking in Organizations","author":"Weick Karl E.","unstructured":"Karl E. Weick . 1995. Sensemaking in Organizations . Vol. 3 . Sage . Karl E. Weick. 1995. Sensemaking in Organizations. Vol. 3. Sage."},{"key":"e_1_2_1_52_1","volume-title":"Proceedings of the 2011 DiGRA International Conference.","author":"Xu Yan","year":"2011","unstructured":"Yan Xu , Evan Barba , Iulian Radu , Maribeth Gandy , and Blair MacIntyre . 2011 . Chores are fun: Understanding social play in board games for digital tabletop game design . In Proceedings of the 2011 DiGRA International Conference. Yan Xu, Evan Barba, Iulian Radu, Maribeth Gandy, and Blair MacIntyre. 2011. Chores are fun: Understanding social play in board games for digital tabletop game design. In Proceedings of the 2011 DiGRA International Conference."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3419101","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3419101","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:32:05Z","timestamp":1750195925000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3419101"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,11,8]]},"references-count":49,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,28]]}},"alternative-id":["10.1145\/3419101"],"URL":"https:\/\/doi.org\/10.1145\/3419101","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,11,8]]},"assertion":[{"value":"2019-09-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-11-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}