Decision-Making In Cyber Risk Management: A Phenomenological-Hermeneutics Approach
DOI: https://doi.org/10.15446/innovar.v34n93.98107
Keywords: Cybersecurity, phenomenology-hermeneutics, cyber risk management, uncertainty, decision-making
Abstract
Cyberattacks are increasing and their impact is difficult to estimate. Lack of awareness of the types of risk generates high complexity and low predictive capacity. Consequently, business managers make decisions based on their experience and intuition in the face of uncertainty. This research explores the factors involved in cyber risk management (CRM) from the perspective of decision-makers, using a qualitative design and a phenomenological-hermeneutic method. Eight executives with extensive experience in the field of cybersecurity at large Colombian organizations were interviewed. As a result of the analysis, 191 units of meaning were identified from the experience of the interviewees. These units were grouped into 37 subcategories, nine categories, and two supercategories, which are integrated into a qualitative framework representing decision-making (DM) from the perspective of decision-makers in cybersecurity. This qualitative framework is a necessary, novel, and original contribution to understanding the DM process in the management of information and communication technologies (ICT), as it reveals the factors involved in DM for CRM from the perspective of those responsible for making decisions. It was found that although the decision-maker's experience is very important, the maturity of the organization significantly affects how it manages risk and makes decisions. Finally, the limitations of the study are noted.
License
Copyright 2024 Innovar
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
All articles published by Innovar are available globally in open access and are licensed under the terms of Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0).
Once the articles for an issue have been selected, and before the editorial care and production stage begins, the authors must sign an assignment of the economic rights to their work. Innovar adheres to Colombian copyright law.
Material from this journal may be reproduced or quoted for academic purposes, citing the source.