That rebirth has occurred in the form of cyber warfare. Anyone who operates in this complex and potentially hostile environment must make tough decisions under severe duress, usually with little time and information.
Few people are ever taught how to make a decision. It is either something a person is assumed to have learned throughout life or is taught as a lengthy deliberate process. When taught, the process almost exclusively involves analytical and very deliberate approaches to weighing the various issues of a problem. In other words, it is a time-consuming, methodical deliberation that severely impacts tempo.
Defending against a cyberattack requires decision-making to be executed at a tempo that enables the organization to control the event and force the adversary to respond to its tactics. The competitor who is able to respond faster than the opponent can identify opportunities and make decisions that force the opponent into a constant state of reaction.
Perfect decisions, often the goal of analytical decision-making models, aren’t possible. Many problems cannot be solved optimally, no matter how long or hard a person or team may think about the problem being confronted.
Bruce T. Blythe, Chairman of R3 Continuum, once said that decision-making in a crisis is “located somewhere between analysis and intuition.” It is therefore a combination of science and art. The science is the information available at a given time, and the art is determining whether that information falls within an acceptable percentage of the information required to make a decision with an acceptable probability of success.
Often the best you can hope for is to devise partial, approximate solutions and refine those over time. In such situations, the ability to make decisions is mostly due to a person’s life experiences, and the perspective (mental models) they bring to the situation. This is the type of situation military decision-makers frequently find themselves in. As such, there are a number of benefits in modeling cyberwarfare decision-making based on military thinking.
Military Thinking
A question that comes from the predicted rebirth of war in Unrestricted Warfare is, “Has China been building a latticework of mental models since 1999 in preparation to achieve their intentions to control the raw resources of the digital global economy: data?” If the answer is yes, then they have a significant advantage in the preparation of the decision-making models, based on their own military thinking, which corporate America must take action to mitigate.
From a military perspective, decisions made within the first hours, days, and even weeks after the start of a crisis are the most critical to ensuring success and mitigating risk. In cybersecurity, hours and days are most critical.
Mental models are a keystone in both military and cyberattack situations. You should create mental models relative to what is being observed in the environment, orient your position to those observations, and constantly update your mental models based on that orientation. If you are doing that, you will have the preparation and training required to develop decisive decision-makers in your organization.
Decisions made in an environment of chaos, uncertainty, and fear require a decisive decision-maker who will, in many instances, make a decision guided by intuition. Intuitive decision-making is making decisions on the basis of experience, feelings, and accumulated judgment. In the context of decision-making, intuition is defined as a “non-sequential information processing model” and can be contrasted with the deliberate style of decision-making.
Training for Battle
Because intuition can influence judgment through emotion and/or cognition, training should be performed through simulation exercises that challenge the individual’s ability to control emotions and make informed decisions supported by the information available and the perspective they have gained from their life experiences and knowledge accumulated (i.e. mental models). To best develop intuitive decision-making, training scenarios should have unrealistically short times for a decision to be made. The situation should involve high stakes related to the action taken and the conditions must be constantly changing. As the repetition of the scenarios is practiced, increasingly challenging conditions should be introduced.
The product of this type of training is the decision-maker’s increased confidence in their intuition. This confidence enables him/her to overcome much of the fear and uncertainty regarding the action to be taken when the unexpected is encountered. If the decision-maker has confidence and trust in their intuition, they will act in a manner that puts an organization ahead of the adversary.
Equally important to creating such confidence and trust is documenting the details of successful and failed risk-reward decision scenarios. A regular review of such documentation can be used to accelerate the development of trusted intuition in a calculated risk-taker.
A paradigm that has been used by military leaders such as Colin Powell in situations requiring the use of intuition in decision-making is the 40/70 rule. While it pains me, as a former Marine, to use a paradigm created in the Army, I find this rule very applicable to the situation confronted in a cyberattack. The 40/70 rule is a two-part approach to decision-making.
- Part 1: Analyze your percentage – Use the formula P = 40 – 70, in which P stands for the probability of success and the numbers indicate the percentage of information acquired. While this can be difficult to judge, an estimate must be made based on where you think you fall in the percentage range of information you feel you have acquired. A portion of this information assessment could be the result of the observations and orientation you have made due to your continuous monitoring.
- Part 2: When you have reached the sweet spot between 40 and 70 percent, then it is up to your intuition to make the right decision. This is where the most effective leaders are born. Decisions are based not just on facts but also on the leader’s gut instinct. Those leaders with an instinct pointing them in the right direction are the ones who will lead their organization to success. A leader must have the courage to go with their gut because:
  - Excessive delays in the name of information-gathering breed “analysis paralysis”, an infection common in corporations today.
  - Procrastination in the name of reducing risk actually increases risk.
Intuition is best used when a person has significant experience and knowledge, which guides that person’s subconscious thought processes. Desired behavior in any discipline, in this instance decision-making, is a learned skill. Regular training and practice will serve to improve the quality of decision-making as well as increase the tempo of decision-making. A slogan in the Marine Corps is applicable to this effort, “The more you sweat in time of peace, the less you bleed in combat”. No organization wants to be in a position of having to take an action never previously attempted when the risks are real and the consequences for the business are potentially severe.
Just as there are consequences for every action, there are also long-reaching consequences for inaction. In fact, this is what spurs the idea of the upper limits of the 40/70 rule. Some of the consequences of initiating a decision when you fall outside the parameters of 40-70% include:
When you have less than 40% of the information needed, it can result in:
- Decisions that, while correct, don’t fully address the situation because certain important aspects weren’t known.
- Ill-informed decisions that can have negative ramifications for certain groups within the business.
- The wrong decision for the situation, which could have been avoided if the minimum 40% had been acquired before it was made.
When you have more than 70% of the information needed, it can result in:
- A missed opportunity to take control of the situation.
- Security team members having to perform unnecessary damage control while waiting for a decision.
- Lost revenue as a result of the business interruption lasting longer than may have been necessary.
- Brand damage from a required regulatory public notification of compromised confidential data that could have been avoided.
Deliberate Practice
Throughout this article, I have emphasized the importance of training and preparation if improvement in the performance of decision-making is to be achieved. In that context, I would recommend a program of “Deliberate Practice”. Whether it is a program designed by the individual for personal improvement or by corporate leadership for community improvement, the enhancement of the decision-making process will be noticeable.
Deliberate practice is a highly structured activity engaged in with the specific goal of improving performance. It has no monetary reward and it is not inherently enjoyable, but to gain skills rapidly or approach expert-level status at something, you must learn how to incorporate it into your life.
The four essentials of Deliberate Practice are:
- You must be motivated to attend to the task and exert effort to improve your performance.
- The design of the task should take into account your pre-existing knowledge so that the task can be correctly understood after a brief period of instruction.
- You should receive immediate informative feedback and knowledge of the results of your performance.
- You should repeatedly perform the same or similar tasks.
There is much more to Deliberate Practice, but exploring it beyond this introduction is a study of its own.
There is no disputing the need for continued improvement in decision-making relative to a business interruption caused by a cyberattack event. The ability to achieve that improvement is available if the commitment can be both made and maintained. Neither making that commitment nor having the mental toughness and grit to persevere in the effort to improve is easy.