Nice CISOs MUST Retaliate!


Are you a CISO who doesn’t want to rock the boat? Maybe you feel that, to be collaborative, you need to let the business units just get on with it, because standing in their way will only lead to conflict and bad relationships, right? You just want to be seen as helpful…nice even? Well, Robert Axelrod’s seminal work on the Prisoner’s Dilemma provides a compelling lens through which to view the challenges faced by the CISO. Specifically, Axelrod’s paper “Effective Choice in the Prisoner’s Dilemma” sheds light on why a “Nice,” cooperative approach, when coupled with the willingness to retaliate, is not just strategic but necessary in cybersecurity governance. Let’s find out why…

What is the Prisoner’s Dilemma?

The Prisoner’s Dilemma is a fundamental concept in Game Theory that illustrates why two rational individuals might not cooperate, even if it appears that it is in their best interest to do so. The dilemma is typically presented as a scenario in which two criminals are arrested and interrogated in separate rooms, with no way to communicate with each other. They are given the choice to either betray the other by testifying that the other committed the crime (defect) or to cooperate with the other by remaining silent. If both prisoners choose to remain silent, they receive a minimal sentence due to lack of evidence. However, if one betrays the other while the other remains silent, the betrayer goes free, and the silent prisoner receives the maximum sentence. If both betray each other, they both receive a moderate sentence. The dilemma arises because, although mutual cooperation would lead to a better overall outcome, the rational decision for each, in isolation, is to defect, leading to a worse outcome for both. This scenario elegantly captures the tension between individual rationality and collective benefit, which is highly applicable to cybersecurity governance.

When the Prisoner’s Dilemma is applied over multiple turns (the Iterated Prisoner’s Dilemma), the dynamics of the game fundamentally change, introducing complex strategies and outcomes not present in the single-turn version. In a single iteration, the dominant strategy for both players is to defect, as it offers the best personal outcome regardless of the other player’s choice. However, when the game is played repeatedly, the context of past and future interactions comes into play, affecting decision-making and opening up the possibility of fostering cooperation.

The issue in the Iterated Prisoner’s Dilemma lies in the uncertainty regarding how to optimise long-term gains. Since players have memory of previous rounds, they can adjust their strategies based on the actions of their opponent. This introduces the possibility of retaliation, forgiveness, and the establishment of trust, which do not exist in a single-round game. For example, a strategy that starts with cooperation and then mimics the previous move of the other player (Tit for Tat) can encourage mutual cooperation, leading to higher collective benefits over time.
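To make the mechanism concrete, here is an added simulation of the Iterated Prisoner’s Dilemma (not code from the original post) that pits a “nice but never retaliates” strategy and Tit for Tat against a persistent defector, plus an unforgiving variant for comparison. The payoff values are the conventional tournament values and the strategy names are assumptions made for this example.

```python
from typing import Callable, Dict, List, Tuple

C, D = "C", "D"
# Conventional Axelrod tournament payoffs (assumed here): T=5 > R=3 > P=1 > S=0
PAYOFF = {(C, C): (3, 3), (C, D): (0, 5), (D, C): (5, 0), (D, D): (1, 1)}
# A strategy sees its own history and the opponent's and returns its next move.
Strategy = Callable[[List[str], List[str]], str]

def always_cooperate(mine: List[str], theirs: List[str]) -> str:
    """Nice but never retaliates: the CISO who does not want to rock the boat."""
    return C

def always_defect(mine: List[str], theirs: List[str]) -> str:
    """Never cooperates: exploits anyone who will not push back."""
    return D

def tit_for_tat(mine: List[str], theirs: List[str]) -> str:
    """Nice (opens with C), retaliatory (copies the opponent's last move) and
    forgiving (returns to C as soon as the opponent does)."""
    return C if not theirs else theirs[-1]

def grudger(mine: List[str], theirs: List[str]) -> str:
    """Nice and retaliatory but unforgiving: after one defection it defects forever."""
    return D if D in theirs else C

def play(a: Strategy, b: Strategy, rounds: int = 10) -> Tuple[int, int]:
    """Play `rounds` iterations of the dilemma and return (score_a, score_b)."""
    hist_a: List[str] = []
    hist_b: List[str] = []
    score_a = score_b = 0
    for _ in range(rounds):
        move_a, move_b = a(hist_a, hist_b), b(hist_b, hist_a)
        pay_a, pay_b = PAYOFF[(move_a, move_b)]
        score_a, score_b = score_a + pay_a, score_b + pay_b
        hist_a.append(move_a)
        hist_b.append(move_b)
    return score_a, score_b

def tournament(strategies: Dict[str, Strategy], rounds: int = 10) -> Dict[str, int]:
    """Round robin, self-play included: each strategy's total score across all opponents."""
    return {name: sum(play(s, other, rounds)[0] for other in strategies.values())
            for name, s in strategies.items()}

STRATEGIES: Dict[str, Strategy] = {"allc": always_cooperate, "alld": always_defect,
                                   "tft": tit_for_tat, "grudger": grudger}

if __name__ == "__main__":
    print(play(always_cooperate, always_defect))  # nice without retaliation: (0, 50)
    print(play(tit_for_tat, always_defect))       # nice with retaliation: (9, 14)
    print(tournament(STRATEGIES))                 # tft and grudger lead, alld trails
```

Over ten rounds the non-retaliating cooperator is exploited for the full 50 points while Tit for Tat concedes only a single round, and in the round robin the nice-but-retaliatory strategies come out ahead of the permanent defector.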

What did Axelrod find out?

At the heart of Axelrod’s analysis is the concept that cooperation, while beneficial, requires mechanisms to enforce compliance and deter exploitation. This principle is particularly relevant for CISOs, whose role is to safeguard their organisation’s information assets against both external AND internal threats. In this context, internal non-compliance with security policies, especially by those in IT and Project Delivery roles, poses a significant risk. These individuals, given their access to critical systems and information, have the potential to inadvertently (or otherwise) compromise organisational security.

The question then arises: how should a CISO, embodying the “Nice” cooperative strategy, respond to such non-compliance? Drawing from Axelrod, the answer lies in a strategic form of retaliation that is consistent, proportionate, and transparent. It’s not just theory either: we have seen this kind of measured retaliation manifest itself recently between Iran and Pakistan, with the apparent outcome that tensions between the two states have not escalated into a more dangerous conflict.

How should a CISO retaliate?

Given CISOs don’t have ballistic missiles at their fingertips, how can they realistically retaliate against non-compliance with internal security policies by others in the business? Firstly, consistency is crucial. Just as Axelrod’s strategy involves retaliating against uncooperative behaviour to discourage future breaches, a CISO must ensure that responses to non-compliance are predictable and aligned with pre-established security policies. Examples include automatic sanctions for certain types of policy violation, a risk acceptance process that is triggered automatically, or a technical change that is pushed back, ensuring employees understand the direct consequences of their actions.

Proportionality is equally important. In Axelrod’s approach, retaliation is never more severe than the breach. For a CISO, this means that the response to non-compliance must be appropriate to the level of risk posed by the violation. Minor infractions might warrant a warning or a mandatory training session, whereas more serious breaches could lead to more significant repercussions, such as suspension of access privileges or disciplinary action. The goal is not to punish but to reinforce the importance of security practices and deter future non-compliance.

Transparency in the retaliation process is crucial for maintaining trust and cooperation within the organisation. Just as Axelrod advocates for clarity in the rules of engagement, a CISO should ensure that all employees understand the security policies, the rationale behind them, and the consequences of non-compliance. This can be achieved through regular communication, training sessions, and open forums for feedback and discussion.

Moreover, a “Nice” CISO, while firm in retaliation, should also be open to reconciliation. Axelrod’s strategy suggests that after retaliating, there should be a willingness to forgive and revert to cooperative behaviour if the offending party changes their approach. Applied to cybersecurity, this means that after an employee has faced consequences for non-compliance, they should be offered support and guidance to improve their security practices, fostering a culture of continuous learning and cooperation.

Summing Up

The principles derived from Axelrod’s work on the Prisoner’s Dilemma offer valuable insights for CISOs attempting to embed security policies whilst demonstrating they have the business’ best interests at heart. By adopting a cooperative yet firm approach, embodying consistency, proportionality, and transparency in retaliation, and maintaining an openness to reconciliation, CISOs can effectively manage internal non-compliance, thereby strengthening the organisation’s overall security posture. Given the challenges CISOs face to keep their organisation secure, such strategic finesse is not just advantageous – it’s essential!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.