I find the decision-making process fascinating for both attackers and defenders. For defenders, I would expect decisions to be based on a thorough understanding of the threats and how they translate through risk into business impact. In fact, this survey indicates that decisions are often based on what peers or analysts think should be done…:
[…] One of the more interesting aspects of this research is the differences noted between the nine countries involved in the survey. The UK (48%), New Zealand (40%), Spain (48%), and Singapore/Malaysia (59%) see benchmarking with industry peers as the top source of information in making informed decisions, whereas the USA (45%) and Australia (47%) lean toward industry analysts such as Gartner or Forrester for direction.
Regardless of the country, CISOs and IT decision makers make their decisions based on facts – what is proven in their industry or evaluated highly by industry analysts – rather than the fear of a cyber incident or audit failure. As we have seen, however, this is not necessarily how they inform their case for board-level approval.