Hersh Shefrin
The arrest last week in Canada of Meng Wanzhou, Huawei’s chief financial officer, injects one more source of uncertainty into a global economy that is increasingly fragile, and into financial markets that reflect a marked uptick in investor anxiety.
To be sure, the narrow issue with Huawei is that it is alleged to have violated U.S. restrictions on trading with Iran. However, there is a broader issue that is a central point of contention in the trade dispute and potential cold war between China and the U.S. That issue is cybertheft.
Chinese cybertheft left a deep wound on Canada, having been a major contributor to the demise of one of its stellar firms, Nortel Networks. Notably, Nortel Network’s lead investigator into the theft identified Huawei as the perpetrator of the cyberattack on the firm, and suggested that the attack was an act of industrial espionage.
Although the Nortel cyberstory is long, here is a short version. In 2000, hackers with China-based Internet addresses obtained the passwords of seven top Nortel executives, including its CEO. Subsequently, these hackers downloaded large amounts of data that included critical proprietary intellectual property. Huawei, which had been one of Nortel’s vendors, not competitors, some years later suddenly emerged as a fierce competitor. Moreover, Huawei did so without evidence of having invested the kind of research and development necessary to reach that level of competitiveness. The combination of the global financial crisis and the ability of firms like Huawei to offer low prices created an environment in which it was impossible for Nortel to compete; and the firm was forced to liquidate.
Amazingly, or perhaps not, is that manufacturing firms have failed to digest the lessons about cybersecurity from cases like the one at Nortel. In recent years, Merck, Mondelez International, and Taiwan Semiconductor Manufacturing Corporation have suffered serious cyberattacks.
Most of these cyberattacks were preventable. It is important to understand that in the world of professional risk management that subscribes to the Kaplan-Mikes risk management typology, “preventable” means low hanging fruit, risks that can and should be addressed, as these risks are easy to mitigate at low cost.
Just last month, The New York Times ran a story on this theme. That story quoted Silicon Valley legend Tom Siebel, who pointed out that manufacturing firms’ approaches to cybersecurity are “sloppy.” In this respect, Siebel stated that the vast majority of cyberpenetration events can be prevented by using off the shelf cyberproducts and fundamental practices that involve employee training, changing passwords, two-factor authorization, and altering USB ports in order that they cannot download. According to insurance firm Chubb, half of manufacturing losses in 2018 resulted from phishing attacks, meaning that people working in manufacturing are clicking on links more frequently than those working in other industries. Less obvious points of cyber vulnerability involve old printers on networks, even if connected but not used, and the use of older versions of operating systems such as outdated Windows XP.
That most recent manufacturing cyberattacks were preventable tells us that the underlying failures were more psychological than technical. Maybe, just maybe, having some understanding about the character of the psychological obstacles that stand in the way of prudent cybersecurity behavior, will help manufacturing firms do a better job managing their exposures to cyberrisk.
I always like to begin by rounding up the usual psychological suspects: excessive optimism, overconfidence, confirmation bias, and aspiration-based risk taking. Excessive optimism is high on the list. Managers in manufacturing firms who are excessively optimistic underestimate the probability that cybercrimes will impact their firms relative to other firms. Overconfidence comes next, as it typically leads managers to refrain from having a coherent approach to having prevented the intrusion, and to be surprised by the magnitude of the event when it materializes. Confirmation bias induces managers to downplay or ignore evidence that indicates the presence of cyberthreats. Aspiration-based risk seeking induces managers to take imprudent risks as they strive to meet high goals.
To the above list, I would add the following psychological fine points. People often choose to do less important tasks over more important tasks because the more important task feels less urgent. Unless cyberintrusion feels like a clear and present danger, cyber security measures will not generate the sense of urgency that tends to spur action.
We know that there are two essential features that lead people to perceive the degree to which threats are risky. The first feature is dread. If firms’ managers do not dread the outcomes of cyber crimes, they will not perceive cyber threats as having high risk. The second feature is familiarity, meaning a sense of understanding the risk. Generally, people who feel they understand a risk, even when they do not, tend to underplay the magnitude of the risk. There is enough hacking of email accounts now for people to feel they understand cyberintrusion, and therefore to underestimate the magnitude of cyberespionage.
If we believe Nortel executives’ sense of who orchestrated the firm's cyberdemise, Huawei is at the top of the list. Cybertheft of intellectual property is a major bone of contention in China-U.S. trade negotiations. Regardless of how these negotiations play out, one thing is clear. Cyberattacks will be a constant threat to manufacturing firms, and the sooner the managers of these firms understand the psychological issues underlying their underreaction to these threats, the more likely they are to take sensible preventative measures to mitigate them.
I have been a behavioral economist for over 40 years, lucky to be studying how psychology impacts the way the financial world works. Currently serving as the Mario L. Belotti Professor of Finance at Santa Clara University, I earned my Bachelor of Science Degree from the Univ...
Hersh Shefrin, Professor of Behavioral Finance, Santa Clara University and author of Beyond Greed & Fear, Behavioral Corporate Finance, and Behavioral Risk Management.
No comments:
Post a Comment