STRATEGIC ALLIANCE MAGAZINE | Q1 * 2018

WHY COMPANY LEADERS UNDERINVEST IN SECURITY

A Q&A with Alex Blau on Key Behavioral Challenges and Ways to Address Them

By Cynthia B. Hanson

Alex Blau is a behavioral scientist and a vice president at the New York nonprofit consulting firm ideas42, which focuses on applying behavioral science to solve some of the world's most persistent social problems. ideas42 began analyzing cybersecurity issues in 2015, when the firm recognized a need to assess security shortcomings through behavioral science. Blau is the author of "The Behavioral Economics of Why Executives Underinvest in Cybersecurity," recently published in the Harvard Business Review. The premise of the article is that cybersecurity avoidance and underinvestment can be partially explained by human biases and contextual features.

According to the article, cybersecurity underinvestment stems from a mindset that sees security as merely a fortification process (firewalls and the like) that is the responsibility of security personnel; that assumes compliance is sufficient once a security framework such as the National Institute of Standards and Technology (NIST) framework or the Federal Information Security Management Act (FISMA) is in place; and that believes the present system is sufficient because the company hasn't experienced a recent security breach.

I spoke with Blau about the complexity of maintaining security in the workplace and in multipartnering environments.

What are some of the behaviors that cause companies to underinvest?

Alex Blau: C-level executives making decisions about investment in cybersecurity face a pretty daunting problem. Doing it properly requires knowing a few key pieces of information: What are the costs that you might incur if you lose data or if some critical thing goes offline?