The Rational Actor in Cybersecurity Is a Mythical Creature

Posted on November 15, 2025

In theory, cybersecurity is a beautifully tidy universe where every participant behaves like a perfectly rational chess grandmaster. Attackers weigh cost versus reward. Organisations invest wisely to reduce risk. Users follow security policies because obviously security is important. In this world, everyone is a logical, well-intentioned adult, which is fanciful because none of this has ever happened.

Take the humble end-user. The rational actor model assumes they will choose the safest option. Yet these are the same individuals who believe a password containing the word ‘password’, but with an exclamation mark, is effectively the digital equivalent of Fort Knox. These are the heroic souls who see a blinking red warning message saying, ‘THIS LINK COULD STEAL YOUR DATA AND YOUR SOUL’, and confidently click ‘Allow’ because they needed to see the dancing cat video.

Then we have the executive stakeholders, yup, those paragons of rational investing. The model says they will allocate budget in proportion to risk. In reality they will happily spend £2 million on a golf simulator for the boardroom before approving funding for multi-factor authentication (MFA). Then, when (not if) a breach occurs, they announce ‘We take cybersecurity seriously’, which, translated, means ‘We regret everything, but the insurance premiums have not doubled yet, so here we are.’

Meanwhile, attackers, still perversely romanticised as hoodie-wearing lone wolves, now run well-structured organisations complete with Human Resources (HR), quarterly Objectives and Key Results (OKRs), employee-of-the-month plaques and ironically, better patch management than many FTSE 500 companies. Their rationality is almost insulting. They have mastered supply chain compromise, automation and return on investment (ROI) calculus. They use AI to exploit humans, while some companies are still debating whether AI tools violate the printer usage policy.

Then there is regulation, designed with the noble intention of aligning incentives. In practice, compliance often evolves into something more trite: a theatrical interpretive dance intended to look like security from a distance, and a veritable rule book that threat actors can use, one that more often than not signposts the soft underbelly for attacks.

So yes, cybersecurity theoretically operates under the rational actor model. In real life, though, we are learning that attackers behave rationally, corporations behave eventually and users behave mysteriously.

Which is why the true cornerstone of cybersecurity is not firewalls, AI threat engines or zero trust architectures; it still remains hope. Oh yes, and occasionally, perhaps more often than not for many, sheer dumb luck, which may be the most rational conclusion of all.