In the current landscape of evolving cyber-threats and limited resources, effective cybersecurity decision-making is critical for organizational resilience. Yet, decision-making in this domain remains challenging. The impact and effectiveness of cybersecurity measures are difficult to quantify, information asymmetries exist between providers and consumers of cybersecurity services, and decisions are frequently made under conditions of uncertainty and limited empirical guidance. Against this backdrop, our research examines the industry-, organizational-, team-, and individual-level factors that cybersecurity professionals across strategic, tactical, and operational roles perceive as shaping effective cybersecurity decision-making, and explores how these factors intersect across levels in practice. Drawing on semi-structured interviews with 36 cybersecurity professionals across six organizations – including operational security roles, governance, risk, and compliance specialists, senior executives and board members – we conducted reflexive thematic analysis to identify key factors shaping decision-making. The findings support several factors previously identified in the literature while also revealing a set of novel decision-shaping factors, including intrinsic motivation, teamwork, user experience beliefs, and confidence. Importantly, the analysis indicates that many factors operate across multiple organizational levels rather than being confined to a single locus of influence. We integrate these insights into a cross-level conceptual model that highlights the intersections of decision-shaping factors across industry, organizational, team, and individual levels. By reframing effective cybersecurity decision-making as a contextually embedded and multi-level process, this study deepens understanding of the factors shaping these decisions in practice, and offers a foundation for future research and reflective organizational practice.
Niamh Dawson
Emma Knight
Ivano Bongiovanni
Computers & Security
The University of Queensland
The University of Sydney
Australian National University
Dawson et al. (Wed,) studied this question.
www.synapsesocial.com/papers/69e31f1a40886becb653e98b — DOI: https://doi.org/10.1016/j.cose.2026.104927