8 biases that will kill your security program
The decisions that security officials make can often be influenced by a variety of cognitive biases, some of which are subtle and others easy to spot. Avoiding these biases is essential to ensure that cyber risks are interpreted and addressed appropriately, especially when major disruptions occur, such as the recent shift to a more distributed work environment due to the COVID-19 pandemic.
“The behavior and decision-making processes of individuals have a direct impact on security,” says Sounil Yu, CISO at JupiterOne, a provider of asset management and governance technologies. Human error is the root cause of many breaches, so understanding how people think, react and behave is essential for good cybersecurity, he says. Understanding behavioral biases is even more important in the age of remote working, when personal security hygiene has a greater impact on the overall health of the network and the consequences of a single bad decision can spill over into the whole company.
Here, according to Yu and other security experts, are common biases that security officials are prone to and should avoid.
1. Confirmation bias
CISOs can make the mistake of assuming that the threat narrative they are inclined to believe is always the right one. “Confirmation bias is when you prioritize information that confirms your previously established opinions or beliefs,” says Rick Holland, CISO at Digital Shadows. One area where this is particularly problematic is attack attribution, or threat attribution, where security officials can easily fall into the trap of blaming a specific nation-state or threat actor simply because they already assume it to be responsible. Instead, CISOs should look for objective data points to minimize confirmation bias, examine alternative scenarios, and actively challenge their belief system, he says.