According to a 2020 report by PAM solutions provider Thycotic, 58% of IT security leaders say their organizations are responding to calls for larger security budgets and plan to allocate more funds over the next 12 months.
However, a significant portion of the investment that was requested never materialized, because the threats it would have addressed were judged low-risk (and therefore low priority). Thirty-three percent of respondents say that senior leaders in their organizations lack sufficient understanding of threats, the understanding needed to make informed cyber risk decisions.
Cyber Biases Explained
The growing number of cyberattacks in recent years has prompted organizations to increase their IT budgets and invest in stronger cybersecurity infrastructure. With this increased spending comes a need for clearer judgment among the decision makers who direct it.
In her Forcepoint report titled Thinking About Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science, research scientist Dr. Margaret Cunningham enumerated six biases that influence cybersecurity strategies:
- Availability Bias. This affects cybersecurity leaders' ability to judge a threat as low- or high-risk, because the judgment is driven by whatever information happens to be in front of them. If attacks by insiders dominate the news, leaders will be inclined to prioritize that type of attack, even if it is less likely to affect their own organization.
- CISOs can overcome this by: using data and tooling to gather a fuller picture of their actual threat exposure, and building more robust lines of communication with security personnel so that their expertise is taken into account.
- Aggregate Bias. According to Dr. Cunningham, aggregate bias happens when “we infer something about an individual using data that describes trends for the broader population.” This may then result in an inaccurate understanding of information, as research based on large groups of people can’t always be applied to specific individuals or cases.
- CISOs can overcome this by: studying how people in their own organization actually behave when trying to reduce human error or address the human element of threats, and using behavioral analytics to gain insight into individual rather than population-level behavior.
- Confirmation Bias. Cyber leaders may find themselves seeking out sources that support their own theories about why certain events happen. Even experienced CISOs fall victim to confirmation bias when they look for explanations that back their personal claims, at the expense of the reliability and validity of the information.
- CISOs can overcome this by: looking at threats from different viewpoints and being open to other perspectives that don’t necessarily align with theirs.
- Anchoring Bias. Dr. Cunningham describes anchoring as something that occurs when “a person locks onto a specific salient feature or set of features of information early in the decision-making process.” In practice, the initial information a CISO has about potential risks and threats anchors the team on those specific threats. The CISO may then stick to the value or conclusion reached in that initial investigation, even when presented with new solutions or with evidence that calls for deviating from the preliminary “anchor.”
- CISOs can overcome this by: using statistical analysis techniques to reduce over-reliance on early judgments as risk mitigation takes place.
- The Framing Effect. When security risks are framed so that potential losses are heavily emphasized, CISOs tend to make riskier purchasing decisions, opting for a more expensive solution in order to eliminate those losses.
- CISOs can overcome this by: taking a more analytical approach in interpreting framed messaging, and in engaging in a thorough, well-considered cost-benefit analysis.
- Fundamental Attribution Error. A longstanding joke about staff-induced computing errors within IT and cybersecurity communities is the acronym PEBKAC: “Problem exists between keyboard and chair.” It is easy to blame risks and threats on users' security skills (or seeming lack thereof). However, blaming end users papers over the larger issue, namely that systems, tools, and processes should be engineered to mitigate human error, which will inevitably occur.
- CISOs can overcome this by: countering self-serving bias; attributing incidents to the environmental factors that fuel human error rather than to users' proficiency with a product, solution, or security measure. Human beings will inevitably make mistakes, so a good cybersecurity system anticipates likely sources of error and puts systems and procedures in place to prevent them. More recently, machine learning and autonomous systems have also entered corporate cybersecurity toolsets, as discussed in a blog post by Darktrace.
Top Drivers for Decision Makers
Thycotic's report further outlines the primary sources of information that shape cybersecurity purchasing decisions among company leadership. In the United States, decisions appear to be driven equally by existing vendor relationships and by independent analyst reports such as those from Gartner and Forrester (45% each), followed by benchmarking against other companies within the same industry (42%).
In the United Kingdom, by contrast, CISOs' top source is benchmarking against companies in similar industries (48%), with guidance from peers coming in second (43%). There is therefore no single source of information that all CISOs consult when making decisions; it varies widely with factors such as location, vendor relationships, and industry peers and competitors.
Final Thoughts
Minimizing biases and consulting the right information sources are two of the main things security and IT leaders should do to avoid flawed decisions. Dr. Margaret Cunningham also advises, “It’s critical, even in today’s environment of never-ending alerts and dangers, that cybersecurity teams and professionals slow down and think more deeply and strategically in order to combat these biases.”