How Optimism Bias Undermines Cybersecurity
While we like to think of ourselves as highly rational and logical, the human brain is sometimes too optimistic for its own good. In our personal lives, for example, we tend to grossly underestimate the chance that we will experience a negative life event or be involved in an accident. Psychologists call this optimism bias, a cognitive disconnect that extends well past our personal lives. It is why CEOs and CTOs invest heavily in cloud-based business transformation efforts yet strive to save money on the robust cybersecurity programs needed to keep those efforts secure and running.
When it comes to cybersecurity, an “It won’t happen to us” attitude is not a smart bet; it is like playing Russian roulette. It breeds complacency and overconfidence and puts an organization at risk. To overcome this, organizations need to adopt a fact-based approach toward cybersecurity, evaluating the incidence of cyberattacks in their industry and the cost of a potential breach.
Hope for the Best, Prepare for the Worst
In the world of cybersecurity, many of the incidents we read about were almost certainly preceded by an assumption—or at least a reasonable expectation—that preventive measures were in place to stop just such an incident. If you were to ask yourself how many security practitioners would knowingly or even intentionally jeopardize their security posture, you would likely answer very few or none. The fact is that most organizations are constantly assessing their risk posture and looking for ways to efficiently adopt “better practices” that improve their ability to mitigate and respond to attacks. This can be through new technology, through processes or workflows, or simply through increased headcount (if you are lucky enough to find qualified personnel for an open role). I’d argue that, after many years of speaking with organizations and helping improve their solution and security efficacy, it’s often a mix of all three.
What many organizations find is that they have good monitoring tools, decent defense mechanics and a staff that legitimately wants to improve their security position – not to mention that I’ve never in my career spoken with someone who has wanted to experience a breach! So, how do we systematically remove the bias from our choices and make fact-based decisions, moving past the “We don’t have to worry about that” opinion to a position of informed awareness and preparedness? Start with the incident rates for your sector or for organizations of your size. These are simply facts, not emotions, and they help set reasonable expectations.
Choose the Right Tools
After moving past “That would never happen” to “It’s possible,” it’s time to look at tool integrations and workflow improvement opportunities. Many organizations already have the data needed to at least identify suspicious activity. This is where you’ll hear about the volume of events, the data glut or security operations center (SOC) fatigue.
These aren’t just complaints or personal issues; they are legitimate. Without intelligent analysis tools that help narrow down the contributing indicators of the root incident, a missed incident becomes increasingly likely. This is where strong analytics and machine learning or AI-based tools play a role. SIEMs, for example, aggregate a lot of data in one place and serve a purpose, but unless their correlation logic is programmed with exactly what to look for, an important event may be missed. Sure, most L2 or L3 SOC analysts will eventually reach the same conclusion, but it takes time on a human scale. Attacks, by contrast, execute on the scale of compute cycles, and like it or not, that is far faster than human analysts can move.
The good news is that many solutions do have inference logic that improves the quality of the verdict and reduces the number of datapoints to a finite volume that can be acted upon. This allows a specific security workflow to be executed repeatably whether the incident or event is handled by an L3 SOC engineer or an L2 helpdesk tech. Having accurate, defensible data and a workflow that lets one resolve the incident as repeatably as making chocolate chip cookies removes the bias, the opinion and the “maybe” from the equation and replaces it with a clear outcome: mitigated, resolved or confidently no incident.
Eliminate Bias
Information security is a practice that must be constantly challenged and tested to find weaknesses and opportunities for improvement. There is no such thing as “It can’t happen to me” for anyone, due to the pace of change in every industry and the foundational technology we rely on day-to-day. If an organization were to stop using software, disconnect from the internet, remove outside access to any assets of value and ensure nothing could come or go, then perhaps, that degree of isolation would require no further cybersecurity improvements. And that organization would likely cease to exist.
One approach to reducing bias, and to recognizing it in a practical form, is to run exercises and tests. This is an effective way to improve confidence in a process or a solution’s outcome—and equally to identify issues. The unproven or untested remains a variable, and that’s where the biases or assumptions hide. As the old adage goes, “practice makes perfect”; or, in this case, practice reduces the variables. With that increased predictability, biases give way to evidence and the knowledge that the approach is sound. Addressing a bias is a process that first requires awareness of the bias and then methodical elimination of the triggers that lead to a biased response.
With awareness of a bias comes the ability to recognize its effects and manage them appropriately, leading to genuine confidence that you are effectively reducing the risk. Understanding that threats exist and are very much real to anyone and everyone is the first step in eliminating bias and protecting an organization. From there, the proper tools can be adopted and steps taken to be ready for anything. Hope for the best, prepare for the worst—that is the ultimate mantra of a great security program.