Cyber Security Cognitive Biases

We all know that feeling – when we’re sure we’ve locked the door, but then we second guess ourselves and go back to check. Or when we’re sure we turned off the oven, but then we start to worry and go back to double check. These are just a few examples of cognitive biases, which are mental shortcuts that our brain takes in order to save time and energy. While they can be helpful in some situations, they can also lead us astray.

Cognitive biases have a big impact on our decision-making, and this is especially true when it comes to cybersecurity. Because the cyberthreat landscape is constantly changing and evolving, it can be hard to stay ahead of the curve. And when we’re under pressure, our cognitive biases can lead us to make suboptimal decisions.

In 2021, there were more cyberattacks than ever before, and there were 27% more cyber-related data compromises than there were in 2020. According to research by IBM and the Ponemon Institute, the average cost of a data breach reached $4.24 million in 2021. This is partly because human error accounts for 85% of all breaches. By 2025, cybercrime is predicted to cost the world economy $10.5 trillion every year. We all know that humans are susceptible to making mistakes. The question is, what triggers our behavior, and how could organizations better protect themselves from being manipulated? Understanding these answers will help them change the way they deal with information security issues so that they are not so vulnerable.

Here are a few examples of how cognitive biases can impact our cybersecurity decision-making:

Confirmation Bias:

Confirmation Bias is the tendency to search for, interpret, or remember information in a way that confirms our preexisting beliefs. When it comes to cybersecurity, confirmation bias can lead us to focus on threats that confirm our existing beliefs about risks we face. For example, if we believe that malware is the biggest threat to our organization, we may pay less attention to other types of threats like phishing or social engineering.

Influence from authority figures:

We tend to defer to authority figures when making decisions. In cybersecurity, this can lead us to make decisions based on the recommendations of vendors or experts without fully understanding the risks involved. This can be especially dangerous when it comes to new technologies, as we may be more likely to adopt them without fully considering the security implications.

Anchoring Bias:

This is a bias where humans tend to accept the first piece of information they receive as truth, even if it isn’t necessarily true. For example, when a CISO or C-level executive places too much emphasis on one cyber threat, lower-level employees become anchored in that belief instead of assessing all possible threats around them with fresh eyes. For instance, consider how many people were caught up by fear following the recent global pandemic. Once we have seen something happen, there is a tendency to assume that other similar events will follow automatically.

Affect Heuristic:

The affect heuristic is a mental shortcut in which our judgements are strongly influenced by how we currently feel. For instance, if security staff have a particularly positive impression of something, they might judge it to be low risk and not look beyond what is necessary to determine why this specific situation would differ from others in terms of potential risks or hazards.

These are just a few examples of how cognitive biases can impact our cybersecurity decision-making. By being aware of these biases, we can make more informed decisions and avoid making costly mistakes. Companies should recognize the serious consequences these biases can have for their cybersecurity posture and take steps to counter them. For example, they can create policies that require security decisions to be based on data and analysis instead of intuition or gut feeling. By taking these steps, companies can make sure that their cybersecurity decisions are based on sound reasoning rather than cognitive biases.

If you need support in placing professionals within the Cyber Security space, fill out the form below, and one of Softworld’s subject matter experts will be in touch.
