Just recently I had a trawl of the internet and discovered an interesting theme in relation to devising information security strategies that work.
The theme was that of Cognitive Bias — inherent thinking errors that humans make in processing information. These can be a real hurdle to effective security planning.
Here are a few examples to consider, their potential impact and some thoughts on how they might be overcome.
Senior Management can express great confidence in their existing security infrastructure with statements like: “We didn’t get affected last year at all” or “We spent £40 million on a state-of-the-art security system”. This can also manifest as an exaggerated belief in one’s own abilities or that of the team “We have the best security team in the world”. This is probably not helpful at a time when UK government figures reveal that 46% of firms have been hit with a cyber attack or breach in the past year. Such misplaced confidence can breed complacency and a narrow focus such as solely on perimeter defence. It is better to assume that a security incident is inevitable and to focus on a strategy of building resilience for that eventuality.
This can manifest as a belief that attacks just won’t happen. For example: “We are far too small to be a target” or “Even if we were hit, we’ve got everything backed up”. This kind of optimism can lead to a deprioritization of security and potentially lead to increased vulnerability to threats. Bear in mind that 67% of CISO’s believe their company will be affected by a cyber attack in 2018. Pessimistic realism is a far better approach “When and how badly will we be affected, how can we mitigate against catastrophe?” are questions to ask.
Anchoring is the use of anchors or mental reference points to make a decision even when they are of no direct relevance. For example “We only had a single malware attack 5 years ago” does not apply to the current scenario today. The current scenario has different attack vectors and emerging threats to that of 5 years ago. This kind of anchoring can lead to a corporate ossification of your company security strategy rendering it obsolete. This can be a real issue in more traditional, established companies and organizations
4) Status Quo
Similar to Anchoring — Status Quo refers to the desire to stay with the current course of action. Choice is often difficult, and decision makers may prefer to do nothing or maintain their current course of action because it is easier. However, sticking with a security program because it is “what we did before — and it worked” does not take account of a constantly changing threat landscape. Without a strategy that proactively seeks opportunities to mitigate against risk via resources, tools and collaborations — effective security opportunities are missed. This is especially true with the shift to the cloud and the growth of IOT technology. Fight the status quo in order to respond effectively to emerging threats.
5) Mental Accounting
This concept refers to the way in which people do not treat all their money or resources as being from one big pool — rather they have separate mental accounts that they track in relation to their goals. For example — being more willing to spend money on business operations leading to direct profit whilst being less willing to spend money on security that has no immediate return. Effective security does not bring in profits but it does prevent loss of money, assets, reputation and in some cases lives. The Wannacry attack of 2017 brought operations and key functions to a standstill in the UK NHS. This was found to be a direct result of funding cuts existing IT infrastructure maintenance. Considering that a security incident is inevitable, it makes sense to resource your security infrastructure appropriately.
6) Herding Instinct
This manifests as doing the same thing as similar companies rather than what is right for company X. This can lead to ignoring the specific requirements of company X and devising a security strategy that is entirely wrong for your organisation. An example of this is the retail industry following checkbox compliance with Payment Card Industry data protection requirements. This collective disregard has led to one in three retailers suffering revenue losses as a result of a cyberattack according to the Cisco 2017 Annual Cybersecurity Report.
7) False Consensus
Senior Management may overestimate the extent to which others share their views or only seek out sources that confirm their views. The importance of honest feedback from people with multiple perspectives and backgrounds cannot be underestimated. If everyone thinks the same way they will leave themselves open to the same vulnerabilities. If everybody is agreeing you then it might be Groupthink rather than real consensus.
In my view, one important way that many of these issues can be stemmed is by increasing diversity among senior management.
Overconfidence tends to be a gender issue whereas false consensus is much less likely with a truly diverse boardroom. People from different backgrounds, life experiences and ways of understanding the world are far more likely to point out the blind spots in a discussion or challenge an incumbent view. To truly strengthen an organisation’s security posture, it makes sense to consider your stance from multiple perspectives. You need to broaden and deepen your perspective. This means actively reaching out to people who are different to you and involving people with different ideas you may not agree with. One example of this idea in action is BT’s embracing of neurodiversity in seeking recruits for their cybersecurity division with evidence of success.