Decision Making Before and During Times of Crisis: A Parallel Between Cybersecurity

[harlan4096]

A few lessons to be learned

The coronavirus pandemic is not only the first time in history when a biological virus also affects the cybersecurity industry (through phishing attacks and COVID-19-themed malware) but the way the breakout has been handled so far also resembles the way certain IT decision-makers may react when it comes to dealing with security issues.

Until now, the crisis has been approached from different angles by governments around the world. The pandemic is now causing major disruptions in the way we live and work, and perhaps, irreversibly. It is an unprecedented health and economic disaster, which puts our collective ability to respond to the test.

How prepared are governments when disaster strikes? How about us as citizens? Why don’t we all focus on prevention rather than on dealing with the consequences?

A comparison between decision making in Cybersecurity and the COVID-19 pandemic

If you think about it, in many cases, cyber-attacks and malware behave and spread in ways similar to a pandemic. Some digital threats are even called “viruses”, after all.

But how are decisions taken during the current pandemic versus before and during a cybersecurity crisis?

Without the intention of trying to oversimplify the complexity and severity of the COVID-19 pandemic, I’ve discovered some similarities that I would like to point out.

#1. Inaction fueled by optimism bias

Even though we like to think of ourselves as rational creatures, it’s in human nature to disregard risk associated with – well, anything…

Why? The optimism bias phenomenon is to be blamed. In short, it refers to the belief that we have lower chances of being affected by negative events than other people and that we are more likely to experience positive events than our peers.

The term was coined by Neil D. Weinstein in 1980, who through his experiment discovered that most college students thought their chances of developing a drinking problem or getting divorced were lower than that of their colleagues. Simultaneously, the majority of these students also believed that their chances of positive things happening to them (such as owning a house and growing old) were much higher.

In a recent article, Marie Helweg-Larsen, Professor of Psychology, argues that certain people are refusing to change their behavior during the current coronavirus pandemic due to optimism bias. For instance, if you don’t believe chances are you may be infected, you might think that interacting with your grandmother won’t be harmful. This way, due to the infection’s uncertainty, you tend to minimize risk.

The perception around risk can be difficult to change. But since social distancing and staying at home are now typically considered the moral thing to do, people may be more likely to change their attitude when thinking about keeping others safe (and not themselves, in particular). So, no longer focusing on your own personal risk may fuel a more protective behavior.

Obviously, not only regular citizens found themselves under the optimism bias since the COVID-19 pandemic has emerged. In the same manner, leaders around the world have been crippled by inertia and tended to underestimate the critical impact the novel coronavirus would have on their countries, healthcare systems, and the economy.

HOW COMMON IS OPTIMISM BIAS IN CYBERSECURITY?

Of course, optimism bias can also be observed in the cybersecurity field. In short, this phenomenon prevents some security leaders from taking preventative measures and therefore hinders companies from achieving a good security posture.

The results of a study revealed that security executives are indeed affected by the optimistic bias. The report shows they thought their risk to be substantially lower than that of the companies they were compared with. Furthermore, they seemed to be aware of the existing risks, yet still could not completely grasp the potential consequences’ magnitude.

The same study has shown that subjects, at the very least, acknowledged their interconnectedness with their business partners. Even though they considered themselves to be less prone to risk than other companies, they seemed to perfectly understand that they could themselves become victims due to other parties they have partnered up with. These dangers are nowadays commonly referred to as Supply Chain Attacks or Vendor Email Compromise (VEC) threats.

HOW TO AVOID BIAS WHEN BUILDING YOUR CYBERSECURITY STRATEGY

Biases impact decision-making processes and obviously, the cybersecurity industry is no exception to the rule.

So, how can you, as an IT decision-maker, avoid being under the influence of cognitive biases?

Here are a few points to consider:

* Becoming aware of optimism bias and accepting that the phenomenon is an inherent part of us as humans. This is the first step toward taking impartial, unbiased decisions.

* Looking at real-life examples. Understanding how organizations that match your own profile were impacted by cyberattacks and analyzing how your company would react when faced with a similar scenario. Would it be prepared to deal with an attack or miserably fail? How cyber resilient is your organization?

* Thinking about the overall positive impact of a strong cybersecurity strategy on your business. Now, organizations should not simply being applying scare tactics upon themselves and should start realizing how threat prevention and mitigation will keep their company up and running.
...

Continue Reading