Cognitive biases in Informatics and Security


Did you know that about 43% of cyberattacks are aimed at small businesses, or that there are around 2,200 cyberattacks each day, which means one cyberattack happens every 11 seconds? Many factors cause such incidents in the field of cybersecurity every single day, and today we are going to look at how cognitive biases can play a crucial role in them and how to overcome those biases.

When we hear of data breaches in the news, the largest companies typically dominate the headlines. Attacks on small businesses rarely receive coverage, which leaves other small business owners with an inflated sense of confidence. We can describe this as optimism bias: the owner assumes their business is less likely to be targeted by cyberattacks, when in fact that is far from the truth. Only about 16 percent of small business owners say they are concerned about potential cyberattacks, despite the fact that 43% of all cyberattacks are directed at small businesses, which are less likely than large corporations to recover from an attack. 80% of people are known to exhibit optimism bias, and this applies to cybersecurity as well. Management, security teams and employees often carry the false, optimistic notion that because they have structured security processes and tools in place, they are immune to cyberattacks. Gaining a clear, accurate understanding of your cybersecurity risk will help you temper your natural optimism bias and take effective steps to boost your cybersecurity, such as:

  • Proactively scanning for malware
  • Implementing a web application firewall
  • Installing patches automatically
  • Backing up important files, and so on.

The availability heuristic is another type of bias found in cybersecurity. The more frequently someone encounters a type of situation, the more readily it comes to mind. When evaluating a security threat or situation, security teams will often rely on their memory, their experience or industry trends instead of taking a methodical approach that evaluates all possible risks. Humans are the weakest link in cybersecurity, and opportunistic cybercriminals can easily leverage these biases and manipulate them to their advantage. One way to overcome this issue is to emphasize psychology over technology. Human behaviour must always be the core focus, and cybersecurity controls must be designed around people, not the other way around; to do that, you must strengthen security culture through regular communication and training. Cybersecurity is primarily a human problem, which is why it's important that security teams recognize this and change their approach accordingly.