Psychologists have long understood the impact of cognitive biases, such as people’s tendency to fear shark attacks more than mosquitos despite the latter causing vastly more deaths. Now, Security Magazine has broken down a list of the top 10 cognitive biases in cybersecurity.
First on the list is the “affect heuristic,” which has to do with emotional states—if security pros feel good about a particular setup, they might not investigate it closely enough. Next is “anchoring,” where people cling to the first piece of information they are given in reaching a conclusion, for instance focusing on a cyber threat identified by the C-suite rather than checking for threats more widely.
In cybersecurity, the “availability heuristic” essentially means security pros relying on whatever examples come most readily to mind rather than assessing risk methodically. “Bounded rationality” is a cognitive bias where security teams settle for what is “good enough” rather than optimizing. Another bias is “choice overload,” where, for instance, the murk of conflicting vendor marketing messages may confuse a security team and lead them to use the wrong tool.
Some of the biases on the list are fairly self-explanatory, such as “decision fatigue” and “herd behavior.” The “licensing effect” is where, for example, people may feel they have already done their cybersecurity good deed for the day and may then let their guard down. Rounding out the list are “optimism bias”—people tend to be overly upbeat about their own chances—and “ego depletion,” which relates to people’s diminishing willpower over time.
Separately, as CSO reports, a data breach can be an emotional situation, invoking “panic, anger, and guilt.” Peter Mackenzie, director of the incident response team at Sophos, told CSO that security administrators sometimes can’t take it and quit. Patrick Stacey, author of a paper on employees’ emotional responses to cyberattacks, added that such feelings can metastasize across an organization.
Cybercriminals understand human emotions, too, as OneLogin chief trust and security officer Vanessa Pegueros told Industry Week last year. Pegueros said, “They take advantage of human loneliness, fears around health, and the desperate hopes of quick economic gain.”
According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved a human element.