“Thinking About Thinking” is Critical to Cybersecurity

Most cybersecurity vulnerabilities are created by human decisions—many of which aren’t made consciously. Here’s why understanding the mental shortcuts we use in decision-making can help strengthen cybersecurity.

istock 1186957660

Humans make a lot of decisions each day, whether we are aware of them or not. Research shows that people make approximately 200 decisions about food every single day1. And, depending on how we define the word “decision,” the daily number can creep into the tens of thousands. Although we may believe our decisions are rational, cognitive scientists argue that we are far less objective than we think. Cognitive biases shape our cybersecurity decisions from the keyboard to the boardroom, and these decisions ultimately determine the effectiveness of our cybersecurity solutions.

Seeing isn’t always believing

Consider the following question:2

Jack is looking at Anne, but Anne is looking at George. Jack is married, but George is not. Is a married person looking at an unmarried person?

  1. Yes
  2. No
  3. Cannot be determined

Up to 80% of respondents select “C.” But the correct answer is actually “A.”

It doesn’t matter whether Anne is married or not. If she is married, she is looking at an unmarried person: George. If she is not married, then Jack is looking at an unmarried person: Anne. The reason people often choose “C” is that Anne’s marital status is not provided in the question. In this example, people use a mental shortcut to link Anne’s missing information and “cannot be determined” rather than thinking through multiple options.

Taking mental shortcuts is not limited to tricky logic questions. We use shortcuts so frequently and effortlessly that we do not even realize we’re doing it. However, humans are also capable of engaging in complex analytic thoughts and solving extraordinarily difficult problems.

The Dual Process Theory explains human thought by separating it into two modes:3

  • System 1 is aligned with human intuition. It is characterized by fast, effortless, and emotional thoughts that we unconsciously link with past experiences, thoughts, and patterns.
  • System 2 is aligned with analytical and logical thought. It is characterized by effortful thinking and reasoning that we are typically aware of.

Whether we like (or realize) it or not, we spend the vast majority of our lives immersed in System 1 thinking. Our brains use System 1 to optimize the body’s energy—20% of which is going toward brain function. System 1 makes it possible to quickly and effortlessly complete the many simple tasks we engage in throughout the day, such as tying shoes, locating sounds, or avoiding potholes while driving.  If we had to depend completely on System 2 and engage in effortful, exact thinking for every decision we faced throughout a day, we might never make it out the front door in the morning.

Although System 1 allows us to function and conserve valuable brainpower, it also creates problems. Our automatic thoughts frequently influence decisions without our awareness—decisions that would be far better suited for a full System 2 analysis. These subconscious influences, or cognitive biases, are systematic departures from logic where rules of thumb supersede the facts at hand.

Decide to do cybersecurity better

Our daily cybersecurity decisions are influenced by our cognitive biases, and while we won’t ever completely escape bias, we can prepare ourselves to make better decisions by thinking about thinking. When we think about thinking, we build awareness of cognitive bias across our organizations, so we can better identify situations where critical decisions and the behaviors they drive are susceptible to increased risk.

Scaling your security strategy to protect remote workers means understanding how workers behave in a remote environment. And Forcepoint is here to help. Visit us to learn more about how risk-adaptive cybersecurity driven by behavioral analytics can secure people and data everywhere.


  1.  Wasink, B. & Sobal, J. (2007). Mindless Eating: The 200 Daily Food Decisions We Overlook. Environment & Behavior, 39, 106-123
  2. Hector Levasque, as cited by Keith Stanovich, “Rational and Irrational Thought: The Thinking that IQ Tests Miss
  3. Daniel Kahneman, Dual Processing Theory, Heuristics, and Bias”

Copyright © 2020 IDG Communications, Inc.