8 biases that will kill your security program

CISOs and their security teams often hold cognitive biases that get in the way of making the right risk management and incident response decisions. Here are eight of the most common to avoid.


The decisions that security leaders make can be influenced by a variety of cognitive biases, some subtle and others easy to spot. Avoiding these biases is critical to ensuring that cyber risks are interpreted and acted upon appropriately, especially when major disruptions happen, such as the recent shift to a more distributed work environment because of the COVID-19 pandemic.

"The behavior and decision-making processes of individuals have a direct impact on security," says Sounil Yu, CISO at JupiterOne, a provider of asset management and governance technologies. Human error is the cause of many breaches, so understanding how people think, react and behave is essential to good cybersecurity, he says. Understanding behavioral biases is even more important during the remote work era, when personal security hygiene has a greater impact on overall network health and the consequences of even a single wrong decision can ripple across the enterprise.

Here, according to Yu and other security experts, are some common biases that security leaders are prone to and need to avoid.

1. Confirmation bias

CISOs can make the mistake of assuming that the threat narrative they are inclined to believe is always the right one. "Confirmation bias is when you favor information that confirms your previously established views or beliefs," says Rick Holland, CISO at Digital Shadows. One area where this is especially problematic is attack attribution, or threat attribution, where security leaders can easily fall into the trap of pinning blame on a specific nation-state or threat actor simply because they assume that's the case. Instead, CISOs should seek out objective data points to minimize confirmation bias, look at alternative scenarios, and actively challenge their belief system, he says.
