Exercising the Right Cyber Judgment When Making Technology Purchase Decisions - Ascent Conference

According to a report by PAM solutions provider Thycotic in 2020, 58% of IT security leaders say that their organizations are heeding the call for increased security budgets, and are planning to allocate more funds for the next 12 months.

However, a significant portion of the requested investment did not materialize, as the threats that it would address were considered low-risk (and therefore, low priority). Thirty-three percent of respondents say that senior leaders in their organizations don’t have ample understanding of threats — an understanding needed to make informed cyber risk decisions.

Cyber Biases Explained

The growing number of cyberattacks in recent years has prompted organizations to increase their IT budget and invest in reinforced cybersecurity infrastructure. With this increase in demand comes the need for enhanced clarity in cybersecurity judgements among key decision makers. 

In her Forcepoint report titled Thinking About Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science, research scientist Dr. Margaret Cunningham enumerated the 6 biases that influence cybersecurity strategies:

  • Availability Bias. This impacts cybersecurity leaders’ ability to perceive threats as either low- or high-risk based on the information made available to them. If attacks carried out by inside actors are everywhere in the news, leaders will be more inclined to prioritize this type of attack, even if that particular threat is less likely to affect their particular organization. 
    • CISOs can overcome this by: leveraging data and tools to gather more information, and building more robust lines of communication with security personnel so that their expertise is also taken into consideration.
  • Aggregate Bias. According to Dr. Cunningham, aggregate bias happens when “we infer something about an individual using data that describes trends for the broader population.” This may then result in an inaccurate understanding of information, as research based on large groups of people can’t always be applied to specific individuals or cases.
    • CISOs can overcome this by: understanding human behavior when reducing human error or addressing the human element of threats; studying behavioral analytics to gain insight into individual behaviors.
  • Confirmation Bias. Cyber leaders may often find themselves looking for sources to support their own theories on why certain events happen. Experienced CISOs often fall victim to confirmation bias when attempting to find explanations that can back their personal claims, at the expense of reliability and validity of information.
    • CISOs can overcome this by: looking at threats from different viewpoints and being open to other perspectives that don’t necessarily align with theirs.
  • Anchoring Bias. Dr. Cunningham describes anchoring as something that occurs when “a person locks onto a specific salient feature or set of features of information early in the decision-making process.” As a result, the information that CISOs have on potential risks and threats anchors employees to focus on those specific threats. However, CISOs may tend to stick to that specific value found in the initial investigation, even when presented with new solutions or required to deviate from the preliminary “anchor.”
    • CISOs can overcome this by: using statistical analysis techniques to reduce over-reliance on early judgments as risk mitigation takes place.
  • The Framing Effect. Security risks are framed in such a way that losses are heavily highlighted. CISOs then make riskier purchasing decisions by opting for a more expensive solution in order to eliminate those potential threats.
    • CISOs can overcome this by: taking a more analytical approach in interpreting framed messaging, and engaging in a thorough, well-considered cost-benefit analysis.
  • Fundamental Attribution Error. A longstanding joke about staff-induced computing errors within IT and cybersecurity communities is the acronym PEBKAC — “Problem exists between keyboard and chair.” It’s easy to blame risks and threats on users’ security capabilities (or seeming lack thereof). However, blaming end-users papers over the larger issue, namely, that systems, tools, and processes should be engineered to mitigate human error, which will inevitably occur.
    • CISOs can overcome this by: countering self-serving bias; attributing threats to the environmental factors that fuel human error, and not to users’ overall proficiency on a product/solution/security measure. Human beings will inevitably make mistakes, so any good cybersecurity system will anticipate likely sources of error, and create systems and procedures to prevent them. More recently, sophisticated machine learning and autonomous systems have become cutting-edge tools within corporate cybersecurity arsenals, as explained in this informative and timely blog post by Darktrace.

Top Drivers for Decision Makers

Thycotic’s report further outlines the primary sources of information that shape cybersecurity purchasing decisions amongst company leadership. In the United States, decisions appear to be equally driven by existing vendor relationships and independent report sources such as Gartner and Forrester (45%); followed by benchmarking against other companies within their industries (42%). 

But in the United Kingdom, for example, CISOs’ top source is benchmarking against similar-industry companies (48%), with guidance from peers coming in second (43%). This shows that there is no single source of information that all CISOs consult during their decision-making process — it varies widely depending on factors such as location, vendor relationships, and industry peers and competitors.

Final Thoughts

Minimizing biases, along with having the right information sources, are two of the main things security and IT leaders should do to avoid making flawed decisions. Dr. Margaret Cunningham also advises, “It’s critical, even in today’s environment of never-ending alerts and dangers, that cybersecurity teams and professionals slow down and think more deeply and strategically in order to combat these biases.”
