Risk heuristics in cybersecurity
Availability Bias
Availability bias is due to memory. If an individual often comes across particular information, it readily becomes accessible in their mind. The instances where certain types of information are convenient for being readily available in memory influences how people think an event will occur.
Therefore, reports of ransomware or particular threats can determine what security analysts perceive as risky and also directs how they approach the security issue. Such sensitive elements that frequently hit an analyst’s memory can cause a misdiagnosis of issues in the system that are thought would not happen because of their incidental occurrences.
Moreover, an information security analyst may analyze data on information security using some information security tools. As a result, the analyst may notice patterns leading to the conclusion of specific events for definite timeframes. For example, a security threat may have happened consecutively for four months, and in the last seven days the months, a security analyst sees a pattern. The analyst may correlate the incidences to similar histories and assume an underlying cause. However, it is a norm that conclusions should not be made without prior investigations.
Another problem with availability is the overestimation of the probability of an event. However, some organizations are less technical, implying that they may ignore accurate data about the likelihood of threats. Therefore, such facilities may establish systems that deal with risks that are unlikely to occur.
Information security measures should not be based on fluctuating reports, which require an in-depth interpretation of the technology in use, and the type of data processed for accurate decision making. The phenomenon that circulates the availability bias is the need for both personnel and technology. For instance, humans build the culture within the system, while technology provides an accurate probability of the threats to information security.
Confirmation bias
The era of big data provides information to support almost every opinion and idea. Multiple theories attempting to explain the cause for an incident exist in various networks. However, individuals tend to align with arguments that they agree with when analyzing a question or exploring the cause of an event. Confirmation bias means affirming our beliefs by searching and sticking to information that builds on them.
Apart from influencing how we reason, confirmation biases also affect our memory of information. Generally, people shift their focus and remember only details that they like or perceive as valuable. For example, an analyst may spend enormous time and energy analyzing the cause of an adverse event by looking for factors that they think are correct. Analysts who are experienced in the industry often decide what happened before performing any investigations. Expertise and experience of such analysts may be their weakness, particularly since they would investigate a threat based on what they know.
Similarly, information technology personnel perceive their colleagues as entirely uncompromising when it comes to enforcing information security. However, it turns that not all members of an information security team will be anxious about security measures. Such kind of stereotypical overgeneralizations, including all the IT experts, all information security analysts, all information security consultants, are usually vague and incorrect, whether negative or positive, leading to misleading conclusions.
To overcome confirmation bias, information technology experts and security analysts should be creative and flexible in how they think and reason. Security analysts should be able to focus on different perspectives when analyzing a situation. Through optimum creativity, they will be able to avoid discounting or forgetting unfamiliar information or those that oppose their opinions.
Works Cited
Schneier, B. (2009). Schneier on security. John Wiley & Sons.