Security

The Threat Actor You Can't Detect: Cognitive Bias (securityledger.com)

Long-time Slashdot reader chicksdaddy shares news of a recent report from cybersecurity company Forcepoint's X-Lab, examining how cybersecurity decision-making is affected by six common biases: For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies." However, studies have found the opposite to be true: younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend. Biases like this misinform security professionals by directing their focus to individual users based on their supposed group membership. In turn, analysts end up treating the wrong individuals as the sources of security issues.

Availability bias may influence cybersecurity analysts' decision-making in favor of hot topics in the news, which ultimately cloud other information they may know but are not so frequently exposed to, leading them to make less well-rounded decisions. People encounter "confirmation bias" most frequently during research. By neglecting the bigger picture, assumptions are made and research is specifically tailored to confirm those assumptions. When looking for issues, analysts can often find themselves looking for confirmation of what they already believe to be the cause, as opposed to searching for all possible causes.

The fundamental attribution error also plays a significant role in misleading security analysts, Forcepoint found. This is manifested when information security analysts or software developers place blame on users being inept instead of considering that their technology may be faulty or that internal factors contributed to a security lapse.

The report also cites what it calls the framing effect. "Security problems are often aggressively worded, and use negative framing strategies to emphasize the potential for loss."
  • Incompetent people build incompetent teams. Risk management only works if you understand risks.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This report might suggest that the training of a cybersecurity professional should include tools for detecting and understanding both technical, people and organizational failures and weaknesses. Experienced professionals are just not available for every company.

    • by Anonymous Coward

      Exactly, this has nothing to do with "age bias" and everything to do with misplaced security perspective. NO USER, REGARDLESS OF AGE, should be "trusted" or "untrusted, more scrutiny" as a basis of their perceived "group" - and that flawed mentality obviously goes a lot further than just age bias or race/gender/etc bias, it's obviously a complete undoing of a proper tiered/segmented security model. No user regardless of age should be in a position to damage the company even if they should be a malicious a

      • You sound like exactly why the C-Suite doesn't want to actually spend money on this. Your worldview is actually hopeless. You ask for way too much, and can't justify it. You simply shout "you fail!" The business has to run. If you destroy what you seek to protect in the process of protecting it,... you fail security!

    • by gweihir ( 88907 )

      Indeed. And competent technical people may be more expensive than the ones managing them, and when you have them you need to let _them_ call the shots. That does not go well with the typical level of ego found in "leaders".

      The best one-liner I have heard for this is "A players hire A players, B players hire C players."
      The industry is full of B players on all levels of management.

  • It depends (Score:5, Funny)

    by nospam007 ( 722110 ) * on Sunday June 23, 2019 @03:58PM (#58810618)

    "younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services."

    There's a difference between sharing a Netflix/Hulu password and an Amazon one.

    With the latter, you can actually buy something.

    They'll get ripped off and then they get as old and as wise as we are. :-)

    • by AmiMoJo ( 196126 )

      It's also a useless metric without knowing if they use the same password for Netflix and Amazon, and what their take-up rate of 2FA is.

  • by Lije Baley ( 88936 ) on Sunday June 23, 2019 @04:28PM (#58810720)

    Yeah, I had a desk just over the cube wall from the security department for a couple years and had to hear all sort of insularity and other nonsense from over there, the worst of which was when they used "cop talk". I swear half of those people are just like the "whackers" in ham radio -- they carry traffic cones and reflective vests in the trunk of their surplus Crown Vic. The other half of them are former juvenile delinquents now collecting a big check for spouting cool stuff with the word "cyber" in front of it and running script kiddie grade scanning software. Norbert Wiener is spinning so hard in his grave that he could solve our renewable energy crisis.

  • Is it really my cognitive bias or is it my ego biasing me toward my own importance to security? ;)

  • This doesn't sound like cognitive bias so much as the "experts" just not being very good at their job.

    I'm willing to cut them some slack and acknowledge that their job is not especially easy, but they should do better than starting with initial prejudices just made up out of thin air.

  • by Sir Realist ( 1391555 ) on Sunday June 23, 2019 @07:53PM (#58811350)

    "younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend."

    Look, both confirmation bias and aggregate bias are real things, but you can't just throw the terms into a discussion anywhere and see if they stick. You've just said that studies have found that younger people are more prone to risky behavior. If I assume that that's true (I believe it, but you didn't give me any supporting evidence) then this is the exact opposite of aggregate bias - subjects are making inferences based upon their preconceived notions, in direct contradiction of population trends (which are that it should be younger people who are riskier.) It would be aggregate bias if, knowing what we now know, we assumed the guilt of specific young people based on the results of these studies you're telling us about.

    And it's only confirmation bias if the people getting it wrong are supporting their position by picking and choosing data points where older people have risky behavior, and ignoring data where older people are secure and younger people are risky. Since you never say anything about any specific evidence gathering at all, it's not confirmation bias either. It's just ignoring all the evidence and making up the answer that you already believe; that's not confirmation bias, that's "lying".

  • by AHuxley ( 892839 ) on Sunday June 23, 2019 @07:57PM (#58811358) Journal
    Who spent years with bad people are not going to look after your work.
    Hire on merit and look into the past of your workers.
    Build a great team.
    Grow your brand.
    The "bigger picture" is to look into the past of everyone who you could have to trust and think about who to trust.
    Don't risk your brand, wealth with people who don't like working on your projects.
  • Of course young people do riskier things. It is a constant of human behavior. Detecting this bias is done by questioning your assumptions and then comparing them to available data. That requires you to be smart and able to admit you may be wrong. Seems to me the problem here is people that cannot do that in positions where this is a required skill.

    That makes this (again!) a problem of unqualified people with responsibilities they cannot live up to. And that is usually a sign of "management" trying to do thi

  • That is... wow... that's personally hurtful.

    This is utter garbage, except that I can understand where the author comes from. Let me explain both parts:

    Utter garbage - because I teach in my risk management and ISMS courses extensively about cognitive bias and half a dozen other psychological factors we need to take into account to arrive at good, solid results and make fact-based, good decisions. It's a topic in many of the (good) risk management books I've read as well as the one I've just finished writing

    • In the past five years, the security consultant community has been completely transforming. There are some really impressive companies right now.
      • by Tom ( 822 )

        There always were, even 10 years ago, they just were a minority and didn't have PR departments to get into the newspapers and magazines.

  • like inventing new words? normal people would just call it 'prejudice'.
    you know assuming anything about a person without any facts.

  • For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies."

    "Young people are better with tech" may have been a thing, for certain values of "tech", in the 70s and early 80s. Not since. It survives as a meme though since we are slow to change those.
