The Threat Actor You Can't Detect: Cognitive Bias (securityledger.com) 88
Long-time Slashdot reader chicksdaddy shares news of a recent report from cybersecurity company Forcepoint's X-Lab, examining how cybersecurity decision-making is affected by six common biases:
For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies." However, studies have found the opposite to be true: younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend. Biases like this misinform security professionals by directing their focus to individual users based on their supposed group membership. In turn, analysts wrongly direct their focus to the wrong individuals as sources of security issues.
Availability bias may influence cybersecurity analysts' decision-making in favor of hot topics in the news, which ultimately cloud other information they may know but are not so frequently exposed to; leading them to make less well-rounded decisions. People encounter "confirmation bias" most frequently during research. By neglecting the bigger picture, assumptions are made and research is specifically tailored to confirm those assumptions. When looking for issues, analysts can often find themselves looking for confirmation of what they already believe to be the cause as opposed to searching for all possible causes.
The fundamental attribution error also plays a significant role in misleading security analysts, Forcepoint found. This is manifested when information security analysts or software developers place blame on users being inept instead of considering that their technology may be faulty or that internal factors contributed to a security lapse.
The report also cites what it calls the framing effect. "Security problems are often aggressively worded, and use negative framing strategies to emphasize the potential for loss."
Availability bias may influence cybersecurity analysts' decision-making in favor of hot topics in the news, which ultimately cloud other information they may know but are not so frequently exposed to; leading them to make less well-rounded decisions. People encounter "confirmation bias" most frequently during research. By neglecting the bigger picture, assumptions are made and research is specifically tailored to confirm those assumptions. When looking for issues, analysts can often find themselves looking for confirmation of what they already believe to be the cause as opposed to searching for all possible causes.
The fundamental attribution error also plays a significant role in misleading security analysts, Forcepoint found. This is manifested when information security analysts or software developers place blame on users being inept instead of considering that their technology may be faulty or that internal factors contributed to a security lapse.
The report also cites what it calls the framing effect. "Security problems are often aggressively worded, and use negative framing strategies to emphasize the potential for loss."
Get off of my lawn (Score:3, Funny)
Finally, a story which lets old farts wave our cane at the peach fuzz post millennial script kids and actually be on topic.
Re: (Score:3)
Uh... no.
Peach fuzz has ALWAYS referred to that fine facial hair boy tend to have just BEFORE they begin shaving.
I do believe millennials have had their minds washed out with soap. I know they think they invented averything and if they didn't invent it, it doesn't exist
Re: (Score:2)
Aren't millenials typically characterized by their love of thick male facial hair?
Re: (Score:1)
Your CISO and his/her management team is cognitive (Score:1)
Incompeted people build incompetent teams. Risk management only works if you understand risks.
Re: (Score:2, Insightful)
It *is* interesting. This phenomenon is human-wide (well, bayesian reasoner wide), but it's only possible to notice it among those who are disagreeing with you, whatever your point of view is.
There are theoretical reasons for believing that the problem cannot be addressed within the bound of bayesian logic, because it stems from disagreement about priors. It has been proven rigorously (can't recall the source) that when bayesian reasoners disagree about their priors in certain ways (damn! I wish I recalle
Re: (Score:2)
Humans aren't machines, for example there's every indication that the world is unfair. Yet pretty much every major religion has some form of karma or judgement day where the good are rewarded and the bad punished to make the world fair. Most people want to believe in a world that's better than the one they're actually living in, you can't fix that with facts because the facts don't support it.
Re: (Score:2)
This phenomenon is human-wide (well, bayesian reasoner wide), but it's only possible to notice it among those who are disagreeing with you, whatever your point of view is.
This is why I enjoy discussing topics with people who have a different opinion or point of view. Those I fully agree with are preaching to the choir, so there's not much to learn. Those with different opinions can be interesting if they know why they hold different opinions and if they have consistency in their thoughts and opinions. Unfortunately I find a lot of people hold opinions that they can't explain or are highly inconsistent.
Re: (Score:2)
This is why I enjoy discussing topics with people who have a different opinion or point of view. Those I fully agree with are preaching to the choir, so there's not much to learn. Those with different opinions can be interesting if they know why they hold different opinions and if they have consistency in their thoughts and opinions. Unfortunately I find a lot of people hold opinions that they can't explain or are highly inconsistent.
The problem is the rise of Post-Modernism in the West. It views everything as perception, with no objective facts or logic necessarily involved, especially if such are inconvenient to desired perceptions of reality. Nearly the entirety of intersectional identity politics, SJW movements, and socialist/socialist-lite ideologies are based on Post-Modernist principles. Post-Modernism is totally antithetical to Enlightenment principles of objective fact and logical consistency which are the basis for science, t
Re: (Score:2, Interesting)
This report might suggest that the training of a cybersecurity professional should include tools for detecting and understanding both technical, people and organizational failures and weaknesses. Experienced professionals are just not available for every company.
Re: (Score:2)
Actually, they DO fall into these traps. It's just that they do so at a higher level of abstraction, or in a much subtler way.
FWIW, I still make arithmetic mistakes. I *know* better, and when I take the time and care I *can* get the right answer and check that it is right. And I still occasionally reverse the direction of a comparison in programming. Training warns you about where mistakes are likely, but it doesn't keep you from making them. And sometimes the error checks aren't feasible...or you just
Re: (Score:2)
The ones that are properly trained don't fall into these traps and have baroque university educations for infosec that just weren't available even a decade ago.
Careful with that bias as well. SOME are better trained and have deeper knowledge, For others, BS, MS, and PhD just mean exactly that, more of the same, and piled higher and deeper respectively.
This is just mismanaged security paradigm. (Score:1)
Exactly, this has nothing to do with "age bias" and everything to do with misplaced security perspective. NO USER, REGARDLESS OF AGE, should be "trusted" or "untrusted, more scrutiny" as a basis of their perceived "group" - and that flawed mentality obviously goes a lot further than just age bias or race/gender/etc bias, it's obviously a complete undoing of a proper tiered/segmented security model. No user regardless of age should be in a position to damage the company even if they should be a malicious a
Re: This is just mismanaged security paradigm. (Score:1)
You sound like exactly why the C-Suite doesnâ(TM)t want to actually spend money on this. Youâ(TM)re worldview is actually hopeless. You ask for way too much, and canâ(TM)t justify it. You simply shout âoeyou fail!â The business has to run. If you destroy what you seek to protect in the process of protecting it,... you fail security!
Re: (Score:3)
Indeed. And competent technical people may be more expensive that the ones managing them and when you have them you need to let _them_ call the shots. That does not go well with the typical level of ego found in "leaders".
The best one-liner I have heard for this is "A players hire A players, B players hire C players."
The industry is full of B players on all levels of management.
It depends (Score:5, Funny)
"younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services."
There's a difference between sharing a Netflix/Hulu password and an Amazon one.
With the latter, you can actually buy something.
They'll get ripped off and then they get as old and as wise as we are. :-)
Re: (Score:2)
Re: (Score:2)
It's also a useless metric without knowing if they use the same password for Netflix and Amazon, and what their take-up rate of 2FA is.
Re: Wow, there's some serious idiocy in this "repo (Score:1)
Hey, give them a break. This is Websense trying to use flame bait marketing to remind the world that despite of enraging generations of infosec engineers by their bugs and false positives, and changing hands multiple times, the company is not dead. Yet.
Off topic (Score:2)
Sigh
Aggressive wording (Score:3)
Yeah, I had a desk just over the cube wall from the security department for a couple years and had to hear all sort of insularity and other nonsense from over there, the worst of which was when they used "cop talk". I swear half of those people are just like the "whackers" in ham radio -- they carry traffic cones and reflective vests in the trunk of their surplus Crown Vic. The other half of them are former juvenile delinquents now collecting a big check for spouting cool stuff with the word "cyber" in front of it and running script kiddie grade scanning software. Norbert Wiener is spinning so hard in his grave that he could solve our renewable energy crisis.
Wait a second... (Score:2)
Is it really my cognitive bias or is it my ego biasing me toward my own importance to security? ;)
Type of bias (Score:2)
This doesn't sound like cognitive bias so much as the "experts" just not being very good at their job.
I'm willing to cut them some slack and acknowledge that their job is not especially easy, but they should do better than starting with initial prejudices just made up out of thin air.
That's not what that means (Score:4, Insightful)
"younger people are far more likely to engage in risky behavior like sharing their passwords to streaming services. The presumption that older workers pose more of a risk than younger workers is an example of so-called "aggregate bias," in which subjects make inferences about an individual based on a population trend."
Look, both confirmation bias and aggregate bias are real things, but you can't just throw the terms into a discussion anywhere and see if they stick. You've just said that studies have found that younger people are more prone to risky behavior. If I assume that that's true (I believe it, but you didn't give me any supporting evidence) then this is the exact opposite of aggregate bias - subjects are making inferences based upon their preconceived notions, in direct contradiction of population trends (which are that it should be younger people who are riskier.) It would be aggregate bias if, knowing what we now know, we assumed the guilt of specific young people based on the results of these studies you're telling us about.
And it's only confirmation bias if the people getting it wrong are supporting their position by picking and choosing data points where older people have risky behavior, and ignoring data where older people are secure and younger people are risky. Since you never say anything about any specific evidence gathering at all, it's not confirmation bias either. It's just ignoring all the evidence and making up the answer that you already believe; that's not confirmation bias, that's "lying".
Bad people (Score:3)
Hire on merit and look into the past of your workers.
Build a great team.
Grow your brand.
The "bigger picture" is to look into the past of everyone who you could have to trust and think about who to trust.
Don't risk your brand, wealth with people who don't like working on your projects.
Re: (Score:2)
Why should you be unable to detect this? (Score:2)
Of course young people do riskier things. It is a constant of human behavior. Detecting this bias is done by questioning your assumptions and then comparing them to available data. That requires you to be smart and able to admit you may be wrong. Seems to me the problem here is people that cannot do that in positions where this is a required skill.
That makes this (again!) a problem of unqualified people with responsibilities they cannot live up to. And that is usually a sign of "management" trying to do thi
Re: (Score:2)
utter garbage (Score:2)
That is... wow... that's personally hurtful.
This is utter garbage, except that I can understand where the author comes from. Let me explain both parts:
Utter garbage - because I teach in my risk management and ISMS courses extensively about cognitive bias and half a dozen other psychological factors we need to take into account to arrive at good, solid results and make fact-based, good decisions. It's a topic in many of the (good) risk management books I've read as well as the one I've just finished writing
Re: (Score:2)
Re: (Score:2)
There always were, even 10 years ago, they just were a minority and didn't have PR departments to get into the newspapers and magazines.
aggregate bias? (Score:2)
like inventing new words? normal people would just call it 'prejudice'.
you know assuming anything about a person without any facts.
yep (Score:2)
For instance, Forcepoint found that older generations are typically characterized by information security professionals as "riskier users based on their supposed lack of familiarity with new technologies."
"Young people are better with tech" may have been a thing, for certain values of "tech", in the 70s and early 80s. Not since. It survives as a meme though since we are slow to change those.