Action Bias and the Two Most Dangerous Words in Cybersecurity

Conference: BlackHat USA 2021

Most cybersecurity professionals acknowledge that achieving perfect security is impossible. Yet they nobly strive for perfection as the ultimate goal and feel loss, failure, and regret when incidents inevitably occur. Human instinct, especially in reaction to crisis or catastrophe, is to react and respond forcefully and immediately. In this session, we will talk about action bias and when immediate action is appropriate and when it is counterproductive. Behavioral science has demonstrated that action bias can lead to wasteful spending and suboptimal outcomes. We will describe how action bias impacts users, security professionals, and leaders. Users display action bias, such as demanding password resets and virus scans when they think they've been hacked, even when there is no evidence of it, a tendency that attackers exploit in phishing expeditions. CISOs and other security leaders exhibit action bias following a breach or attack when they act quickly based on a sense of urgency and a need for control, rather than applying deliberate analysis, even if the cost of proposed defenses outweighs the value protected or the loss suffered. We present countermeasures to temper the occurrence and effects of action bias based on the findings of behavioral science. While there is no cure for cognitive bias, tools such as "pre-flight" checklists and pre-mortems (as used in risk management) can mitigate the dangers of action bias. Using these tools, the cybersecurity community can evolve to address the two most dangerous words in cybersecurity — "never again" — uttered in desperation even when incidents reoccur. As a result, we can be rationally prepared to make unbiased decisions.