Action Bias and the Two Most Dangerous Words in Cybersecurity

Presented at Black Hat USA 2021, Aug. 5, 2021, 11:20 a.m. (40 minutes)

Most cybersecurity professionals acknowledge that achieving perfect security is impossible. Yet, they nobly strive for perfection as the ultimate goal and feel loss, failure, and regret when incidents inevitably occur. Human instinct, especially in reaction to crisis or catastrophe, is to react and respond forcefully and immediately.

In this session, we will talk about action bias: when immediate action is appropriate and when it is counterproductive. Behavioral science has demonstrated that action bias can lead to wasteful spending and suboptimal outcomes. We will describe how action bias affects users, security professionals, and leaders. Users display action bias when, for example, they demand password resets and virus scans because they think they have been hacked, even when there is no evidence of it, a tendency attackers exploit in phishing expeditions. CISOs and other security leaders exhibit action bias following a breach or attack when they act quickly out of a sense of urgency and a need for control, rather than applying deliberate analysis, even if the cost of the proposed defenses outweighs the value protected or the loss suffered. We present countermeasures, based on the findings of behavioral science, to temper both the occurrence and the effects of action bias.

While there is no cure for cognitive bias, tools such as "pre-flight" checklists and pre-mortems (as used in risk management) can mitigate the dangers of action bias. Using these tools, the cybersecurity community can evolve to address the two most dangerous words in cybersecurity — "never again" — uttered in desperation even when incidents reoccur. As a result, we can be rationally prepared to make unbiased decisions.


Presenters:

  • Douglas Hough - Senior Associate, Johns Hopkins University Bloomberg School of Public Health
    Dr. Douglas Hough is the Associate Director of the Master of Health Administration Program at the Johns Hopkins Bloomberg School of Public Health, Department of Health Policy and Management. He also holds a joint appointment in the Johns Hopkins Carey Business School, where he teaches economics to public health students, physicians, and other health care providers. Before joining the Carey Business School, where he was instrumental in the early development of the MPH/MBA program, Doug worked as a research economist at the American Medical Association, a manager in the health care consulting division of the former accounting firm Coopers & Lybrand, and a partner in two health care strategy consulting firms. Dr. Hough is also an author; his most recent book, Irrationality in Health Care: What Behavioral Economics Reveals About What We Do and Why, looks at the state of American health care through the lens of behavioral economics and encourages patients, physicians, and policy makers to take a harder look at our actions and reactions so we can make better choices for our health and well-being. Doug earned an MS and PhD in Economics from the University of Wisconsin. His research interests are in identifying the optimal size and structure of a physician practice, and in the application of the emerging field of behavioral economics to contemporary health care issues.
  • Josiah Dykstra - Technical Fellow, Cybersecurity Collaboration Center, National Security Agency
    Dr. Josiah Dykstra is a subject matter expert in cybersecurity at the National Security Agency. He has spent the past 17 years as a practitioner and researcher in digital forensics, cloud computing, network security, penetration testing, and human factors. Josiah holds a PhD in computer science from the University of Maryland, Baltimore County. He is the author of one book and numerous research papers, and in 2017 he received the Presidential Early Career Award for Scientists and Engineers. He is a Distinguished Member and Distinguished Speaker of the Association for Computing Machinery (ACM), Fellow of the American Academy of Forensic Sciences (AAFS), and has spoken at Black Hat and RSA.
