Risky Business: Miscalculating Cyber Threats
Human beings are an amazingly resilient species. I’m not speaking merely of our collective abilities in building and growing productive civilizations the world over. I’m referring to a much more important, even if less understood, characteristic—that of our ability to deceive ourselves.
I realize that statement is loaded with controversy, if not confusion, so allow me to explain. Psychology has explored the most essential element that separates mankind from every other species on the planet—that of our ability to reason. Our mind dictates how we see the world around us and drives our behavior, no matter how deliberate or unconscious it may be.
And so, when considering how our brain processes risk, such as that rampant in the world of cybersecurity, the mind that governs every action we take is significantly impaired by its own limitations. We can thank psychologists for their contributions in helping us understand the seemingly unthinkable. The field has identified several ways we fundamentally get risk wrong. Whether it’s our tendency to underestimate threats that creep up on us (such as the daily grind of poor eating habits that contribute to a lifetime of disease complications), our propensity to substitute one risk for another (such as speeding up once we click our seatbelt), or the seductive illusion of control (where we will readily text and drive but excoriate others for doing the same), the human brain is amazingly resilient in revealing what we want to see—even if in stark contrast to actual reality.
The implications to cybersecurity are palpable. Employees readily justify risky behavior, such as clicking on unknown links or emails, if not dismissing their own judgment in questioning that which is suspicious. Cybersecurity professionals believe they are best equipped to handle the next threat, rather than relying on a third party with presumably more experience for the same. The slow drip, drip, drip of breaches that litter headlines creates an insidious perception that we are somehow immune to the next one—all the while the risk continues to creep up on us.
Consider some of the more sobering facts. According to Intel Security primary research of American consumers, 71% of those aged 18-34 believe their data is more secure today than it was a year ago. This isn’t merely a generational issue. Some 65% of those aged 35-54 agree. This, despite the fact that the number of threats in our virtual world continues to exponentially multiply. Not convinced? Ten years ago, McAfee Labs observed 25 new threats per day entering the landscape; today, that figure had exploded to more than 400,000 new threats—per day!
Muddying the waters further, it’s not as though consumers don’t believe the threatscape is more dangerous—even overestimating the number of annual data breaches in the U.S.—all while also overestimating their own capabilities in defending themselves against such clear and present risks. The powerful psychological concoction that ensues provides threat actors the world over with self-deceived consumers (and, yes, cybersecurity professionals) who might as well hang a virtual shingle on their public profile or company website with the simple message, “Your Next Victim Here.”
Take heart. There’s an answer to this problem. We’re not likely to uproot millennia of psychology evolution that have programmed our brains toward self-deceit. But, such propensities can be remediated, if not balanced, with an open and constructive dialogue about our tendency to miscalculate risk entirely. When we do, we can remove at least a few bullets, if not an entire weapon category, from the enemy’s arsenal.
Learn more about cybersecurity risk perceptions in the new book, “The Second Economy: The Race for Trust, Treasure and Time in the Cybersecurity War.”