“Thinking about thinking” is critical to cybersecurity
Thinking About Thinking: Exploring Bias in Cybersecurity with Insights from Cognitive Science
Humans make a lot of decisions each day, whether we are aware of it or not. Research shows that people make approximately 200 decisions about food every single day*. Depending on how “decision” is defined, the daily number can creep into the tens of thousands. Although we may believe our decisions are rational, cognitive scientists argue that we are far less objective than we think. Cognitive biases shape our cybersecurity decisions from the keyboard to the boardroom, and these decisions ultimately determine the effectiveness of our cybersecurity solutions.
Seeing Isn’t Always Believing
Consider the following question**:
Jack is looking at Anne, but Anne is looking at George. Jack is married, but George is not. Is a married person looking at an unmarried person?
- A. Yes
- B. No
- C. Cannot be determined
Up to 80% of respondents select “C.”
The correct answer is actually “A.” It doesn’t matter whether Anne is married or not. If she is married, she is looking at an unmarried person, George. If she is not married, then Jack is looking at an unmarried person, Anne. People often choose “C” because Anne’s marital status is not provided in the question. In this example, people use a mental shortcut to link Anne’s missing information to “cannot be determined” rather than thinking through multiple options.
Taking mental shortcuts is not limited to tricky logic questions; we use shortcuts so frequently and effortlessly that we do not even realize we are doing it. However, humans are also capable of engaging in complex analytic thoughts and of solving extraordinarily difficult problems.
Dual Process Theory explains human thought by separating it into two modes (for a full overview of Dual Process Theory, heuristics, and bias, see the work of Daniel Kahneman):
- System 1 is aligned with human intuition. It is characterized by fast, effortless, and emotional thoughts that we unconsciously link with past experiences, thoughts, and patterns.
- System 2 is aligned with analytic and logical thought. It is characterized by effortful thinking and reasoning that we are typically aware of.
Whether we like (or realize) it or not, we spend the vast majority of our lives immersed in System 1 thinking. Our brains use System 1 to optimize the body’s energy—20% of which is going toward brain function. System 1 makes it possible to quickly and effortlessly complete many simple tasks we engage in throughout the day, such as tying shoes, locating sounds, or avoiding potholes while driving. If we had to depend completely on System 2 and engage in effortful, exact thinking for every decision we’re faced with throughout a day, we might never make it out of the front door in the morning.
Although System 1 allows us to function and conserve valuable brain power, it also creates problems. Our automatic thoughts frequently influence our decisions without our awareness, decisions that would be far better suited for a full System 2 analysis. These subconscious influences, or cognitive biases, are systematic departures from logic where rules of thumb supersede the facts at hand.
Decide to Do Cybersecurity Better
Our daily cybersecurity decisions are influenced by our cognitive biases, and while we won’t ever completely escape bias, we can prepare ourselves to make better decisions by thinking about thinking. When we think about thinking, and build awareness of cognitive bias across our organizations, we can better identify situations where critical decisions are susceptible to the negative impacts of bias.
* Wansink, B. & Sobal, J. (2007). Mindless Eating: The 200 Daily Food Decisions We Overlook. Environment & Behavior, 39, 106-123
** Hector Levesque, as cited by Keith Stanovich, “Rational and Irrational Thought: The Thinking that IQ Tests Miss”
Learn more about negating the impact of specific cognitive biases on your company’s security decisions in our new report on using cognitive science to understand bias in cybersecurity.