June 13, 2019

Do you experience Decision Fatigue and Wishful Thinking? X-Labs at Infosec19

Carl Leonard Principal Security Analyst

The X-Labs team have just returned from a busy few days at Infosecurity Europe 2019.  This London-based annual conference hosts two talk tracks (Tech and Strategy), educational seminars, keynote talks and a plethora of vendor presentations.

Forcepoint X-Labs’ scientists and leaders were out in force as 15,000+ visitors descended on the conference hall for the 3-day event.

Forcepoint X-Labs’ Human Behavior Scientist, Dr. Margaret Cunningham, spoke of the challenges (and solutions) for making decisions relating to cybersecurity in her Strategy talk “Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on Information Security Decisions”.

Dr. Cunningham began by conducting a live poll of the audience to see how they would characterize their approach to password hygiene. Some attendees admitted to re-using passwords or only changing the password slightly upon expiration.

These, and other bad decisions, have a basis in psychological concepts. Why do we not change our passwords even though we know it is a bad idea to recycle? Why do almost half of businesses not change their security strategy after an attack?

Motivated Reasoning + Decision Fatigue = Bad Decisions

Dr. Cunningham went on to explain Motivated Reasoning (aka Wishful Thinking) and Decision Fatigue and their role in our poor decisions.  Quite simply “Motivated Reasoning + Decision Fatigue = Bad Decisions”.  The positive outcomes for attendees were that they learnt how to recognise Decision Fatigue and how to respond to make better decisions at the right time for their security strategy, their SOC teams and themselves. There are proven methods to help us make better decisions. One method put forward by Dr. Cunningham was to be “choosy about choosing”.  We can limit the number of realistic options available to choose and train our “decision-making muscle” to get better at operating in our complex landscape.  This is something we at Forcepoint incorporate into our product’s Incident Risk Ranking dashboard, for example.  We provide our customers with the most pressing incidents of the day prioritised according to the risk presented to the business.

Making decisions that support existing ideas or beliefs is something that has a huge impact on our field – especially since most decision makers in our domain aren’t very familiar with dealing with human issues. In theory, those decision makers could be ignoring “human” solutions because those solutions or data points don’t fit their mental model or understanding of risks and threats. Dr. Cunningham argues that ignoring the “human” data or risk when reasoning about security solutions is a mistake (Wishful Thinking). At Forcepoint we believe our solutions stand out in that they do consider the broader context of security to help organizations such as yourselves move beyond traditional limited solutions.

Presentation now available

If you weren’t able to catch Dr. Cunningham’s talk we have a recording hosted on BrightTALK that you can watch at your leisure. The slides are also available on SlideShare.

If you were able to see our talk we thank you for taking an interest in our research and we hope you found it applicable to your daily decision-making both at home and in the office.

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

About Forcepoint

Forcepoint is a leading cybersecurity company for the protection of users and data. Its goal is to protect businesses while driving digital transformation and growth. Our solutions adapt in real time to how people interact with data, and provide secure access while enabling employees to create value.