The hidden threat of bias in cyber security

Tuesday 26 November, 3:50 pm - 4:30 pm

Speakers

Emily Tabet

Cyber Security Consultant
Phronesis Security

Synopsis

Could bias be the downfall of your security program? While we all focus on people, process and technology when building a security program, we so often overlook the most foundational principle: sound decision-making. Conscious and unconscious bias is an inescapable component of human reasoning; however, awareness and a few handy tools can go a long way in helping us manage bias, build stronger teams, and make better decisions.

In the earlier days of human evolution, bias served as a critical tool for survival, allowing us to make quick judgements and assessments of situations. It allowed us to differentiate between safe and unsafe situations, such as whether to flee from a lion or pursue a rabbit. Fast forward to today's cyber security threat environment, where our biggest perceived risks are the adversaries on the other side of the screen. This has led us to invest in advanced technologies and stringent protocols to guard against these threats. Amid this technical rigour and the pursuit of stronger defences, we often overlook a critical factor integral to every process: decision making.

This talk will first focus on the ubiquitous nature of decision making in cyber security. From threat assessment to resource allocation, we make crucial decisions continuously. Yet we are inundated with vast amounts of data, much of which is incomplete or ambiguous. This flood of information compels us to fill in the gaps with assumptions that are inevitably coloured by our own biases and by the cognitive shortcuts known as heuristics, hindering our ability to make decisions grounded in logical reasoning.

This talk will then delve into the various types of cognitive bias that infiltrate our cyber security strategies. We'll explore how the availability heuristic causes us to overestimate the likelihood of recent or memorable threats while underestimating more significant but less vivid risks. We'll examine how confirmation bias can lead us to favour information that supports our pre-existing beliefs, causing us to overlook critical vulnerabilities. We'll also look at survivorship bias, which can cause us to design security programs around what the SOC alerts on, neglecting the opportunity to address gaps in logging and monitoring systems.

By highlighting real-world examples and case studies, this talk will illustrate the tangible impacts of these biases on cyber security outcomes. From flawed risk assessments and inadequate incident responses to misallocated resources and misguided investment priorities, the consequences of bias are far-reaching and costly.

The talk will conclude with strategies to mitigate the influence of bias, exploring tools to identify and manage biases, such as structured analytical techniques, and the importance of building a team that is diverse in both skills and lived experience. It's crucial to understand that biases can be inherently useful in decision making, and so, by the end of this talk, we aim to reveal how the primal instincts of our ancestors, which once guided them through life-and-death decisions, can be better utilised to help us navigate the sophisticated cyber battles of today and the future.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.