Cognitive bias: The risk from everyone in your organization, including you

Risks to enterprises are not only of the security-breach variety, coming from outside attackers, malicious insiders or even careless employees. Another comes from everybody in an organization, even its most loyal, careful and capable members.

"Everybody has biases; no one is immune," said Benjamin Brown, information security program manager at Akamai Technologies, in a presentation Tuesday at SOURCE Boston titled "Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)." OSINT, he said, is intelligence produced from publicly available information. OSINT is useful for numerous things, he said, including analysis of attack vectors and safety concerns, recognizing leaks and breaches, conducting privacy audits, understanding threat actors, gathering competitive intelligence and conducting due diligence when evaluating prospective hires, clients and partners. But that also means any bias in analyzing it matters a lot, he added, because it can lead to false conclusions that in some cases could unwittingly damage an organization and in others lead to unwarranted FUD (Fear, Uncertainty and Doubt).

Fortunately, there are ways to manage it, but that takes a willingness to admit that one is vulnerable to it, which can sometimes be difficult. Brown said part of the problem is that people are naturally inclined to think others are more biased, and that they are less so.

And it is easy, especially when using open-source resources such as search engines, social networks, e-commerce sites and mainstream media, to get sucked into seeking out evidence that supports an initial hypothesis while ignoring or discounting evidence that might challenge or undermine it. This is confirmation bias, he said, likening it to the Texas sharpshooter fallacy, in which a shooter fires a hail of bullets at the side of a barn, then walks up to the wall, finds the tightest grouping of bullet holes and draws a bull's-eye around it. That kind of bias tends to avoid, or refuses to accept, information that would support competing hypotheses.

Another he called the echo effect, where a hypothesis is picked up and repeated to the point where its original source is obscured and the analysis becomes an exercise in groupthink rather than rigorous, objective evaluation.

Another problem is that not all open sources are equally credible. "The quality of open-source intelligence is highly variable," he said.

What to do? Be skeptical, especially of yourself, Brown said, adding that vendors particularly need to be aware of possible conflicts of interest in their assumptions. "Beware the belief that your bias is actually insight," he said. Ask yourself: "What do I think I know, how do I think I know it, and when would it be false?" he said, adding that when you don't know what you don't know, you have a bias problem.

Brown said the way to eliminate as much bias as possible from an evaluation is to define the problem, identify all possible hypotheses, collect information and evaluate the hypotheses.

In the evaluation process, he said, it is important to take a contrarian, devil's-advocate view of each hypothesis, even those seen as most likely to be correct; to check all assumptions and their origins; and to consult peers and outside experts, who might notice things you, or your team, are missing. Finally, he recommended choosing the hypothesis that has the least evidence against it, keeping conclusions tentative while continuing to collect data and form alternate hypotheses, and considering your organization's goals and customers along with the evaluation's costs in time and personnel. And if you want your conclusions to have some credibility, show your methodology, he said, noting that too many reports, on everything from APTs to DDoS attacks and more, issue sensational conclusions with no methodology shown for how they were reached.
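As an added worked example (written for this page, not from Brown's talk or the article), the evaluate step above can be made mechanical with an Analysis-of-Competing-Hypotheses style matrix: each piece of evidence is rated against every hypothesis, evidence that fits all hypotheses equally is flagged as non-diagnostic (the kind confirmation bias mistakes for support), and the hypothesis with the least evidence against it wins, with ties reported as tentative. The incident, hypotheses and ratings are constructed.

```python
"""ACH-style scoring of competing hypotheses: rank by evidence against,
flag non-diagnostic evidence, and report ties as tentative."""
from typing import Dict, List, Tuple

# Constructed scenario: a burst of failed logins on a customer portal.
HYPOTHESES = ["credential stuffing", "internal load test", "scraper bot"]

# Per evidence item, each hypothesis is rated Consistent ("C"),
# Inconsistent ("I") or Neutral ("N"). Ratings are constructed.
EVIDENCE: Dict[str, Dict[str, str]] = {
    "spike in failed logins":
        {"credential stuffing": "C", "internal load test": "C", "scraper bot": "C"},
    "source IPs from one cloud range":
        {"credential stuffing": "N", "internal load test": "C", "scraper bot": "C"},
    "usernames match a public dump":
        {"credential stuffing": "C", "internal load test": "I", "scraper bot": "I"},
    "no change ticket filed":
        {"credential stuffing": "N", "internal load test": "I", "scraper bot": "N"},
}


def diagnostic_evidence(evidence: Dict[str, Dict[str, str]]) -> List[str]:
    """Evidence rated the same against every hypothesis cannot discriminate
    between them; counting it as support for a favourite is confirmation bias."""
    return [name for name, ratings in evidence.items()
            if len(set(ratings.values())) > 1]


def score(hypotheses: List[str], evidence: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count inconsistent items per hypothesis. ACH ranks by evidence
    against a hypothesis, not by how much evidence seems to fit it."""
    return {h: sum(1 for ratings in evidence.values() if ratings[h] == "I")
            for h in hypotheses}


def rank(hypotheses: List[str], evidence: Dict[str, Dict[str, str]]) -> Tuple[str, bool]:
    """Return (best, tentative): the hypothesis with the least evidence
    against it, and whether it is tied with the runner-up (keep collecting)."""
    scores = score(hypotheses, evidence)
    ordered = sorted(hypotheses, key=lambda h: scores[h])
    tentative = len(ordered) > 1 and scores[ordered[0]] == scores[ordered[1]]
    return ordered[0], tentative


if __name__ == "__main__":
    print("diagnostic evidence:", diagnostic_evidence(EVIDENCE))
    print("evidence against:", score(HYPOTHESES, EVIDENCE))
    print("least evidence against, tentative:", rank(HYPOTHESES, EVIDENCE))
```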

Stories by Taylor Armerding