Biases in Perceptions of Information Security Threats

As of March 2020, everyone was asked to work from home where possible. This current shift in situation presents not only technological but also human factor challenges for information security. Organizations will have to tailor their awareness campaigns and training to target issues specific to working from home, confronting new security-based obstacles that their employees and clients might be facing.

In order to maintain both personal and organizational security, individuals must perceive information security risks realistically. However, people’s judgments regarding information security risks are influenced by a wide range of cognitive biases.

Cognitive biases are inherent characteristics of human nature and are present in everyday life. Biases refer to a predisposition to think a certain way, and affect our subsequent decisions, judgments and behaviors.

These biases often arise when we interpret risk and make decisions, particularly in times of uncertainty. There is a plethora of cognitive biases that have impact and consequence on the way we perceive information security risks. Here I will discuss two cognitive biases: optimism bias, and fatalistic thinking.

Optimism bias and information security
Optimism bias is sometimes used interchangeably with ‘overconfidence’, and refers to the phenomenon whereby individuals believe they are less likely than others to experience a negative event. This particular bias is said to transcend age, race and gender.

For example, experts have demonstrated the presence of the optimism bias in the beginning of the COVID-19 crisis. Research has revealed that, at least at the start of the outbreak, people underestimated their own risk of becoming ill or passing on the virus.

Optimism bias has further been demonstrated in information security risk perceptions. There are many reports that individuals perceive their risk to information security attacks, such as phishing, to be lower than others.

A recent poll of 2000 remote workers revealed that 77% said that they weren’t worried about security while working at home. This also extends to organizational contexts, where individuals believe their own organization to be at relatively lower risk to information security threats than other competitor organizations.

Fatalistic thinking and information security Fatalistic thinking refers to an outlook where individuals may believe they have no power to influence risks personally, as risks are controlled by external forces. In information security, this might mean believing there is nothing you can personally do to prevent a phishing attack, because you’re going to fall victim to a phishing attack anyway. Or believing that everything is ‘hackable’ and so there’s little point in protection efforts.

This feeling may augment with home working, as employees are distanced from usual organizational support.

Why is this important?As seemingly opposite as fatalistic thinking and optimism bias sound, they both stem from misinterpretations of risk and can lead to similar behavioral consequences. Individuals can both be optimistic about their own risk and believe that they have no power to reduce the risk anyway.

In addition to resulting in incorrect perceptions, optimism bias and fatalistic thinking can lead to increased vulnerability. If individuals are optimistically biased regarding information security threats, they may not take the precautionary measures to reduce risks. Similarly, if individuals believe risks are dictated solely by external forces, this will also reduce precautionary action. Both these biases can therefore actually increase risk.

How might we reduce the increased risk biases pose?Although these biases are heavily engrained, all is not lost. Instead of seeing the human as the ‘problem’, empowering employees to be part of the solution to information security issues might be a way forward.

It may help to take a ‘human as a solution’ approach to information security. In information security, humans are often viewed as the biggest issue. Therefore, efforts are made to exclude and control them. This removes the opportunity for individuals to contribute to their organization’s cybersecurity.

It is really no surprise individuals demonstrate perceptual biases if they are made to feel like the weakest link. Instead, organizations should learn from and involve employees in information security.

For example, organizations could ask employees the information security risks and problems they might be experiencing, or envisage experiencing, when working from home.

Firstly, this could reduce fatalistic thinking by demonstrating how employees can play an active role in reducing information security risks. Secondly, this could reduce optimism bias through awareness of security issues and by learning from a positive attitude. Hence, learning from employees could increase overall security.

Understanding biases may also help organizations tailor information and training. Training people to understand and cope with the risk should be at the forefront. Especially in the case of fatalistic thinking, organizations might endeavor to remove fear appeals as a method for communication and increasing feelings of morale and employees’ abilities to cope with threats.

Summary Overall, cognitive biases such as unrealistic optimism and fatalistic thinking are present in our everyday lives and can have negative impacts for risk mitigation. However, cognitive biases are normal mechanisms in human thinking and viewing the human as a solution, rather than a problem, could perhaps in itself mitigate any risks biases pose.