Cognitive bias is a fundamental flaw that exists in every one of us. Put simply, it means we have preconceived notions about the world around us based on emotional responses and past experiences. These notions stem from evolutionary traits that helped to keep our ancestors safe from nibbling on a potentially poisonous berry or from going near that cave with the sabretooth tiger. In more recent times, however, these preconceptions help to shape our opinions. They allow the brain to take mental shortcuts to speed up decision-making, which can, amongst other things, allow us to be deceived. The human brain is incredibly complex, and we still do not fully understand it, but what we do know is that without an understanding of what cognitive bias is and how it can impact your business, you too could fall victim to a clever cyber criminal.
Cognitive bias is something that hackers often exploit to craft their nefarious campaigns. In many instances, threat actors utilise and harness misinformation to enhance these biases in their potential targets. Knowing how someone will react before they do allows many cyber criminals to successfully infiltrate organisations and exfiltrate data. It is this very notion that makes tactics such as phishing and social engineering so successful. However, by gaining a better understanding of cognitive bias, CISOs, security teams and consumers can use this intelligence to shape their security postures and actually improve security awareness culture within their organisations.
Common cognitive biases and their potential impact
Cognitive errors play a major role in behavioural finance theory, but their real-world application has been used by fraudsters and cyber criminals for decades. Here are some of the most relevant cognitive biases, and how they could impact you.
Confirmation Bias – This is one of the most common forms of cognitive bias, whereby individuals look for information that confirms their pre-existing ideas. This form of bias has become all the more pertinent in the age of social media ‘filter bubbles’, where users surround themselves only with individuals they agree with. This not only presents a challenging ethical issue in the world of fake news and disinformation, but can also give a criminal the opportunity to steal money or trade secrets. In the Twitter hack, many unsuspecting users trusted unauthorised Tweets from verified accounts because they seemed to conform to their existing conceptions of the business or CEO. Unfortunately, this type of bias may prevent individuals from looking at situations objectively, recognising a potential threat and stopping it before it has a real impact, simply because many do not want to accept that their preconceptions are wrong.
Herd Mentality Bias – Herd mentality bias is when individuals follow what their peers are doing, assuming it is safe or sensible to do so. Rather than taking an objective stance, individuals may follow their emotions and the momentum of the crowd. If a colleague sends a link to a work group chat and everyone is reacting to it, your fear of missing out may overcome your cyber security awareness training, and you might click on the link for a quick laugh. Deep down, we know that we shouldn’t click on random links, but the fact that your colleagues did it means that you’re the odd one out for not taking part.
Framing Bias – Framing is one of the most commonly exploited vectors in business email compromise (BEC) scams. Framing is when an individual makes a decision because of the way information is presented, rather than by examining the facts. If you received an email from your CEO saying they have an “urgent task for you”, your fear of getting fired may supersede analytical thinking. In this instance, a cyber criminal has framed the scam in such a way that you may not properly question it.
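The framing described above (a message that pairs an executive's name with urgency and a request for money) leaves traces a mail gateway can check mechanically, even when the recipient's judgement is clouded. The following is an added example, not code from the original article: a small triage heuristic that scores an inbound message on display-name impersonation (a known executive's name on an address that is not theirs), a mismatched Reply-To domain, urgency phrasing and payment requests. The company domain, executive directory, thresholds and sample messages are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Assumed company directory for this example (constructed, not real).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address

# Phrases that signal the "urgent task" framing and a money/credential ask.
URGENCY_PATTERNS = [r"\burgent\b", r"\basap\b", r"\bimmediately\b", r"\bright away\b"]
PAYMENT_PATTERNS = [r"\bgift cards?\b", r"\bwire\b", r"\binvoice\b", r"\bbank details\b"]

QUARANTINE_THRESHOLD = 3  # assumed policy: scores at or above this are held for review


@dataclass
class Message:
    from_header: str
    reply_to: Optional[str]
    subject: str
    body: str


def _domain(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a message; higher means more BEC-like."""
    score, reasons = 0, []
    display, addr = parseaddr(msg.from_header)

    # 1. Display-name impersonation: the name belongs to a known executive,
    #    but the actual address is not the one on file for them.
    genuine = EXECUTIVES.get(display.strip().lower())
    if genuine and addr.lower() != genuine:
        score += 3
        reasons.append(f"display name '{display}' used with non-directory address {addr}")

    # 2. Reply-To pointing somewhere other than the sender's own domain.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if _domain(reply_addr) != _domain(addr):
            score += 2
            reasons.append(f"reply-to domain {_domain(reply_addr)} differs from sender domain")

    # 3. Urgency framing and 4. payment/credential request in subject or body.
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        score += 1
        reasons.append("urgency phrasing")
    if any(re.search(p, text) for p in PAYMENT_PATTERNS):
        score += 1
        reasons.append("payment or credential request")
    return score, reasons


def triage(msg: Message) -> str:
    """Policy decision: 'quarantine' for review, otherwise 'deliver'."""
    score, _ = score_message(msg)
    return "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"


# Constructed sample messages (not real mail).
SUSPECT_MESSAGE = Message(
    from_header='"Jane Doe" <jane.doe@webmail-free.example>',
    reply_to=None,
    subject="Urgent task for you",
    body="I need you to buy gift cards asap and send me the codes. In a meeting, cannot talk.",
)
LEGIT_MESSAGE = Message(
    from_header='"Jane Doe" <jane.doe@example.com>',
    reply_to=None,
    subject="Q3 planning",
    body="Please review the attached agenda before Thursday.",
)

if __name__ == "__main__":
    for m in (SUSPECT_MESSAGE, LEGIT_MESSAGE):
        s, why = score_message(m)
        print(f"{triage(m):10} score={s} reasons={why}")
```

The point of the directory check is that it does not rely on the reader noticing the sender address: the CEO's name on an unfamiliar mailbox is flagged before the "urgent task" framing has a chance to work. In production this logic would sit alongside, not replace, SPF/DKIM/DMARC enforcement and a verified out-of-band callback process for any payment request.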
Narrative Fallacy – Similar to framing bias, narrative fallacy is a mainstay in a cyber criminal’s arsenal. Narrative fallacy occurs because we find a coherent story easier to accept than the facts behind it, even when acting on that story leads to a less desirable outcome. This is a bias that is commonly used on the phone. Social engineering experts know exactly how to frame a story to pressure you into making predetermined choices. This can include playing the sound of a crying baby in the background to guilt individuals into conforming to their wishes.
Understanding cognitive bias and using security awareness to cultivate a culture of trust
Notably, Princeton psychologist Emily Pronin observed that “individuals see the existence and operation of cognitive and motivational biases much more in others than in themselves.” Indeed, failing to recognise cognitive bias is a bias in itself, so let this be a lesson in self-reflection. Understanding that bias is a commonplace factor in daily life is the first step to overcoming it. The greatest weapon in the fight against cognitive bias, in business, on social media and specifically in cyber security, is observation and critical thought. Do not let your preconceptions, or what you would want to occur, cloud your judgement in the moment. This stoicism will not only help you in your daily life but also acts as the first line of defence against cyber criminals.
The best way to give employees the tools they need to succeed in an increasingly digitalised world is education. By equipping individuals with the tools and knowledge to combat their own bias, you can protect business operations and employee morale, and foster a culture of trust. An individual will only be able to avoid cognitive bias by knowing the inherent truth of the matter. This is not a lesson in punishment — everyone is vulnerable to cognitive bias — this is instead a lesson in awareness and trust. If you are confident that your team is doing everything in their power to limit the impact of cyber criminals by checking their own bias, then you can sleep soundly at night. After all, your employees are the first line of defence against a determined cyber criminal.