Understanding Action Bias in Cybersecurity 

In the book, “The Power of Moments,” the authors describe practicing as a way of preparing for possibly negative or confrontational moments, so people don’t react poorly. Why? “Practice quiets the anxiety that can cloud our mind in a tough moment. When we lack practice, our good intentions often falter,” write Chip Heath and Dan Heath.

That insight struck a chord when I read the book earlier this year, and it’s why I was excited when we booked Josiah Dykstra, Ph.D., the Director of Strategic Initiatives at Trail of Bits, for The Resilience Rundown podcast to discuss action bias and its impact on decision-making in cybersecurity incidents. 

Subscribe: Apple Podcasts | Spotify | YouTube

Understanding Action Bias

Action bias refers to the natural human inclination to take immediate action when faced with a threat or crisis. While this instinct can be helpful in certain situations, it also can lead to irrational decision-making and potentially worsen the problem at hand. In the context of cybersecurity, action bias can manifest in various ways, such as falling for phishing attacks that exploit the urgency to act or making hasty decisions during incident response.

Examples of Action Bias in Cybersecurity

One common example of action bias in cybersecurity is phishing incidents. Attackers often leverage urgency and fear to manipulate individuals into taking immediate action, such as clicking on malicious links or sharing sensitive information. Even cybersecurity professionals can fall victim to action bias, making impulsive decisions during a breach or incident response that may have unintended consequences.

When ‘Doing Nothing’ is a Good Thing

Dykstra discusses the concept of “doing nothing” as a strategic choice in certain cybersecurity situations. He uses the example of professional soccer goalkeepers in penalty shots to illustrate this point. Research has shown that goalkeepers who choose not to jump or make a move during a penalty shot have a higher chance of blocking the shot. This strategic decision may appear counterintuitive to spectators who expect the goalkeeper to take action, but it is based on careful analysis and preparation.

Mitigating the Negative Effects of Action Bias

To mitigate the negative effects of action bias in cybersecurity, organizations can adopt several strategies:

1. Preparation and rehearsal: Developing a comprehensive incident response plan and regularly rehearsing it can help teams respond effectively during a crisis. This preparation allows for strategic decision-making rather than impulsive reactions.

2. Patience and education: Recognizing that patience is a virtue in cybersecurity incidents is crucial. Educating stakeholders, including board members, shareholders, and executives, about the importance of strategic decision-making and the potential risks of hasty actions can help create a culture that values patience.

3. Slowing down: Slowing down does not mean delaying response time. Instead, it emphasizes the importance of conducting thorough preparation before an incident occurs. By investing time and effort into planning and training, organizations can ensure that their teams are equipped to make thoughtful decisions in real time.

Conclusion

Action bias is a common cognitive bias that affects decision-making in cybersecurity incidents. By understanding the potential pitfalls of impulsive actions and implementing strategies to mitigate action bias, organizations can improve their incident response capabilities and minimize the risk of exacerbating cybersecurity threats. To learn more about action bias and its impact on cybersecurity, listen to the full episode of the Resilience Rundown podcast featuring Josiah Dykstra. 

I highly recommend following Josiah on LinkedIn and consider reading his book, “Cybersecurity Myths and Misconceptions,” which delves into various biases and issues in the cybersecurity field.

More related posts

What You Can Learn From 1,000 IT and Security Leaders
backup-and-recovery

What You Can Learn From 1,000 IT and Security Leaders

Jul 1, 2024
View What You Can Learn From 1,000 IT and Security Leaders
Unveiling the 2024 Cyber Recovery Readiness Report
Cyber Resilience

Unveiling the 2024 Cyber Recovery Readiness Report

Jun 25, 2024
View Unveiling the 2024 Cyber Recovery Readiness Report