Understanding Theories and Biases to Better Inform Security Decisions

When security departments are working to get company buy-in for their tools and compliance investments, they often need all the help they can get. Preparing a security vision and garnering support from other departments in the company requires cross-functional collaboration, and a compelling business case for security investment is critical for a security department’s success.

Fortunately, there are a variety of risk management techniques and theories that can be evaluated to better inform and explain security decisions. 

Understanding these theories is a valuable way to develop a strong business case with legitimate data, ensure proper utilization of security tooling and reduce risk to a company’s bottom line. 

Loss Aversion Theory

The security function is no stranger to loss aversion theory. It holds that the pain of losing something is far more significant and palpable than the prospect of gaining something of equal value. In business, a company worries more about losses than about gains – put simply, we hate losing more than we love winning. 

This is one of the most widely used theories in the risk management domain – and for good reason. Employing it is an effective way to present data that will win support for security investment. Showing, in real dollar amounts, that a security threat could negatively impact the business and cause financial loss is a compelling technique when a security department needs backing for new initiatives or controls.

When preparing to ask for a financial investment, review security incident and data breach statistics (the annual Verizon Data Breach Investigations Report and the IBM Cost of a Data Breach report are useful resources). 

Identify the negative impact to your organization’s bottom line by pulling data points on security threats that have affected businesses similar to yours. Present this information to explain the risk to company operations if an incident occurs.

Normalcy Bias

Much of our time as security professionals is spent preparing for cyber incidents that have yet to happen. It can be difficult to articulate the business value of new hires or security investments when a risk, such as a significant data breach, has not come to fruition for an organization. 

Obtaining buy-in for security initiatives can often be an uphill battle, as security departments are requesting resources (both financial and human capital) for business risks that are often seen as mere ‘possibilities’ rather than legitimate events that will occur down the road. 

Normalcy bias is often at play here because organizations refuse to plan for a disaster or incident that has not yet occurred. Many businesses that fall victim to normalcy bias go on to suffer real security incidents and are critically impacted by data breaches. This cognitive bias means that an organization does not attempt to get ahead of a security or compliance disaster by making necessary investments or creating contingency plans. It is much easier for many businesses, especially those with significant red tape, to focus only on the status quo and not invest in security resources for a disaster that they cannot know with certainty will happen.

As security professionals, we know this line of thinking is dangerous: effective risk analysis takes into consideration the threats that may occur, not only the ones present at this very moment. If we allow an organization to fall victim to normalcy bias, we are doing it a disservice and failing our security obligations to protect data and to secure the services provided to paying customers.

An actionable way to avoid normalcy bias and obtain support for security investments is to provide the organization with real-world statistics on security incidents or data breaches that have hit your competitors or other organizations in your vertical. Come to the table with data when seeking security investment from your leadership team. Though the threat may not be affecting your organization just yet, you can counter normalcy bias by doing due diligence ahead of financial conversations and arriving with data showing that security incidents are a genuine probability that must be prepared for.

Parkinson’s Law of Triviality 

With the high volume of alerts and the prevalence of false positives produced by scanning tools or penetration tests, it is easy to get distracted by low-risk security issues. Security professionals often give excessive weight to vulnerabilities or environmental threats that are trivial in nature. This is known as Parkinson’s law of triviality, and it runs rampant in the security industry simply because new and emerging risks keep appearing. 

An actionable way to avoid this trap is to maintain only a small number of security tools. It is easy to feel motivated to buy many new scanners or alert detection programs, but appropriately tuning the tools you already own and reducing their noise is a more effective way to keep attention on what matters.

Pro-Innovation Bias

When you subscribe to security newsletters or cyber information outlets, it can seem that new security tools become available on an almost hourly basis. Innovation in the security and compliance landscape is important, but it can distract from taking real action to reduce threats. 

Pro-innovation bias occurs when a security team feels strong optimism and excitement about new and emerging security tools. This leads to the purchase of several new programs and subscriptions, and the team is then overwhelmed by the amount of installation and integration work required to use those tools effectively. 

As a result, pro-innovation bias does not reduce risk; it only raises the operating cost for the business. 

Pro-innovation bias – again – can be avoided by simply relying on tools already in your portfolio. Ensuring that these pre-existing security controls are operating correctly is the most effective way to reduce security risk in your business.

When you are constantly chasing and purchasing new tools, you rarely take concrete action to limit the number of threats infiltrating your organization. 

That is not to say it isn’t useful to purchase new security tooling. However, if a business constantly pursues new platforms and third-party offerings, little time is spent mitigating vulnerabilities.

Security is a critical business function that often does not get the attention or investment it deserves. Leveraging theories that apply to every business unit, including loss aversion and Parkinson’s law of triviality, is a compelling way to demonstrate the potential repercussions of a data breach or security incident, and so to better structure and ultimately mature your security and compliance arm.
