Forcepoint X-Labs Reveals How Cognitive Bias Leads to Reasoning Errors in Cybersecurity

New whitepaper highlights how human bias can impact decision making and business outcomes, offering unique guidance on overcoming bias through human understanding combined with advanced behavioral analytics

  

Dubai – Forcepoint X-Labs, the world’s first dedicated research division to combine deep security expertise with behavioral science research, has released a whitepaper: “Thinking about Thinking – Exploring Bias in Cybersecurity with Insights from Cognitive Science”. Authored by psychologist Dr Margaret Cunningham, the whitepaper examines six universal unconscious human biases and explores how a deeper understanding of cognitive science plus the application of advanced analytics can improve decision making in cybersecurity - for both the end user and the industry.

Global cybersecurity leader Forcepoint launched the X-Labs division in March 2019 with the remit of using data insights from the entire Forcepoint product portfolio and external research to drive innovation in modern, risk-adaptive security solutions. Forcepoint examines a wide range of bias in humans as well as data-driven analytics, with a goal of creating more flexible and effective cloud-first cybersecurity solutions appropriate for today’s intricate landscape.

Six Human Biases Skewing Security Strategies

The whitepaper, part of Forcepoint’s series on cognitive science in cybersecurity, covers six analytical biases in-depth, exploring aggregate bias, anchoring bias, availability bias, confirmation bias, the framing effect and the fundamental attribution error.

“We are all subject to cognitive bias and reasoning errors, which could impact decisions and business outcomes in cybersecurity,” said Dr Cunningham, Principal Research Scientist at Forcepoint. “However, an exceptional human trait is that we are able to think about thinking, thus can recognise and address these biases. By taking a different approach and avoiding those instances where automatic thinking does damage, we can improve decision making,”

“We regularly see business leaders influenced by external factors”, adds Nicolas Fischbach, global CTO at Forcepoint. “For example, if the news headlines are full of the latest privacy breach executed by foreign hackers, with dire warnings regarding outside attacks, people leading security programs tend to skew cybersecurity strategy and activity against external threats.”

This is availability bias in action, where an individual high-profile breach could cause enterprises to ignore or downplay the threats posed by malware, poor patching processes or the data-handling behavior of employees. Relying on what’s top of mind is a common human decision-making tool, but can lead to faulty conclusions. 

Confirmation bias also unconsciously plagues security professionals. When individuals are exploring a theory for a particular problem, they are highly susceptible to confirming their beliefs by only searching and finding support for their hunch. For example, an experienced security analyst may “decide” what happened prior to investigating a data breach, assuming it was a malicious employee due to previous events. Expertise and experience, while valuable, can be a weakness if people regularly investigate incidents in a way which only supports their existing belief. 

It’s not my fault, it’s PEBKAC

One social and psychological bias that impacts nearly every aspect of human behavior is the fundamental attribution error. Security professionals have been known to use the acronym PEBKAC, which stands for “Problem Exists Between Keyboard and Chair”. In other words, they blame the user for the security incident. Security engineers are not solely impacted by this bias, as end-users also blame poorly designed security environments for any incidents, or refuse to recognize their own risky behaviors.

Coping with fundamental attribution errors, and the self-serving bias, is not easy and requires personal insight and empathy. For supervisors and leaders, acknowledging imperfections/failures can help create a more resilient and dynamic culture. For those designing complex software architectures, it should be recognised that not all users’ motivations will be as highly security-focused as the designers of a system. Users’ failures are not because they are “stupid”, but because they’re human.   

Overcoming Bias with Applied Insight

The Forcepoint X-Labs whitepaper aims to assist business leaders and cybersecurity professionals alike by improving their understanding of biases. In this way, it becomes easier to identify and mitigate the impact of flawed reasoning and decision-making conventions. The industry’s efforts to build harmony between the best characteristics of humans and the best characteristics of technology to tackle cybersecurity challenges depend on understanding and overcoming bias.

At Forcepoint, the X-Labs team is currently building a deep understanding of human behavior into its risk-adaptive security solutions, with an end goal of improving business processes and outcomes, reducing friction and enabling the business to thrive and succeed.

Forcepoint Dynamic Data Protection has human-centric behavior-analytics at its core, and helps security professionals to deal with cognitive bias. The product computes and continuously updates a behavioral risk score against a baseline of “normal” behavior of each end-user, wherever and however that user is accessing the corporate network.

Forcepoint’s intelligent systems, informed by the individual risk assessment, then apply a range of security countermeasures to address the identified risk based on an organization’s appetite for risk. For example, Forcepoint Dynamic Data Protection can allow and monitor data access, allow access but encrypt downloads, or fully block access to sensitive files depending on the context of individual interactions with corporate data and the resulting risk score.

“People tend to make mistakes when there is too much information, complex information, or information linked to probabilities. By pairing behavioral analytics with security countermeasures, we can decrease bias,” concludes Dr Cunningham.

Announced in March, the second product in Forcepoint’s risk-adaptive portfolio Dynamic Edge Protection, will enable enterprises to transform their network and security architectures with seamless network and cloud connectivity to take full advantage of cloud services in a secure manner.

Take Action to Address Bias: Questions for Cybersecurity Professionals

Forcepoint advises that security professionals and business leaders take a few moments to walk through the six biases described in the whitepaper and ask these questions:

  • Do you or your colleagues make assumptions about individuals, but use group characteristics to form your assumptions?
  • Have you ever been hung up on a forensic detail that you struggled to move away from to identify a new strategy for exploration?
  • Has the recent news cycle swayed your company’s perception of current risks?
  • When you run into the same problem, over and over again, do you slow down to think about other possible solutions or answers?
  • When offered new services and products, do you assess the risk (and your risk tolerance) in a balanced way? From multiple perspectives?
  • And finally, does your team take steps to recognize your own responsibility for errors or for engaging in risky behaviors, and give credit to others who may have made an error due to environmental factors?

About Forcepoint

Forcepoint is the global human-centric cybersecurity company transforming the digital enterprise by continuously adapting security response to the dynamic risk posed by individual users and machines. The Forcepoint Human Point system delivers Risk-Adaptive Protection to continuously ensure trusted use of data and systems. Based in Austin, Texas, Forcepoint protects the human point for thousands of enterprise and government customers in more than 150 countries. www.forcepoint.com 

© Press Release 2019

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.

More From Press Releases