Most of the people I talk to about Cybersecurity ask me where I got my formal education in it. I tell them that everything I know about Cyber is self-taught. My degrees were actually in Ag Econ, from Purdue and SIUC, respectively. This was more or less applied economics, so I learned some things about consumer behavior and how consumers make their purchasing decisions, at least on a theoretical level.
So far, my formal education has not intersected with the work I do in Cybersecurity, even as a technical writer. That was until today, when I came across a very unique article that talks about a field called “Behavioral Economics”, and how it closely parallels Cyber in three unique areas.
But first, you might be asking what “Behavioral Economics” is. Well, it can be defined as follows:
“Behavioral economics combines elements of economics and psychology to understand how and why people behave the way they do in the real world. It differs from neoclassical economics, which assumes that most people have well-defined preferences and make well-informed, self-interested decisions based on those preferences.”
(SOURCE: https://news.uchicago.edu/explainer/what-is-behavioral-economics)
Simply put, the economic theory that I was taught assumes that humans make rational buying decisions, based upon the priorities in their needs and upon how much they can spend. Behavioral Economics takes the opposite stance, and hypothesizes that humans buy and act on impulse, with no regard to their budget.
So here is how it comes into play with Cybersecurity, in the three areas just mentioned:
1) Mental Accounting:
The economic argument here is that people value and spend money depending on the particular situation they are in. Take for example the CISO. He/She could be sitting down with their IT Security team today, trying to forecast the budget for 2024. They could have run various Risk Assessment models to substantiate the money they want. Now, they present this to the C-Suite. For one reason or another, the budget gets turned down on this basic premise: “Why spend for something that has not happened yet? The Risk based scenarios that you have presented to us are occurrences that might happen in the future. So why give extra money when nothing has happened in the present?”
2) The Error In Thinking - The Sunk Cost Fallacy:
It is of course prudent to try to forecast what future Cyber threat variants could possibly look like, and for the CISO to plan their defenses accordingly. But in this regard, it is all too human to stick to what has been forecasted rather than proactively engaging with what is happening today. Because of this, the reality of a negative Return On Investment (ROI) becomes even harsher: the projects currently in place fend off the predicted threats rather than the real ones that are actually happening today. Therefore, CISOs need to be much more dynamic in this aspect, and react to the sheer volume and frequency of the Cyberattacks happening today. In fact, research has shown that a new threat vector is now launched almost every 40 seconds.
3) The Issue of Availability Heuristics:
This area of Behavioral Economics makes the theoretical assumption that people will react to a given situation rather than going back to the facts and the numbers of the reality at hand. Here is an example of how it can relate to Cyber: Assume that John Doe receives an email, and assumes that it is safe because the sender is a known contact and the overall look of the email is the same as usual. As a result, no thought is ever given to whether this new email could actually be a Phishing based one. The chances are good that it could be, because all the Cyberattacker has to do is hijack the contact book and make the email look like the real thing. This is an area of Social Engineering that is being exploited to the maximum today by different hacking groups. In other words, people are so busy these days that they don’t take the time to smell the proverbial roses and evaluate a particular action that they are about to take.
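The lesson of the John Doe example is that a familiar display name is not evidence of a familiar sender. Here is an added Python example (not code from the original article) of the kind of check a mail filter or awareness tool can make instead of trusting the name: it parses the From and Reply-To headers of a message and compares the actual mailbox against a constructed address book. The contact list, the addresses and the three sample messages are all made up for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed address book for the example (display name -> mailbox the
# recipient actually knows); not data from the original article.
KNOWN_CONTACTS = {
    "jane smith": "jane.smith@example.com",
    "it helpdesk": "helpdesk@example.com",
}


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_warnings(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return a list of warnings for one RFC 5322 message.

    The sender is judged by the address in the header, not by the
    familiar-looking display name in front of it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    name_key = from_name.strip().lower()
    from_addr = from_addr.lower()
    expected = known_contacts.get(name_key)

    if expected is None:
        warnings.append("sender %r <%s> is not in the address book"
                        % (from_name, from_addr))
    elif from_addr != expected:
        # Familiar name on an unfamiliar mailbox: the "looks like the real
        # thing" case the article describes.
        warnings.append("display name %r is a known contact, but the address "
                        "is %s (expected %s)" % (from_name, from_addr, expected))

    # A Reply-To pointing somewhere else redirects the conversation away from
    # the mailbox the recipient thinks they are talking to.
    reply_to = str(msg.get("Reply-To", ""))
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != _domain(from_addr):
            warnings.append("Reply-To %s is on a different domain than From %s"
                            % (reply_addr, from_addr))
    return warnings


# Constructed sample messages (not from the original article).
GENUINE = ("From: Jane Smith <jane.smith@example.com>\n"
           "Subject: Lunch\n\nSee you at noon.\n")
LOOKALIKE = ("From: Jane Smith <jane.smith@examp1e.com>\n"
             "Subject: Invoice\n\nPlease see the attached notice.\n")
REDIRECTED = ("From: IT Helpdesk <helpdesk@example.com>\n"
              "Reply-To: support@mail-relay.invalid\n"
              "Subject: Account notice\n\nPlease see the attached notice.\n")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("redirected", REDIRECTED)):
        print(label, sender_warnings(raw) or ["no warnings"])
```

The genuine message produces no warnings; the look-alike message is flagged because the known name sits on a different mailbox; the third is flagged because its Reply-To leads to another domain. None of this replaces the recipient stopping to think, which is the article's point, but it turns "the sender is a known contact" into something that is actually checked.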
My Thoughts On This:
As much as people claim that they do research, rely on AI and ML, and try to think rationally before they make a decision, take this only at face value, at least when it comes to Cyber. The bottom line is that emotions and past experiences do rule here when reacting to something such as a security breach.
More research needs to be done in this area, and perhaps its findings could even be used in Security Awareness training programs for employees, stressing the importance of thinking as logically as possible.