The Danger of Action Bias: Is It Always Better to Act Quickly?

  /     /     /  
Publicated : 23/11/2024   Category : security


The Danger of Action Bias: Is It Always Better to Act Quickly?


Experts discuss the meaning of action bias and how it presents a threat to IT security leaders, practitioners, and users.



When a data breach hits, the best response is to act quickly and forcefully … right?
Not necessarily, experts say. The impulse for cybersecurity pros to have control over a situation is common — after all, you dont want to be the CISO who didnt act after learning about an attack — but hastily made decisions may do more harm than good or create a problem where one didnt exist.
Action bias, a subset of cognitive bias, describes the human tendency to favor action over inaction. This is the perceived urgency that tells you, Dont just stand there, do something! even when theres no evidence that action will be helpful. Cybersecurity practitioners, along with healthcare workers and air-traffic controllers, are among the professionals who face this bias on a regular basis.
There are a couple of reasons why action bias strikes, says Doug Hough, senior associate at the Johns Hopkins University Bloomberg School of Public Health. Sometimes the motivation is to show leadership or demonstrate value. Action bias also preempts second guessing. Perhaps you didnt do the right thing by acting, but at least you did something, as opposed to doing nothing.
In some cases, though, its better to take time in reacting to a situation rather than jumping in with both feet. Hough uses the example of a soccer goalie: Sometimes the best move for a goalie is to stand in the middle of a goal, not jump to one side or the other. What looks like inaction is a deliberate choice; the goalie is being strategic in waiting to see where the ball goes.
The same applies in the professional realm, where slowing down responses can lead to a better outcome. Sometimes its better to let issues and problems percolate a bit … and understand them enough, so that you can really attack the problems intelligently and efficiently, Hough explains.
Josiah Dykstra, technical fellow at the National Security Agencys Cybersecurity Collaboration Center, uses phishing as an example. An employee who receives a phishing email that demands they take action will feel compelled to act, whether that means clicking a malicious link or downloading an attackers attachment. The urgency they feel leads them to make the wrong choice.
When instead, if they slowed down and thought more carefully about what to do, they might not become a victim in the same way, he says. That impulse to get control shows up in all kinds of situations, whether we are users, cybersecurity defenders, or leaders.
Ransomware is one scenario in which these three groups act very differently, Dykstra continues. If an employees machine is infected with ransomware, their immediate reaction is to try and get their data back. They arent aware of the many security mechanisms put in place that were meant to stop this problem.
Defenders have a different view. They want to jump into action right away to figure out how this problem occurred so they can fix it. Those in security leadership have another reaction. From their perspective, the rational thing is to say, This can never happen again; we can never allow ransomware. Theyre willing to spend more money and allocate more budget to ensure there isnt a repeat attack.
From my perspective as a user or a cybersecurity defender, that seems kind of crazy; it seems like overkill, Dykstra says. But my view of the problem is quite different than the users or the executive leaderships.
The attitude of this can never happen again can make action bias worse, Hough adds. The business feels they have to do something — anything — to prevent another incident, and if/when that incident does happen, they feel the pressure to respond instantaneously. But without a process to address the situation, act fast could cause long-term damage to organizations and their employees.
Long-Term Effects & Proactive Steps
Just as it plays a role in responding to attacks, action bias plays a role in the stress, burnout, and mental fatigue affecting security practitioners, the experts say.
From a defenders perspective, the attacks never stop, says Dykstra. Organizations have set impossible goals, such as dont allow any bad things to happen, which puts continual pressure on employees to achieve goals that often cant be met. The buildup of these situations is contributing to stress that will continue to increase as the crises will never stop.
Hackers are incentivized to keep trying, he adds. They will keep coming over and over again, but we dont need to let that lead to burnout. We can help build resilience in the people, and resilience in the processes that we have in our organizations, so it isnt so stressful in those situations — they know what to do; theyve done it before.
Both Hough and Dykstra agree security teams can do more to prepare for attacks so the immediate reactive choices are more routine. Creating resilience in people and processes can lessen the stress when attacks hit and help employees, practitioners, and leaders act quickly with confidence.
They advise conducting tabletop exercises and red teaming to create and practice a routine for responding to an attack. Going through the exercise and building this process will help identify who must be in the room to solve certain problems, what everyones individual roles will be, and how they will work together to react to a crisis. The idea is not to sit still and let bad situations unfold but to give the situation forethought and prepare to respond more appropriately.
In a sense, youre developing a process, not an answer, Hough says. Its not that youll develop the answer when every single thing comes along, but you have a structure of how you should proceed, which would then enable you to avoid, or at least ameliorate, action bias.
Hough and Dykstra will discuss the effects of action bias, its effect on the cybersecurity industry, and how to address it in an upcoming Black Hat talk entitled
Action Bias and the Two Most Dangerous Words in Cybersecurity.


Last News

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security

▸ Making use of a homemade Android army ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
The Danger of Action Bias: Is It Always Better to Act Quickly?