Cognitive Biases In Cyber Decision-Making

PROCEEDINGS OF THE 13TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2018) (2018)

Abstract
As the number of advanced persistent threat (APT) incidents grows, incident response and threat monitoring become increasingly important. However, while organizations like SANS and ISO have made efforts to standardize the incident response process, the facts that nearly 50% of victims learned of breaches through a third party last year and that the median dwell time of attackers inside networks is 99 days demonstrate that incident response still shows poor outcomes. This paper aims at improving the incident response process by studying how cognitive biases can affect decision-making in the cyber realm. Notably, we will discuss how the base rate fallacy leads to a higher rate of false positive assertions. We will show how, in turn, this high number of false positives can cause a confirmation bias, reinforced by incentives to avoid thoroughly investigating leads. Finally, we will discuss hindsight bias, which can further taint the effectiveness of the incident analysis process, especially when results are difficult to observe. This paper argues that these cognitive biases negatively influence the performance of cyber incident response in a manner that is similar to how they have affected the performance of intelligence analysis in the past. As such, the paper proposes the adoption of solutions that emerged from the intelligence sector to address these problems, in particular the use of contrarian analysis techniques and structured analysis techniques. In exploring contrarian analysis techniques, we discuss the devil's advocate process, in which another analyst must argue the opposite view with the same evidence, and show how it can combat these biases. For structured analysis techniques, we discuss the competing hypothesis technique, in which the analyst must attempt to refute his own hypothesis, which is only confirmed if he fails to refute it. We discuss how such structured analysis can not only combat cognitive biases, but also guide further investigations by identifying evidence that would unequivocally disprove hypotheses. The paper will also point out how rearranging incentives can promote the detection of threats. This will be illustrated by discussing the current trend to staff so-called threat hunting positions, which are biased toward acknowledging the presence of threats, and whose performance is evaluated based on the number of threats they find rather than on the absence of observable incidents.
Keywords
decision theory, cognitive bias, cyber incident response