Why are we so hard to convince?

confirmation bias

Do you recognize the feeling that you get an idea, and suddenly all your SoMe and news channels are filled with that subject? It was never there before, and suddenly, it shows up when you begin feeling an interest in the matter.

Even though you know about AI and the impressive algorithms running your SoMe, you can get quite superstitious, checking whether Siri is shut off and asking friends whether you are becoming paranoid.

Well, you are correct, but it’s just not the algorithm of the system messing with you; it is the algorithms of your brain.
First of all, your availability bias makes you notice things that are more present, and then your confirmation bias makes you see the things confirming what you already suspect to be true.

An example is that your political preference determines the arguments you find compelling. If you have a positive emotional attitude to such things as irradiated food, red meat, and nuclear power, your confirmation bias drives your beliefs about the benefits and risks of these things. Conversely, if you dislike these things, you probably believe that their risks are high and their benefits and joy aren’t worth it.

If you have kids or know someone who does, another example is the myth of the sugar craze.
Time and time again, we have heard about kids getting crazy and acting wild when they have had too much sugary stuff.
If I now tell you that this is, in fact, proven time and time again not to be the case, your brain probably makes you say, “No way,” or “I actually have kids who prove you wrong!”
This is what the parents of kids participating in a study did. They reported their kids acting out after a party when told they had had lots of sugar, even though they had had none. The parents were expecting a sugar high and, observing the kids, perceived their behavior as such, even though it was no different than usual.

Confirmation bias is our subconscious brains’ “go-to algorithm” for filtering irrelevant information. Remember those 40 bits of information being processed per second by the conscious brain? This means that a lot of information must be filtered out and that what passes the filters must be of value for us to spend our energy on it. It doesn’t get through if it doesn’t fit into our mold. This is why changing someone else's mind can sometimes be challenging, even though you have all the correct arguments. Their subconscious brain simply filters them out.

This is the reason you can experience something together with another person and then remember the situation from two different perspectives. For example, you watch a soccer game with a supporter of the opposing team, who remembers all the important situations differently from you.

To sum it up, there are 4 ways your confirmation bias messes with you:

  1. Makes you not seek out the objective facts
  2. Interprets information to support your existing beliefs
  3. Only remembers details that uphold your existing beliefs
  4. Ignores information that goes against your existing beliefs

So, how does this affect us when looking through the information security lens?

First of all, it is easy to understand how confirmation bias may help us notice the most present security incidents, filling our news and OSINT tools.
Thinking about the WYSIATI effect (What You See Is All There Is; more on this in a soon-to-be-ready blog post), this could potentially cause cracks in your attack surface, because you simply forget or underprioritize the incidents which are not as present in your awareness as the highlighted ones.

It is easy to see the newest zero-day and forget the general need for housekeeping. Still, statistics show that those hit by a cyber attack are often struck by an old vulnerability being exploited, which could have been fixed ages ago.

When you work with risk reporting, it can be really hard to persuade your peers about the likelihood of a risk occurring if they believe your protection to be sufficient. Their availability bias will simply tell them there is nothing to worry about, and their confirmation bias will underline it.

The same applies to your colleagues' risk perception when you work with security awareness.
If you never disclose the attacks on your organization or its security incidents, they will believe nothing happened and act accordingly. Their subconscious brains won’t spend energy worrying if their availability bias supports their belief.

Here are a few examples of how to overcome this:

  • Use reports such as Verizon’s breach reports and other statistics to ensure you understand incidents occurring in organizations like yours. Use this knowledge as your reference class when creating your risk register and updating your likelihood estimates.
  • Communicate openly about the security incidents that happen, as this will help the risk perception of your colleagues in the organization.
  • Use your knowledge of availability and confirmation bias, and make sure to frequently create posts or messages on security matters to keep them present in your colleagues’ subconscious brains.
  • When prioritizing your security awareness efforts, first prioritize those peers who already believe in the danger or risk.
    Those who don’t believe in the risks will be very hard to convince, as their brains only notice the data supporting their beliefs.
