Confident much?

88% of Swedes believe they drive a car better than average. 90% of American lecturers believe they teach better than average, and 82% of French men think they're better lovers than the average Frenchman. Science has shown several times that we average people do not see ourselves as average but constantly overestimate ourselves and our abilities relative to others. We humans carry a strong bias called overconfidence bias: we believe that we are better and more rational than others. Therefore, we also tend to overestimate our abilities, how long things will take, and our options for action, which can be dangerous.

Overconfidence and misjudgments are unusually critical in information security. Therefore, this blog post is possibly one of the most important ones for those who work with hardcore information security.

For example, if you sit at the table when risk assessments are made, it pays to know about overconfidence bias. Yes, your organization is just as likely to be hit by a hacker attack as your peers, but no, you are not necessarily better at handling the situation than everyone else would be!

Overconfidence is also a factor you must consider in your contingency plans. Think about how your plan can compensate for the instinctive belief that you will be "oh so rational" and deliberate when you actually find yourself in that situation.

Overconfidence bias matters a great deal for those who work with security awareness; it is dangerous for you, for your target groups, and for your organization. It contributes to you overestimating your ability to communicate, to your workshop participants overestimating their ability to avoid phishing emails, and to your management overestimating your organization's security posture and not investing sufficiently.

It can also be dangerous and cause you to miss a vital threat scenario, because "it won't happen to us!" sets in when assessing probability and consequence in a risk evaluation. Looking back over the last few years and seeing that nothing has been noticed only reinforces this feeling. Add the overconfidence bias on top, and you suddenly understand why working with risk management can be so hard.

And what does that do to the recipient's ability to receive your message? They also have that "it's not happening to me" attitude... until it does.

Could you imagine a situation where your colleagues in the organization overestimate their ability to recognize a phishing email, keep an eye on outsiders, and come up with sound, complex passwords? If everyone overestimates their ability to work safely and thinks, "I don't have access to anything critical anyway," maybe no one sees themselves as the target group. Then you end up preaching to the choir, because the rest aren't listening.

Then how do you fight this hidden opponent?

Overconfidence bias is one of the hardest to counter when working with security, both because it affects our colleagues and peers so significantly and, above all, because it affects us.

One commonly used measure is the internal phishing campaign. When people miss the hints and click the link, the learning moment follows immediately. This is a clever way of overcoming the overconfidence bias, because it is hard to argue that you were above average when you did miss the hints. Even an overconfident mind has a hard time explaining that away.
This solution also plays on another bias besides the overconfidence bias, as it provides feedback at just the right time. The learning that follows can be a very simple "Oops, you clicked?" or a simple picture showing the phishing email with arrows pointing out what you should have been aware of.
Overall, it is a widely used and relatively effective way to draw attention to the phishing threat and an excellent attempt to help the target audience see their own fallibility.

This approach helps you overcome overconfidence bias, but be very aware of your tone of voice and be careful not to sound too cheery or overbearing. You can read more about why in the post about mirror neurons, but very briefly: the feeling of having made a mistake and being stupid is probably not exactly the impression you want to leave on your target audience.

Unfortunately, I have not found the golden solution to working with overconfidence bias in security awareness. However, when it comes to risk assessments and contingency plans, checklists and reviewing previous incidents are a safe bet to start with.

Regarding risk management, looking at your peers and relying on actual data is critical to overcoming the overconfidence bias. No organization is an island, and the chances that you are above average are small (if you disagree, please re-read this blog post).
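The two ideas above, letting an internal phishing campaign confront people with their own fallibility and relying on actual data rather than self-assessment, can be combined into one measurement. The script below is an added example, not code from the original post or from any particular awareness tool. It assumes a constructed dataset: before the campaign each employee rated their own ability to spot phishing on a 1-5 scale (3 being "average"), and after the campaign each pseudonymous id is marked with whether they clicked the simulated link. The ids, ratings and click outcomes are all made up for illustration.

```python
"""Measure overconfidence with data from an internal phishing campaign.

Added example, not code from the original post. Inputs are constructed:
a pre-campaign self-assessment (1-5, 3 = "about average") and the click
outcome from a simulated phishing e-mail, keyed by a pseudonymous id.
"""
from collections import namedtuple

Employee = namedtuple("Employee", ["uid", "self_rating", "clicked"])

# Constructed sample data: (pseudonymous id, self-rating 1-5, clicked the link?)
SAMPLE = [
    Employee("u01", 5, True),
    Employee("u02", 4, True),
    Employee("u03", 4, False),
    Employee("u04", 5, True),
    Employee("u05", 4, False),
    Employee("u06", 3, False),
    Employee("u07", 2, False),
    Employee("u08", 4, True),
    Employee("u09", 5, True),
    Employee("u10", 3, True),
]

MIDPOINT = 3  # the "average" point on the 1-5 self-assessment scale


def share_above_average(rows):
    """Fraction of people who rated themselves above average.

    Not everyone can be above average, so a value well over 0.5 is the
    overconfidence signal the post describes (88% of Swedes and their driving).
    """
    return sum(1 for r in rows if r.self_rating > MIDPOINT) / len(rows)


def click_rate(rows):
    """Share of the given people who clicked; 0.0 for an empty group."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r.clicked) / len(rows)


def click_rates_by_confidence(rows):
    """Compare actual click rates of the self-confident group with the rest.

    If confidence predicted skill, the confident group would click less.
    """
    confident = [r for r in rows if r.self_rating > MIDPOINT]
    others = [r for r in rows if r.self_rating <= MIDPOINT]
    return {"confident": click_rate(confident), "not_confident": click_rate(others)}


def feedback_priority(rows):
    """Ids of people who rated themselves above average and still clicked.

    This is the group where the timely "Oops, you clicked?" feedback does
    the most to puncture the "it won't happen to me" feeling.
    """
    return sorted(r.uid for r in rows if r.self_rating > MIDPOINT and r.clicked)


def summarize(rows):
    """Aggregate numbers suitable for a report; no individual is named."""
    rates = click_rates_by_confidence(rows)
    return {
        "participants": len(rows),
        "share_rating_themselves_above_average": round(share_above_average(rows), 2),
        "click_rate_confident": round(rates["confident"], 2),
        "click_rate_not_confident": round(rates["not_confident"], 2),
        "overconfident_clickers": len(feedback_priority(rows)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

In the constructed sample, 70% rate themselves above average, yet the confident group clicks more often (5 of 7) than the rest (1 of 3). The point of the aggregate `summarize` output is that it gives management the kind of actual data the post asks for without turning the campaign into a list of names, which keeps the tone of the follow-up feedback in line with the advice above.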
