9 tweets, 2 min read
Thread on cognitive biases in cybersecurity I've noticed:

Maginot Line: you got breached by an impersonation attack, so you go buy an anti-impersonation solution and assume you're much safer. Sort of like checking people's shoes at the airport.
Survivorship/reporting bias: You treat statistics on breaches that have been reported publicly as representative of the threat landscape, when the most successful breaches go undetected.
Just-world bias / moral luck bias: you believe org X's security failings are uniquely terrible because they got publicly breached, even while other orgs with similar postures (including yours) haven't been breached, simply due to luck.
Cheap signaling susceptibility: a security vendor has a great marketing/sales department but a terrible product. Due to lack of good benchmarks and measures of quality, you're biased towards buying their product purely on the basis of these signals.
Bandwagon effect: Everyone's buying X (partly due to survivorship bias in threat landscape reporting, Maginot Line bias, and cheap signaling susceptibility), so you're biased towards buying X.
Neglect of probability / neglect of realistic threat models: A threat researcher does a PoC of a virtuosic attack against thermostats at a conference. You have your team dedicate outsized energy to investigating IoT security at the cost of patching your desktops.
Base rate fallacy: You think because your memory scanning Yara rule got 1 false positive on your false positive test set of 500, you can go use your Yara rule to hunt for threats on your enterprise network, where it'll produce millions of false positives.
Simpson's paradox: a threat vector X is observed to fail more often in the field than threat vector Y, therefore it's less dangerous, when actually threat vector X tends to get used against harder targets, and is much more efficacious than Y when controlling for target hardness.
"Anecdote/grapevine bias": Lots of your friends in DFIR, security product development, and at conferences have been saying that mobile is the next major attack surface. You have no data (survey, telemetry, FBI, ...) showing this, but treat it as an operational fact.
Thread by Joshua Saxe
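A worked version of the base-rate point in the thread, added here as an example that is not part of the original tweets: it turns the "1 false positive on a 500-sample clean set" lab result into a deployment projection, including a one-sided 95% upper bound on the rule's true false-positive rate (a sample of 500 cannot distinguish 1-in-500 from roughly 1-in-100). The daily scan volume and the number of genuine detections per day are constructed figures.

```python
from math import ceil, comb, log


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k hits."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def fpr_upper_bound(fp_hits: int, test_size: int, confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the true false-positive rate.

    Largest rate p for which seeing <= fp_hits among test_size clean samples is
    still plausible, i.e. P(X <= fp_hits | p) = 1 - confidence. Bisection works
    because the CDF is monotone decreasing in p.
    """
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 60 halvings: far finer than any rate we care about
        mid = (lo + hi) / 2
        if binom_cdf(fp_hits, test_size, mid) > 1 - confidence:
            lo = mid  # still plausible: the true rate may be even higher
        else:
            hi = mid
    return hi


def clean_samples_needed(target_fpr: float, confidence: float = 0.95) -> int:
    """Clean samples a rule must pass with ZERO hits to bound its FPR at target_fpr."""
    return ceil(log(1 - confidence) / log(1 - target_fpr))


def deployment_projection(fp_hits: int, test_size: int,
                          scans_per_day: int, true_hits_per_day: float) -> dict:
    """Project a lab false-positive count onto daily enterprise scan volume."""
    fp_point = fp_hits * scans_per_day / test_size
    upper = fpr_upper_bound(fp_hits, test_size)
    return {
        "fpr_point": fp_hits / test_size,
        "fpr_upper95": upper,
        "expected_fp_per_day": fp_point,
        "worst_case_fp_per_day": upper * scans_per_day,
        # precision: share of alerts that are real, using the point estimate
        "precision": true_hits_per_day / (true_hits_per_day + fp_point),
    }


if __name__ == "__main__":
    # Constructed figures: 1 hit on a 500-sample clean set (as in the thread),
    # 10,000 hosts x 200 scanned processes per day, ~5 genuine detections per day.
    r = deployment_projection(fp_hits=1, test_size=500,
                              scans_per_day=10_000 * 200, true_hits_per_day=5)
    for key, value in r.items():
        print(f"{key:>22}: {value:,.4f}")
    print("clean samples for FPR <= 1e-5 at 95%:", clean_samples_needed(1e-5))
```

The last line answers the practical question the thread raises: a rule that is to be trusted at roughly one false alert per 100,000 scans needs a clean test set of about 300,000 samples with zero hits, not 500 with one.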