Today, corporations routinely pay too little attention to new sources of competition, new growth products, the pace of the market, digital investment, AI and the like, until it is too late to respond. Some business strategists and risk professionals call this disconnect between the warranted response and the actual response a “confidence bubble.”
Cyber security is no exception, however much media attention and loose use the term attracts these days.
Anatomy of a Confidence Bubble: An Application Security Perspective (SAP Security / Open Source Software)
What can make so many stakeholders across so many industries respond inadequately to application security threats? The term “confidence bubble” can imply an emotional misapprehension: excess confidence bordering on arrogance. But given how widespread the phenomenon is, the explanation is more likely to be found in human nature than in the particular personalities of contributors, managers and executives. Here are some of the forces that may be creating blind spots in your organization:
Misaligned Incentives. The incentives within an organization may disfavor identifying and reporting threats. For instance, if the organization offers incentives for shipping product on time, individual contributors may feel pressured to hold back information that will result in missing delivery deadlines. Similarly, if the leadership of an organization is especially vocal about cost control, a contributor may fail to escalate a threat that would require additional expenditure to mitigate.
Addressing a threat early could be far less costly to the organization than addressing it after the damage is done. But in the latter case, the blame is diluted over the entire organization.
In the case of escalation by a subordinate, the subordinate is likely to shoulder a disproportionate amount of the blame. No one wants to be the messenger who gets shot.
Automation Bias. People have a documented tendency to trust machines and automated decision aids and to ignore or underuse outside information, even when that information is contradictory and correct. But automated systems can only consume the inputs they were built to consume, and so they can leave their users oblivious to threats outside those inputs. For example, a company's IT staff may have a dashboard aggregating data from virus scanners, network traffic analysis, authentication system logs and other sources.
But if that dashboard does not measure another attack vector, such as known vulnerabilities in application components (third-party and open source libraries, for instance), then its users will have a level of confidence that does NOT correspond to their actual exposure. The blind spot is not in the data the dashboard shows; it is in the vector the dashboard never measures.
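As an added example (not part of the original post), the following Python script does two things the paragraph above only describes: it checks which attack vectors a dashboard's configured sources actually cover, and it measures the missing vector by matching a dependency manifest against an advisory list. Every package name, version, advisory identifier and source name here is constructed for illustration; the advisory feed is a stand-in for a real vulnerability database, and the manifest format (one `name==version` per line) is assumed.

```python
"""Added example, not code from the original post or any vendor.

Two checks a dashboard owner can run offline:
  1. uncovered_vectors(): which attack vectors have no telemetry source behind them.
  2. find_vulnerable(): the missing measurement, i.e. known-vulnerable application
     components, found by matching a dependency manifest against an advisory list.

All names, versions and advisory identifiers below are CONSTRUCTED for
illustration; they do not refer to real packages or real advisories.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.

    A plain string comparison would wrongly rank '1.9.0' above '1.10.2'.
    Assumes dotted numeric versions only (no pre-release suffixes).
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE/GHSA id
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed advisory feed (stand-in for a real vulnerability database).
ADVISORIES = [
    Advisory("EX-2024-0001", "jsonparse", "1.0.0", "1.4.2"),
    Advisory("EX-2024-0002", "httpclient", "2.0.0", "2.3.0"),
    Advisory("EX-2024-0003", "templater", "0.9.0", "1.0.0"),
]

# Constructed dependency manifest, one 'name==version' per line (assumed format).
MANIFEST = """\
# application dependencies (constructed sample)
jsonparse==1.3.7
httpclient==2.3.0
templater==0.9.5
crypto-utils==4.1.0
"""


def parse_manifest(text: str) -> dict:
    """Map lower-cased package name -> pinned version, skipping blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps: dict, advisories) -> list:
    """Return sorted (package, version, advisory_id) for every affected dependency."""
    hits = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and adv.affects(version):
            hits.append((adv.package, version, adv.advisory_id))
    return sorted(hits)


# Constructed view of what the dashboard in the text aggregates, and which
# attack vector each telemetry source is meant to measure.
DASHBOARD_SOURCES = {"antivirus", "network_traffic", "auth_logs"}
VECTOR_TO_SOURCE = {
    "malware_on_endpoints": "antivirus",
    "lateral_movement": "network_traffic",
    "credential_abuse": "auth_logs",
    "vulnerable_app_components": "dependency_scan",   # nobody feeds this in
}


def uncovered_vectors(sources: set, mapping: dict) -> list:
    """Attack vectors whose measuring source is absent from the dashboard."""
    return sorted(vector for vector, src in mapping.items() if src not in sources)


if __name__ == "__main__":
    print("Dashboard blind spots:", uncovered_vectors(DASHBOARD_SOURCES, VECTOR_TO_SOURCE))
    for pkg, ver, adv in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv}")
```

Note the boundary case: `httpclient==2.3.0` is exactly the first fixed version, so it is correctly reported clean, while `jsonparse` and `templater` sit inside their affected ranges and are flagged. In practice the advisory list would come from a real database and the manifest from the build, but the shape of the check is the same: the dashboard cannot report on a vector that nothing measures.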
Similarly, business intelligence systems and dashboards used to make and support management decisions are, by their very nature, backward‑looking. They provide analysis and inference based only on past data. Because these systems are reactive rather than proactive, instinctive over-reliance on them can create blind spots when anticipating future threats.
Cognitive Dissonance. People are biased toward avoiding information that contradicts their established beliefs. So even if threat information reaches a stakeholder despite the obstacles above, that stakeholder is more likely to find an “excuse” to dismiss it than to change their beliefs.
Burst Your Confidence Bubble – Don’t Get Blindsided
Confidence bubbles need to be cured and prevented proactively. Here are a few questions leaders at every level should frequently ask:
- Have I communicated recently and frequently that I want to hear bad news as soon as possible? Is everyone on my team aware that I will thank, not blame, the messenger? Have I demonstrated to my team that I am eager to constructively address problems once brought to my attention?
- What are my current tools and metrics not telling me? What are the threat vectors that we are not currently considering and measuring? How can we measure them?
- What are my current beliefs about our threat readiness? What concrete steps will I take when presented with information that contradicts those beliefs?
We can help you with a cyber readiness assessment / application security check (SAP / PeopleSoft / Open Source Software) @DeltaGRiC
Adapted from “Why People and Businesses Get Blindsided by Threats.”