Here’s the moral of the story upfront: cybersecurity professionals, CISOs included, can be victims of cybercrime, even when a phishing message is easy to spot. At the recent Global Anti-Scam Alliance convention in Portugal, attended by Aware Force CEO Richard Warner, organizers emailed participants the evening before the event.
“We’re celebrating your arrival! Click here to attend the free reception tonight. Just fill in the form with your personal information, and we’ll register you!” Many of the attendees complied. After all, who can refuse free food and drinks?
But the phish was a test. (Sorry, no free food.) The test results show why it’s so difficult to change employee behavior.
Cybersecurity professionals work under a lot of pressure.
They’re charged with ensuring that every gap in the organization’s attack surface is covered: that all personnel are trained and ready to act, that there is a contingency plan for everything, that patches are applied and software is up to date across the organization, and, in some cases, that physical security is handled too.
Because CISOs must be sure they’re aware of every risk, they can also become overconfident, creating blind spots that lead them to miss risks they should recognize and address. Psychologists say this makes it more likely that an individual will overlook the obvious while searching for the complex.
This is a cognitive bias. You could call it the “this will never happen to me” syndrome.
One study (1), published in the journal Organizational Behavior and Human Decision Processes, found that these blind spots can lead to a number of negative consequences, including:
Another study (2) finds that blind spots are a particular problem for leaders, leading to reduced employee morale and poor decision-making.
Here are three examples of cognitive bias involving C-Level cybersecurity executives:
In 2013, Target suffered a massive data breach that exposed the payment card data and personal information of tens of millions of customers. The attackers stole the network credentials of an HVAC vendor and used them to get into Target’s vendor-facing systems; because Target’s internal network was not properly segmented, they moved from there to the point-of-sale environment. Target had no CISO at the time, and nobody had recognized the risk that third-party access posed. The cost to Target: roughly $200 million.
The Marriott data breach exposed the personal information of hundreds of millions of guests (first announced as up to 500 million, later revised to roughly 383 million). The compromised system was the Starwood guest reservation database, which attackers had broken into in 2014, two years before Marriott acquired Starwood. The attackers installed a remote-access trojan and credential-harvesting tools and went undetected for four years, through the acquisition, until September 2018.
The risk was inherited rather than created: Marriott took over Starwood’s network without discovering the intrusion already inside it. Regulators later faulted Marriott for not doing adequate security due diligence on the systems it acquired.
Marriott’s security leadership was criticized for that. But like the Equifax breach disclosed a year earlier, where a patch for a known Apache Struts vulnerability had been available for two months and was never confirmed as applied to the exposed system, the failure was one of process and assumption rather than of a single person.
The Under Armour data breach, disclosed in 2018, exposed the usernames, email addresses, and hashed passwords of about 150 million users of its MyFitnessPal app. Under Armour did not disclose how the attackers got in.
What drew criticism was the password handling: most passwords had been hashed with bcrypt, but a portion were protected only with SHA-1, which is far easier to crack. Not every account was as well protected as the company assumed.
At the age of 26, I had climbed the ranks of a big metallurgical contractor spanning over 11 thousand employees worldwide and reached a leadership position. I had a team of about 30 under my supervision.
My superior at the time, and dare I say mentor, quickly taught me one important lesson: a leadership position is one of loneliness and seclusion.
You’re squashed between two forces. On one side, you must ensure the people you’re responsible for have everything they need to work safely, protecting themselves, their colleagues, and the company’s assets. On the other, upper management is pressuring you for results and KPIs. Eventually, one may get in the way of the other.
Some of my colleagues call it the solitude of the leader.
CISOs, and cybersecurity professionals in general, are no strangers to this concept: they are in a position where many interests collide, pressure is high, and one mistake can potentially cause massive losses in value and reputation to a company.
One notable example is the Equifax breach: a patch for a known, actively exploited vulnerability in Apache Struts had been available for two months before the intrusion began, but the organization never confirmed it had been applied to the exposed system. Whatever the pressures on the people responsible, the result was one of the costliest breaches on record.
The first step to overcoming bias is to recognize that it exists. Recognizing a bias can be challenging, as our biases often operate unconsciously. However, some tips for leaving your biases behind include challenging your assumptions, being open to feedback, and being willing to change your mind.
It is crucial to seek out different perspectives. Being able to share and delegate enhances the results you deliver.
Consider bringing in partners who add to your awareness efforts.
We do this at Aware Force. Our team picks up where your cybersecurity training leaves off.
We deliver timely, relevant content year-round — branded and tailored for your organization, reinforcing your team’s role as subject-matter experts. Aware Force’s content is easy to use and ready to integrate with your existing cybersecurity programs.
It’s ideal for intranets, websites, internal social media, and your onboarding program.
We’re standing by to show you genuinely innovative ways organizations use Aware Force to engage their employees. (And the employees let executives know how much it’s appreciated!)
1 - Smith, J. E., & Hantula, D. A. (2002). Blind spots in management: When incompetence goes undetected. Organizational Behavior and Human Decision Processes, 88(2), 182-201.
2 - Hambrick, D. C., & Crozier, R. D. (1987). Cultural leadership: The behavior and values of top executives in six countries. Administrative Science Quarterly, 32(1), 207-231.