
Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work

by CEO on Jul 22, 2013

However, what’s interesting is that the CISOs we spoke with say neither of these approaches
effectively solves the problem. Quantitative risk analysis isn’t the end-all, be-all. Just because a
risk is scored at 98 out of 100 doesn’t mean it will be remediated. Besides cost, the business
significantly influences the decision of whether to spend money. And most surprising to us, in
the end, many CISOs told us they ignore all their own data, vendor input and pundit whitepapers
and make a gut decision.

Let’s be clear: Gut decisions are not useful. Very often they’re based on a confirmation bias, also
called confirmatory or “my side” bias. That’s the tendency for people to favor information that
confirms their preconceptions or hypotheses, regardless of whether the information is true. If
you have a confirmation bias that laptop theft is the largest concern, whether it is or not, you
will find a way to get disk encryption to be the highest-priority project.

Avoiding confirmation bias can be difficult. The first step is to realize that we’re all prone to it.
If you have a tendency to collect a lot of information and then ignore it, or always find yourself
debating the rest of the organization on which threats are most imminent, you may be more
susceptible than average. Try this exercise: Ask your peers to honestly assess whether they think
you frequently make decisions based on gut instinct. Listen to what they say, and understand
that it’s almost impossible to build trust with an information source—such as your risk
assessment team—if you have this tendency.
