Why Action Bias Is Damaging Your Cyber Security Response (And How To Fix it)

When disaster strikes, the natural reaction is to spring into action, attempting to remedy and fix exactly what’s gone wrong. While speed can be a useful aspect when it comes to cyber security, this knee-jerk reaction can also cause more harm than good, especially if hackers and data breaches are involved.

Researcher Douglas Hough from John Hopkins University and Josiah Dykstra from the National Security Agency came together to explore the effects of action bias in the world of cyber security. Their results exposed the fact that, although action bias is a common response, in many circumstances, action is the wrong course to take

In this article, we’ll be exploring the world of action bias, demonstrating exactly how it comes into cyber security, the negative impacts, and how you can create a better response culture in your business. 

Let’s get right into it!

What is Action Bias?

Action bias is a human tendency that launches people into action. Instead of inactivity, humans prefer to do something, often launching into a response even if there is little evidence of what that response should be or if it will be effective. 

While this is a cognitive bias, it’s most commonly associated with career fields in which a rapid response might not always be the best approach. From cybersecurity professionals to doctors and even fight controllers, there are a range of fields where action bias is a daily occurrence. 

Rapid responses can work fantastically and keep things running smoothly. Equally, if the response is ill-founded, then a moment of second-guessing could have prevented an even larger disaster from occurring. While the field of medicine pretty much always needs a fast response, the world of cybersecurity luckily has room for thinking before acting, meaning that action isn’t always the first path you should take. 

Why is action bias negative when it comes to cybersecurity?

Responding too quickly to any situation is a dangerous game, often leading to wrong decisions due to its hasty nature. Without time to think about the logical plan of action, even cyber security experts can rapidly make a fatal error and cost their company a huge sum of money. 

Let’s look at some classic examples of where action bias can be fatal when it comes to cyber security:

  • Phishing Emails – When an email lands in your inbox or a text arrives from a number you don’t recognise telling you that you need to take action right away to secure a system, you probably spring into action and direct yourself to the links included in the message. While this may just be one of your cyber security tools updating you, it could also be a phishing email or text, with your hasty response overriding the checking of the email address and the links or attachments it includes or double checking whether you’re familiar with the number. With phishing being responsible for over 90% of data breaches, this occurrence is a lot more common than you’d think. Prevention is always an effective tactic when it comes to phishing, as by using comprehensive email scanning tools, like the Check Point API, you’ll be able to stop the vast majority of phishing emails from even arriving in your inbox. Equally, Check Point’s MTD service offers the same coverage for text messages, providing this general entry point and covering even more of your bases. With this, you’ve instantly decreased the threat, preventing your employees from ever having to deal with the risk of their own action impulses.
  • Responding to Ransomware – The CEO of Colonial Pipeline, James Blount, paid $4.4 million to a hacker group after they said they had taken over his company’s systems. This rapid response was triggered by James wanting to regain access to his platforms and protect the company’s data. Just a few hours after he made the payment, his security team realized that they’d had total control over their systems the whole time, with the hacker group never having actually penetrated their system. His fast response was a case of action bias, with the simple difference between double-checking a threat and responding costing millions. Equally, by moving towards preventative strategies, you’re able to identify and stop a threat while it’s being downloaded, helping to kill the process as it’s taking action, instead of waiting to only suffer the consequences. Both phishing and ransomware demonstrate the dangers of action bias, with a prevention strategy often helping to radically decrease the chances of an event occurring. 
  • Poor Disaster Recovery – A common practice after a ransomware or malware occurrence is to check the systems and turn towards different disaster recovery protocols. The vast majority of IT users leave this up to chance, relying on Shadow Copies produced by Microsoft Windows as their backup plan. However, modern ransomware can easily find these shadow copies and disable their creation, leaving this action bias assumption of relying on them completely void. By moving to an endpoint protection, you’re able to carry out effective disaster recovery that has been planned ahead of time. This will counter the most common ransomware processes and ensure that you have a system in place to fall back on when disaster strikes. 
  • Leads to Burnout – When your security team is constantly having to deal with cyber threats that they’re not familiar with, a huge amount of pressure is placed upon them. Over time, this can lead to burnout, causing you to lose valuable staff to the pressure of the job. In fact, over 33% of cyber security professionals are considering quitting their jobs due to the continual stress of breach possibilities. By placing pressure on your team to react instantly, your favoring of action bias is costing you talent and demotivating your security team.

These are only a few examples of how the pressure of a security response, when combined with a need to spring into action, can be disastrous for a company and its staff. 

Instead of aligning your cyber security response with action bias, we always recommend you attempt to cultivate a methodical and logical response culture. 

Building a Business That Prevent Cyber Attacks

Before we move into the ways that your business can create a culture that responds better to threads, we must acknowledge that another fantastic way of protecting your teams and all of their data is to implement thorough prevention strategies. Through comprehensive prevention technology, your business is able to stop threats from ever occurring, using modern security tools to create a range of defenses that keep your business safe.

Leading cybersecurity defenses will always construct a multi-layer defense process. While ensuring your team is ready an breach event does occur, it’s equally important to have systems in place to ensure the chance of a cyberthreat is reduced. Configuring a prevention-first approach reduces the number of threats through two core mechanisms:

  • CDR (Content Disarm and Reconstruction)- When content is delivered to an employee in typical files like PDF, Word, or XLS, many don’t think twice before opening. By using a comprehensive security tool, you’re able to search through these files, find hidden embedded objects and any other javascript objects that will execute when the file is opened. By finding these dangerous aspects, malware is detected and extracted, ensuring that your employees are much safer when navigating this digital space. There are security products currently on the market that facilitate these defenses, like Threat Extraction by Check Point or Fortinet or by Cisco. What sets these apart from other companies is that their solution is an integral part of prevention, directly connecting to the holistic system rather than just posing as another containerized and disconnected security solution.
  • SandBox and Behavioral Analysis – When a file is flagged as potentially dangerous, an example of a real-time threat emulation tool response would be to put that file on hold, even during the download process, ensuring that your systems have ample time to double check its validity and comb through it for corrupted or dangerous elements. This advanced form of detection will put a stop to ransomware downloads and keep your team safe, ensuring that they’re less likely to run into a disastrous cyber security situation. Once again, both Check Point and Cisco have two solutions within this asset of prevention, known as Threat Emulation and Threat Grid respectively. These integrate directly into your platform, ensuring that you are always protected from any potentially dangerous files.

Part of creating an effective cyber security defense system is to ensure that you place as much focus on prevention as you do when attempting to create an efficient response culture. By using tools that are familiar with the MITRE ATT&CK Framework, you can continually construct preventative measures that counter the most common methods of infiltration. The more security verticals that an admin’s configurations cover, the more scope the defense system will have. 

While you can never block 100% of all threats, modern tech tools can radically decrease the amount of potentially dangerous files, elements, and scripts that make their way to your employees. If they have to deal with less threats, then you’re automatically helping to keep everyone safe through a prevention-first approach.

How to create a better response culture

As action bias is mostly an unconscious response, the first step towards changing your cyber security team’s habits is to address the elephant in the room. Discussing action bias, defining it, and demonstrating why it can negatively impact the team will bring people up to speed, helping them to understand why a change is needed.

After these initial discussions, there are three main steps that you should then take to create a better response culture. These are:

  • Building a Routine and Personal Resilience 
  • Practice Responses
  • Invest in a Security Operations Center (SOC)
  • Unifying Responses Through Technology

Let’s break these down further.

Building a Routine and Personal Resilience 

Action bias, in part, comes from a level of panic on the side of the cyber security defenders. If they haven’t experienced a breach before, they might be feeling a great deal of pressure, causing them to act irrationally.

Equally, if a hacker notices that your team is too quick to respond, they may work out that you have an inexperienced cyber security department, causing you to become a repeat target as they attempt to gain entry. Instead of letting hackers pressure your team, you should actively work on building up your team’s resilience within these hacking situations.

By having routines and processes in place that individuals can fall back upon in panic situations, then disaster events become much less intense and lose a lot of their shock factor. Removing shock and nerves can help your team keep a clear mind. In fact, Dykstra commented in their investigation that “We can help build resilience in the people, and resilience in the processes that we have in our organizations, so it isn’t so stressful in those situations.” 

In short, it’s all about getting your team accustomed to these situations, “they know what to do; they’ve done it before.”

Practice Responses

To help your team become more conscious of how they respond to a crisis event, you need to try and simulate these events as commonly as possible. Luckily, disaster and breach simulations are actually incredibly common within the world of cyber security. Known as penetration testing, you can split your team into two – the red team and the blue team.

Within this exercise, the red team will try to break into your systems, pulling hacking tactics from the MITRE ATT&CK Framework to attempt to forcibly breach your defenses. While the red team works, the blue team will act as the defenders, working methodically to stop the red team’s infiltration.

Running penetration tests gives your cyber security teams a safe environment in which they can experience what it feels like when a disaster event is occurring. By then planning out their response, with time to think about the best course of action, they can get used to the situation, making them more comfortable.

Then, when a real breach event occurs, your team will know not to leap into action, but will rather take their time and assess the situation closely before proceeding. Equally, those that are on the red team for the exercise are able to hone their skills, putting themselves into the shoes of a hacker to understand where they’re likely to attack and what they would do.

These pen tests are a fantastic way of training action bias out of your team and enforcing a better response culture. 

Invest in a Stable Security Operations Center (SOC)

A company’s security operations center will help a business to detect, monitor, and effectively respond to cyber-threats. While the other solutions proposed here focus on how you can ensure everyone is ready to respond, having a SOC in place ensures that you have the tools ready to respond in the right way. 

One of the most appropriate and effective solutions that will be launched by a SOC once a threat is detected is to correlate traffic into events, reducing the amount of data being processed. With this, the SOC is able to recommend the correct course of action, boosting your team’s ability to make a conscious decision.

Instead of falling back onto panic-based decisions, the recommendations and action courses recommended by your company’s SOC will ensure your team has all the information they need to make a recommendable decision. 

Unifying Responses Through Technology

A core aspect of having a well-organized security response is ensuring that all of your team knows exactly which technologies they should be relying on when a crisis event occurs. By using a first-class black hat defender for your business, you’re able to supply your team with all of the tools they’ll need to keep your systems safe.

Turning to a comprehensive tech solution that has a range of defense services and a history of their effective usage, you ensure that your team has the best tools available to them. By using a company’s penetration test simulations, you give your team the power to build up a working understanding of how these events occur, and what to do during them. With knowledge of the system, they’ll be ready to respond at a moment’s notice.

Then, whenever a breach event occurs, your team will all know exactly which tools, which protocols, and which defense systems they are all going to deploy. Using a catch-all security system instead of lots of disparate tools will build up the response fluidity, allowing for rapid responses without action bias. 

Of course, speed is still needed in cyber security responses, which is why having a useful security system at your team’s disposal with all the recommended tools in one is a great idea.

Final Thoughts

Action bias and responding too quickly to intense situations can often leave your organization much worse off than it would have been if you’d only taken a few minutes to plan a more structured response. From avoiding paying out money to hackers when its not required to ensuring that your team is accustomed to anxiety-inducing events and can keep a cool head, planning for disaster is a wonderful practice mechanism that your business should be incorporating.

By breaking down exactly why action bias is negative and then pushing for a better response culture in your business, you’re able to more effectively manage disaster events. With this, you’ll be keeping your organization, your staff, and all of your customer data safer for the long run.