October 5, 2022
by Cyber Ranch
Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks up the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.
[00:00] Researching cybersecurity psychology & other exciting industry mashups
[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem
[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias
[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance
[25:55] Creating an accurate measure of how secure we really are
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
In the context of cybersecurity, what are some examples of magical thinking?
Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.
“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”
Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?
While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.
“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”
What about common cyber biases, such as zero risk, confirmation, and omission bias?
The cyber industry is ripe with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk— understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.
“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”
“The goal of a security vendor is to keep you secure.” Why is that a misconception?
Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.
“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.”
Check out Josiah’s book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC! He asks a unique question of each guest, who represent a great deal of breadth in our industry: Dave Belanger, CISO at Bestow Insurance - What is the most...
Howdy, y'all! Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all! For those who don't track it, there is no Cyber Ranch Podcast four times a year: American Thanksgiv...
Warning, there might be some naughty language in this one! The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won??? "Won"? Th...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney. Evan has led and managed 100s of investigations including cybersecurity, data breach, insider...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup! Another Cyber Ranch guest with an awesome history! Tim and Allan were chattin...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes. She has also consulted, and has worked at Chevron, General Dynamics, and SACI. Jack h...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft ...
Chris Tillett is a well-known figure in our industry. He is in product management and R&D at Palo Alto Networks. He is also a great guy, funny, and can wield the snark quite well. He is the perfect foil for Allan Alford as the two of them take...
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Joining Allan this week is Ron Nissim, CEO @ Entitle. Yes, this is one of our rare shows with a vendor as a guest. Why? Because in this case, the vendor was more highly informed than any of Al...
Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University. He also serves as the faculty lead for the cyber policy specializatio...