October 5, 2022
by Cyber Ranch
Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks up the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.
[00:00] Researching cybersecurity psychology & other exciting industry mashups
[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem
[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias
[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance
[25:55] Creating an accurate measure of how secure we really are
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
In the context of cybersecurity, what are some examples of magical thinking?
Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.
“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”
Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?
While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.
“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”
What about common cyber biases, such as zero risk, confirmation, and omission bias?
The cyber industry is ripe with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk— understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.
“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”
“The goal of a security vendor is to keep you secure.” Why is that a misconception?
Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.
“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.”
Check out Josiah’s book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...
This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc. Another one of Allan's illustrious guests with 25 years in cyber. (https://www.linkedin.com/in/schawacker/). The topic started as all that th...
This episode is jam-packed with wisdom that is delivered at a rapid pace. Some folks will find themselves rewinding and taking notes. Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to ta...
To celebrate the 100th episode, Allan decided to let the audience participate in the show. 21 people called in and answered a wide variety of questions about cybersecurity. It is a fantastic show and it is very fun to hear all the different perspec...
This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventu...
In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk toleranc...
Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incr...
Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the pre-c...
This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes: ...
In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?" Should the CISO be the one to decide whe...