In 2015, financial services giant Prudential ran an experiment they called ‘magnets’.
The company labelled a series of yellow magnets with positive experiences, such as ‘graduation’ or ‘marriage’. Similarly, they labelled a series of blue magnets with negative experiences. Blue magnets said things like ‘divorce’ or ‘unemployment’.
The company then asked participants to stick the scenarios they’d personally experienced on a magnetic board. Participants did so, and the board was a fairly even mix of yellow and blue magnets – so a fairly even mix of positive and negative experiences.
Next, Prudential asked participants to stick magnets describing things that might happen in the future to a new board. The results were telling.
As opposed to a fairly even mix of yellow and blue magnets, the board depicting the future was filled almost entirely with yellow magnets. According to participants, the future was certain to be rosy.
The experiments demonstrates the optimism bias. The optimism bias in cyber security is one of the reasons cyber crime continues to soar.
A bias for optimism
To the psychologists behind the above experiment, the outcome wasn’t surprising.
Social psychologists and behavioural scientists have known for a long time that humans typically harbour an “optimism bias” – an inherent bias for optimism. In a classic demonstration, the neuroscientist Dr. Tali Sharot asked people to estimate their risk of contracting cancer at some point in their lifetime. At the time, actual risks were around 30% – but the average response was just 10%.
The optimism bias is an intriguing concept that comes with a host of benefits, such as shielding us from depression and ensuring we respond positively to failure.
Sadly, though, the optimism bias in cyber security leaves us overly-vulnerable to cyber attack.
The optimism bias in cyber security
It doesn’t take a great deal of thought to connect the dots.
People are optimistic. Because people are optimistic, they tend to underestimate risks. People therefore engage unnecessarily in overtly risky behaviour.
So when we receive emails designed to infect our machines with malware, we don’t necessarily treat them with the suspicion they deserve. Far too often, we’re optimistic about the outcome of clicking links – so end up clicking malicious links or opening malicious attachments.
And, thanks to our inherently optimistic nature, we expose ourselves (and the companies we work for) to cyber security threats we could easily avoid.
Controlling for the optimism bias in cyber security
You might be tempted to think controlling for the optimism bias in cyber security would be as simple as revealing its existence. Unfortunately, it’s not that simple – as Tali Sharot’s research went on to reveal.
After Dr. Sharot found people typically placed their chances of contracting cancer at around 10%, she revealed the chances were actually around 30%.
She then asked, once again, what participants thought their chances of contracting cancer over the duration of their life were. The average response?
The almost non-existent change is a classic demonstration of what academics label comparative optimism. Comparative optimism convinces us others are more likely to suffer negative experiences than we are ourselves.
If that seems surprising, bear in mind your chances of contracting cancer are 30%. Then ask yourself:
Do you really think your chances are just shy of 1 in 3?
“A worthwhile pursuit”
That said, all is not lost.
Although learning of the optimism bias might not change our attitudes, it is possible for the rational areas of the human brain to override their irrational counterparts and change the way we behave in practice. Prenuptial agreements offer a nice demonstration.
Newlyweds typically predict their chances of divorce to be around 0% – yet often pay for, prepare and sign prenuptial agreements. At least for some couples, rational thoughts dictate their behaviour.
Admittedly, forcing the rational areas of our brains to drive our behaviour isn’t natural and doesn’t come easy. But when it comes to cyber security, channeling rationality could overcome human biases and decrease the frequency and severity of cyber attacks.
Ultimately, that seems like a worthwhile pursuit.
Almost half of all UK businesses suffered some form of cyber security breach in the past 12 months. Whether we believe it or not, the dangers exist.
By understanding the multifaceted challenges of behaviour change it is possible to reduce the risks posed by these dangers.
That is something worth being optimistic about.