Availability Bias in Cybersecurity

When presented with too many choices, people can be paralyzed and pick the one that’s most available to them. This can be either the choice they have heard of the most, or the last option they heard. This is due to a psychological phenomenon known as the availability heuristic. Decision making is very hard for human beings because we will always have limited information. In order to combat this problem, we take shortcuts known as heuristics. These shortcuts guide us through our lives by giving us rules of thumb to follow when faced with uncertain outcomes.

As mentioned earlier, the availability heuristic leads us to choose options that are most readily available in our memory. This is due to the amount of exposure that we receive to a stimulus and its relative strength. This does help with small decisions like what brand of chips to buy at the store, but for larger decisions it can cloud our judgement. When making decisions in a business environment you should examine all the facts and take all options into account properly. However, with an almost endless supply of options you can become paralyzed and fall back on a heuristic to make a decision that could prove to be a very expensive mistake.

One such example occurs when purchasing a solution for data security. There is an incredible number of solutions out there that all attempt to accomplish different things. The categories for solutions include: endpoint security, antivirus, encryption, threat detection, and more. All of these have the same goal of protecting your company from the numerous cyberthreats that occur on a daily basis. However, most of these solutions require another piece of protection to supplement their functionality. An antivirus will do its best to detect threats, but if one gets past it, then it will be open season on your company. Encryption won’t do much good if your employees must be the ones deciding what gets protected, because humans will make mistakes. Most businesses require some mix of these products in order to keep their company as safe as possible. This leads to a massive number of potential combinations to consider, and a very hard decision for the CISO to make.

However, the availability heuristic can be overcome. The first and most important way to do so is to form a team with a wide variety of viewpoints and experiences. This will limit the groupthink effects that often plague teams made up of similar people. If you keep your group members in check by questioning their ideas, it will be much easier to make informed decisions. Some may say this will lead to a hostile business environment, but the act of questioning in itself is not bad. It only becomes bad with bad intentions. If group members are grilling others about the specifics of a plan or service, then it comes from a good place and will help fight availability biases.

It can be easy to settle for the biggest name in security, but that doesn’t necessarily mean that it is the most effective. Make sure to evaluate options that get the job done, not what is the most readily available.