Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

6/28/2021
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

The Danger of Action Bias: Is It Always Better to Act Quickly?

Experts discuss the meaning of action bias and how it presents a threat to IT security leaders, practitioners, and users.

When a data breach hits, the best response is to act quickly and forcefully … right?

Not necessarily, experts say. The impulse for cybersecurity pros to have control over a situation is common — after all, you don't want to be the CISO who didn't act after learning about an attack — but hastily made decisions may do more harm than good or create a problem where one didn't exist.

Action bias, a subset of cognitive bias, describes the human tendency to favor action over inaction. This is the perceived urgency that tells you, "Don't just stand there, do something!" even when there's no evidence that action will be helpful. Cybersecurity practitioners, along with healthcare workers and air-traffic controllers, are among the professionals who face this bias on a regular basis.

There are a couple of reasons why action bias strikes, says Doug Hough, senior associate at the Johns Hopkins University Bloomberg School of Public Health. Sometimes the motivation is to show leadership or demonstrate value. Action bias also preempts second guessing. Perhaps you didn't do the right thing by acting, but at least you did something, as opposed to doing nothing.

In some cases, though, it's better to take time in reacting to a situation rather than jumping in with both feet. Hough uses the example of a soccer goalie: Sometimes the best move for a goalie is to stand in the middle of a goal, not jump to one side or the other. What looks like inaction is a deliberate choice; the goalie is being strategic in waiting to see where the ball goes.

The same applies in the professional realm, where slowing down responses can lead to a better outcome. "Sometimes it's better to let issues and problems percolate a bit … and understand them enough, so that you can really attack the problems intelligently and efficiently," Hough explains.

Josiah Dykstra, technical fellow at the National Security Agency's Cybersecurity Collaboration Center, uses phishing as an example. An employee who receives a phishing email that demands they take action will feel compelled to act, whether that means clicking a malicious link or downloading an attacker's attachment. The urgency they feel leads them to make the wrong choice.

"When instead, if they slowed down and thought more carefully about what to do, they might not become a victim in the same way," he says. "That impulse to get control shows up in all kinds of situations, whether we are users, cybersecurity defenders, or leaders."

Ransomware is one scenario in which these three groups act very differently, Dykstra continues. If an employee's machine is infected with ransomware, their immediate reaction is to try and get their data back. They aren't aware of the many security mechanisms put in place that were meant to stop this problem.

Defenders have a different view. They want to jump into action right away to figure out how this problem occurred so they can fix it. Those in security leadership have another reaction. From their perspective, the rational thing is to say, "This can never happen again; we can never allow ransomware." They're willing to spend more money and allocate more budget to ensure there isn't a repeat attack.

"From my perspective as a user or a cybersecurity defender, that seems kind of crazy; it seems like overkill," Dykstra says. "But my view of the problem is quite different than the user's or the executive leadership's."

The attitude of "this can never happen again" can make action bias worse, Hough adds. The business feels they have to do something — anything — to prevent another incident, and if/when that incident does happen, they feel the pressure to respond instantaneously. But without a process to address the situation, "act fast" could cause long-term damage to organizations and their employees.

Long-Term Effects & Proactive Steps
Just as it plays a role in responding to attacks, action bias plays a role in the stress, burnout, and mental fatigue affecting security practitioners, the experts say.

From a defender's perspective, the attacks never stop, says Dykstra. Organizations have set impossible goals, such as "don't allow any bad things to happen," which puts continual pressure on employees to achieve goals that often can't be met. The buildup of these situations is contributing to stress that will continue to increase as the crises will never stop.

"Hackers are incentivized to keep trying," he adds. "They will keep coming over and over again, but we don't need to let that lead to burnout. We can help build resilience in the people, and resilience in the processes that we have in our organizations, so it isn't so stressful in those situations — they know what to do; they've done it before."

Both Hough and Dykstra agree security teams can do more to prepare for attacks so the immediate reactive choices are more routine. Creating resilience in people and processes can lessen the stress when attacks hit and help employees, practitioners, and leaders act quickly with confidence.

They advise conducting tabletop exercises and red teaming to create and practice a routine for responding to an attack. Going through the exercise and building this process will help identify who must be in the room to solve certain problems, what everyone's individual roles will be, and how they will work together to react to a crisis. The idea is not to sit still and let bad situations unfold but to give the situation forethought and prepare to respond more appropriately.

"In a sense, you're developing a process, not an answer," Hough says. "It's not that you'll develop the answer when every single thing comes along, but you have a structure of how you should proceed, which would then enable you to avoid, or at least ameliorate, action bias."

Hough and Dykstra will discuss the effects of action bias, its effect on the cybersecurity industry, and how to address it in an upcoming Black Hat talk entitled "Action Bias and the Two Most Dangerous Words in Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41393
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
CVE-2021-41394
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
CVE-2021-41395
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
CVE-2021-3806
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CVE-2021-41392
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.