Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

End of Bibblio RCM includes -->
02:00 PM
Connect Directly

The Danger of Action Bias: Is It Always Better to Act Quickly?

Experts discuss the meaning of action bias and how it presents a threat to IT security leaders, practitioners, and users.

When a data breach hits, the best response is to act quickly and forcefully … right?

Not necessarily, experts say. The impulse for cybersecurity pros to have control over a situation is common — after all, you don't want to be the CISO who didn't act after learning about an attack — but hastily made decisions may do more harm than good or create a problem where one didn't exist.

Action bias, a subset of cognitive bias, describes the human tendency to favor action over inaction. This is the perceived urgency that tells you, "Don't just stand there, do something!" even when there's no evidence that action will be helpful. Cybersecurity practitioners, along with healthcare workers and air-traffic controllers, are among the professionals who face this bias on a regular basis.

There are a couple of reasons why action bias strikes, says Doug Hough, senior associate at the Johns Hopkins University Bloomberg School of Public Health. Sometimes the motivation is to show leadership or demonstrate value. Action bias also preempts second guessing. Perhaps you didn't do the right thing by acting, but at least you did something, as opposed to doing nothing.

In some cases, though, it's better to take time in reacting to a situation rather than jumping in with both feet. Hough uses the example of a soccer goalie: Sometimes the best move for a goalie is to stand in the middle of a goal, not jump to one side or the other. What looks like inaction is a deliberate choice; the goalie is being strategic in waiting to see where the ball goes.

The same applies in the professional realm, where slowing down responses can lead to a better outcome. "Sometimes it's better to let issues and problems percolate a bit … and understand them enough, so that you can really attack the problems intelligently and efficiently," Hough explains.

Josiah Dykstra, technical fellow at the National Security Agency's Cybersecurity Collaboration Center, uses phishing as an example. An employee who receives a phishing email that demands they take action will feel compelled to act, whether that means clicking a malicious link or downloading an attacker's attachment. The urgency they feel leads them to make the wrong choice.

"When instead, if they slowed down and thought more carefully about what to do, they might not become a victim in the same way," he says. "That impulse to get control shows up in all kinds of situations, whether we are users, cybersecurity defenders, or leaders."

Ransomware is one scenario in which these three groups act very differently, Dykstra continues. If an employee's machine is infected with ransomware, their immediate reaction is to try and get their data back. They aren't aware of the many security mechanisms put in place that were meant to stop this problem.

Defenders have a different view. They want to jump into action right away to figure out how this problem occurred so they can fix it. Those in security leadership have another reaction. From their perspective, the rational thing is to say, "This can never happen again; we can never allow ransomware." They're willing to spend more money and allocate more budget to ensure there isn't a repeat attack.

"From my perspective as a user or a cybersecurity defender, that seems kind of crazy; it seems like overkill," Dykstra says. "But my view of the problem is quite different than the user's or the executive leadership's."

The attitude of "this can never happen again" can make action bias worse, Hough adds. The business feels they have to do something — anything — to prevent another incident, and if/when that incident does happen, they feel the pressure to respond instantaneously. But without a process to address the situation, "act fast" could cause long-term damage to organizations and their employees.

Long-Term Effects & Proactive Steps
Just as it plays a role in responding to attacks, action bias plays a role in the stress, burnout, and mental fatigue affecting security practitioners, the experts say.

From a defender's perspective, the attacks never stop, says Dykstra. Organizations have set impossible goals, such as "don't allow any bad things to happen," which puts continual pressure on employees to achieve goals that often can't be met. The buildup of these situations is contributing to stress that will continue to increase as the crises will never stop.

"Hackers are incentivized to keep trying," he adds. "They will keep coming over and over again, but we don't need to let that lead to burnout. We can help build resilience in the people, and resilience in the processes that we have in our organizations, so it isn't so stressful in those situations — they know what to do; they've done it before."

Both Hough and Dykstra agree security teams can do more to prepare for attacks so the immediate reactive choices are more routine. Creating resilience in people and processes can lessen the stress when attacks hit and help employees, practitioners, and leaders act quickly with confidence.

They advise conducting tabletop exercises and red teaming to create and practice a routine for responding to an attack. Going through the exercise and building this process will help identify who must be in the room to solve certain problems, what everyone's individual roles will be, and how they will work together to react to a crisis. The idea is not to sit still and let bad situations unfold but to give the situation forethought and prepare to respond more appropriately.

"In a sense, you're developing a process, not an answer," Hough says. "It's not that you'll develop the answer when every single thing comes along, but you have a structure of how you should proceed, which would then enable you to avoid, or at least ameliorate, action bias."

Hough and Dykstra will discuss the effects of action bias, its effect on the cybersecurity industry, and how to address it in an upcoming Black Hat talk entitled "Action Bias and the Two Most Dangerous Words in Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...