Dark Reading is part of the Informa Tech Division of Informa PLC


Operations

4/24/2020 02:00 PM
Tamir Hardof
Commentary

Find Your Framework: Thinking Fast and Slow

Economist Daniel Kahneman's classic book has lessons for those in security, especially now.

In his groundbreaking book, Thinking Fast and Slow, Nobel Prize-winning economist Daniel Kahneman lays out the conflict in our minds between "the impulsive, automatic, intuitive, or System 1, and the thoughtful, deliberate, calculating System 2. As they play off against each other, their interactions determine how we think, make judgments, and act." This book summarizes years of his research into behavioral economics and demonstrates how these two thought systems can have the same inputs yet arrive at different results.

I've been thinking about this book as I talk to my colleagues in cybersecurity. Everyone is in a mad rush. The pressure is on to make changes. The new reality of having a completely remote workforce is putting immediate and acute strains on the current way of doing business. From access to endpoints, firewalls to services, enterprise operations weren't designed for this. At the same time, malicious actors are living down to their reputation and taking advantage. According to the FBI, attacks are already up.

What does "thinking fast and slow" mean in this context? For business leaders, it means that we need to be deliberate but decisive. We need to think about dependencies and implications before acting. Often, the best decision isn't the one that gets you to a destination the fastest but the one that gets you there in a reasonable amount of time with a minimum amount of risk.

There are many lessons in Kahneman's book that security leaders can use to enable employees without also enabling malicious actors.

Framing: For Kahneman, framing is all about how you present information. In the book, the author describes an experiment in which some subjects were asked whether they would opt for surgery if the "survival" rate is 90%, while others were told that the mortality rate is 10%. Same situation, but vastly different results because of the presentation. How a security leader sets goals; quantifies results, objectives, and expectations; and presents his or her options and recommendations is the first measure of success. This is especially important at a time of massive change, when board interest is at its apex and broad organizational support is required.

Sunk costs: According to Kahneman, people tend to "throw good money after bad" in part to avoid feelings of regret. In business, this results in investing in bad projects solely because they've already been invested in. Is the motive emotional: a fear of regret, or a fear of being exposed to colleagues as having failed and needing to take a new approach? Are these decisions being made, or not made, for the right reasons?

Overconfidence: If something is familiar to us, we tend to have undue confidence in what the mind believes it knows. The lesson for security leaders is that doing things as they've always been done, just bigger or faster, isn't always the best answer.

Choices: We tend to address problems in isolation. Kahneman's research shows that "when other reference points are considered, the choice of that reference point (called a frame) has a disproportionate impact on the outcome." What does that mean for the security choices we are making or not making? These decisions have so many dependencies and implications that making decisions about perimeter security, or access solutions, or firewall policy in isolation can have far-reaching negative consequences.

We all feel the pressure to act, to be an agent of change, and come through for the organization during this incredibly difficult time. Kahneman, a behavioral economist, would tell us to take emotion out of our decision-making. Easier said than done — that's why it takes work! Despite having nothing to do with our day jobs, Thinking Fast and Slow can provide a framework for better decision-making and, when we need it most, protect us from our own worst impulses.

I'd be interested to hear if there are any books that you've found yourselves thinking about in recent weeks. If so, let me know what it was and why in the comments. Thanks for reading.


Tamir Hardof is Chief Marketing Officer at Axis Security. Tamir is responsible for leading all marketing activities for the company. Prior to joining Axis Security, Tamir was Vice President of Marketing at Kenna Security where he led all corporate, partner, and product ...