In February, Bitsight released a new Bitsight Insight examining the cyber health of the U.S. economy and found that 82% of the 460 companies assessed had an externally observable security compromise in 2013. Examples of security events observed by Bitsight include communications between compromised computers inside an organization and external computers known to be under the control of an attacker, distribution of malware, and propagation of malicious email. Although these security events do not necessarily equate to data loss, each one is an indication that the organization has been compromised in some manner.
However, in spite of this evidence of widespread compromise among America’s largest companies (our analysis was based on a subset of companies in the S&P 500), corporate and IT leaders seem to feel quite confident about their security posture.
Take for example the 2014 Global State of Information Security Survey, conducted by PriceWaterhouseCoopers and CSO Online, that found executives to be quite confident in the robustness of their security initiatives. Seventy three percent of the North American executives surveyed believe that their security programs are effective. Then there is also the 2013 (ISC)2 report on the information security workforce, developed in partnership with Booz Allen Hamilton and Frost & Sullivan, which found that the majority of respondents believe that their organizations would perform better or the same relative to 12 months earlier. Respondents with C-level and officer job titles were more optimistic on readiness than respondents with lower job titles. And lastly, the Trustwave 2014 Security Pressures Report found that 72% of respondents in the U.S. feel safe from IT security threats. Nearly 60% of the respondents were CIOs, CISOs, VPs or Directors.
Optimism Bias Leads to False Confidence in Security
So why are America’s corporate and IT leaders so confident in their security posture? Optimism bias is one reason. According to the famous cognitive neuroscientist Tali Sharot, 80% of people have optimism bias. They overestimate the likelihood of experiencing good events and underestimate the likelihood of experiencing negative events. “We're optimistic about ourselves, we're optimistic about our kids, we're optimistic about our families, but we're not so optimistic about the guy sitting next to us,” she says in her TED Talk. People tend to believe that their desired outcomes will indeed happen and that their goals will be met. They know that bad things do happen, but assume these bad things will happen to someone else. This is why, in spite of knowing that 40% of marriages in the western world end in divorce, newlyweds almost always say their chance of divorce is 0%.
Another reason for this false confidence is that many business leaders simply do not understand cyber security risk. A report issued in January 2014 by Lancope and Ponemon Institute titled Cyber Security Incident Response: Are we as prepared as we think? found that corporate leaders in the U.S. and U.K. are often in the dark on cyber security issues. Only 20% of survey respondents said their executives are frequently briefed on cyber threats.
How to identify, quantify, and mitigate cyber risk are questions often left to the “techies” in the company. Executives believe that they have hired the right management team, and they in turn have hired the right people to manage security risk. In addition, security spending in most North American companies has grown from 2012 to 2013 and will likely increase again in 2014. Therefore, many executives believe, the company’s security posture must be good.
When it comes to cyber risk, the mismatch between perception and reality is great. Natural optimism bias combined with a lack of understanding of cyber risk can lead business executives believing that their businesses are secure. While cyber risk may never go away, understanding the reality can help many companies take action to lower this risk.
My next post will explore reasons for this optimism bias and how security teams can work to address it.