I found this really interesting publication about cognitive bias in Cybersecurity:
And it got me wondering - how is cognitive bias prevalent in research, academia, or even just general institutions? Here are some ideas that I have. I don’t want to categorize them specifically (because I’ll probably just get it wrong) but someone else might.
Cognitive Bias in Research Cybersecurity
I infer that:
- because the general researcher must be working for the greater good, they cannot engage in any malicious or immoral practices with data or privacy. (aggregate bias?)
- working on any research cluster under my institution ensures that I am completely protected.
- using a cloud provider means that I don’t need to worry about security.
- If I run a service quickly and don’t use SSL, it’s probably okay for just this one time (some kind of collective action failure if everyone then doesn’t).
- I don’t understand what a CVE is, so it must be my system administrator’s problem.
- If I didn’t check and see it in my data, or if I didn’t clarify the rules for data on this cluster, there is no problem (this is covering a tendency to assume that it’s not you that is violating some privacy rule with an imperfectly cleaned dataset, but all those “other people.”)
- If I purchase a security product I am safe.
I think there are probably a lot of random examples that one might come up with, and I thought it would be an interesting discussion to have. And then, importantly, how do we overcome some of these biases? What do you think are common ones? Which are most important?