Cybersecurity Risky Business

By Andres Calderon, Cyber Resilience Officer, Centura Health

The risk-based approach is a widely adopted method for addressing cybersecurity challenges in organizations. This approach involves identifying potential risks, assessing their likelihood and impact, and developing mitigation strategies to reduce their likelihood and impact.

This risk-based approach is implemented across the many silos of expertise that exist within organizations to address the company's resilience requirements: Safety Management, Emergency Management, Business Continuity, Disaster Recovery, Governance Risk and Compliance, etc. Each silo has its own risk accounting method, approaches, metrics, and frameworks, loaded with biases and lacking the data to estimate risk. Simply stated, these silos of expertise manage risk using their own “risk astrology”!

As we continue to estimate risk, we introduce biases that affect our qualitative judgment around risk quantification. Some of these biases are:

  1. Availability bias – Tendency to overestimate the likelihood of events that are easily remembered or readily available in memory.
  2. Confirmation bias – Tendency to search for, interpret, and remember information in a way that confirms preexisting beliefs or hypotheses.
  3. Hindsight bias – Tendency to believe, after an event has occurred, that one would have predicted or expected the event beforehand.
  4. Anchoring bias – Tendency to rely too heavily on the first piece of information encountered when making decisions.
  5. Overconfidence bias – Tendency to overestimate one’s own abilities or knowledge, leading to unwarranted confidence in decision-making.
  6. Framing bias – Tendency to be influenced by the way information is presented, leading to different perceptions of the same risk.
  7. Groupthink – Tendency to conform to group opinions or beliefs, suppressing individual creativity and independent thinking.
  8. Negativity bias – Tendency to give more weight to negative information, leading to an overestimation of risk.
  9. Optimism bias – Tendency to underestimate the likelihood of negative events and overestimate the likelihood of positive events.

And if you think that you have the data to quantify the risk, to prevent these qualitative biases, here are some more biases for you to consider:

  10. Sampling bias: This occurs when the sample used to estimate the risk is not representative of the entire population. For example, if a study only includes participants from a certain age group or demographic, the results may not be applicable to the entire population.
  11. Reporting bias: This occurs when there is a tendency for people or organizations to report certain types of risks more often than others. For example, there may be a tendency to report more salient or easier to measure risks, leading to underestimating other types of risks.
  12. Confirmation bias: This occurs when there is a tendency to seek out or interpret information in a way that confirms preexisting beliefs or hypotheses about the risk. For example, if a person believes that a certain activity is very risky, they may be more likely to interpret any evidence in support of that belief.
  13. Survivorship bias: This occurs when only data from survivors or successful outcomes are used to calculate risk, leading to an underestimation of the true risk. For example, if a study only looks at people who have survived a certain disease, it may not accurately reflect the risk of mortality associated with that disease.
  14. Model bias: This occurs when the model used to calculate the risk is flawed or does not accurately reflect the underlying process. For example, if a model does not consider certain factors that are important for the risk, the calculated risk may be inaccurate.
  15. Hallucinations: The new term for wrong answers generated by AI due to factors including overfitting, lack of diversity in the training data, or problems with the generative model architecture.

Let’s continue looking at risk.

In January 2022, the World Economic Forum made cyber-attacks its fourth top global risk. The issue of “systemic cyber risk” has garnered increased attention due to the potential for a singular cyber failure to propagate throughout interconnected digital systems, resulting in far-reaching and catastrophic consequences. Several recent events have served as illustrative examples of the unique challenges posed by systemic cyber risk. Two distinct incidents have brought to light the varying manifestations of this complex phenomenon: Log4j and the SolarWinds hack.

You are not sold yet?

Human fragility in real-world systems generally sets the conditions for an initial cyber trigger to cause widespread harm. We are the weakest link.

Cybersecurity is a complex issue that cannot be addressed through technology alone. The most challenging aspects of cybersecurity are currently socio-technical in nature, and the human factor continues to be the weakest and most obscure link in creating safe and secure digital environments. We talked about biases in risk perception, but the subjective and often intricate nature of human factors in the cybersecurity context is complex, and the risk it presents is impossible to quantify while trying to make business decisions. I say that it is impossible to quantify primarily due to a lack of consolidation of attributes pertaining to human factors, a lack of theoretical frameworks for how this affects human risk perception, and a dearth of in-depth studies on this subject.

The ease with which humans can be deceived by AI, fake posts, deep fakes, emails, fake calls, a link in social media, a QR code, etc., poses an increasing cybersecurity threat, making them vulnerable targets for malicious actors. Leveraging cognitive biases, emotional appeal, and social influence, cybercriminals can exploit human weaknesses to spread misinformation and orchestrate sophisticated attacks. As people often lack the time or resources to verify the veracity of the information they encounter, this creates a fertile ground for cyberattacks.

Please note that risk is not static; it changes constantly based on context and temporal factors. Risk is not a number in a heat map; it is a distribution with different patterns of variability. Risk does not happen in isolation; it is part of an ecosystem with many internal and external interdependencies. Risk is composed of variables that we don’t fully understand and can’t fully quantify, so we continue to make assumptions over assumptions.

Focus on Consequence Instead

The consequence-based approach acknowledges that the likelihood of an event can vary, so it focuses instead on evaluating and managing the potential impacts of that event. This allows organizations to prioritize their efforts and allocate resources to mitigate the most significant impacts first.

It is worth noting that certain vulnerabilities, like lateral movement and escalation of privilege, can enable attackers to gain significant control over a system or network. In such cases, even low-risk vulnerabilities ignored by the risk-based model can potentially lead to severe consequences when combined or leveraged in conjunction with these higher-risk vulnerabilities.
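
The following added example, which is not part of the original article, ranks four constructed findings two ways: by likelihood × impact scored in isolation, and by the worst consequence reachable once findings chain through lateral movement and privilege escalation. The asset names, the scores and the reachability-based scoring are assumptions made for illustration.

```python
"""Rank constructed findings by heat-map score versus worst reachable consequence."""
from collections import defaultdict

# Constructed sample data (all names and scores are assumptions).
# (finding id, asset held, asset gained, likelihood 1-5, local impact 1-5)
FINDINGS = [
    ("F1-weak-mail-filtering", "internet", "workstation", 4, 2),
    ("F2-shared-local-admin", "workstation", "file-server", 2, 2),  # lateral movement
    ("F3-unpatched-service", "file-server", "domain-admin", 2, 2),  # privilege escalation
    ("F4-kiosk-default-password", "internet", "lobby-kiosk", 5, 3),
]
# Business consequence (0-100) if the asset is controlled by an attacker.
CONSEQUENCE = {"workstation": 5, "file-server": 20, "domain-admin": 100, "lobby-kiosk": 10}


def heat_map_rank(findings=FINDINGS):
    """Classic likelihood x impact, each finding scored in isolation."""
    scored = [(fid, lik * imp) for fid, _, _, lik, imp in findings]
    return sorted(scored, key=lambda s: -s[1])


def worst_reachable(asset, edges, seen=None):
    """Highest consequence among `asset` and everything reachable from it."""
    seen = set() if seen is None else seen
    if asset in seen:  # guard against cycles in the asset graph
        return 0
    seen.add(asset)
    worst = CONSEQUENCE.get(asset, 0)
    for nxt in edges[asset]:
        worst = max(worst, worst_reachable(nxt, edges, seen))
    return worst


def consequence_rank(findings=FINDINGS):
    """Score each finding by the worst outcome it can contribute to in a chain."""
    edges = defaultdict(list)
    for _, src, dst, _, _ in findings:
        edges[src].append(dst)
    scored = [(fid, worst_reachable(dst, edges)) for fid, _, dst, _, _ in findings]
    return sorted(scored, key=lambda s: -s[1])


if __name__ == "__main__":
    print("heat map   :", heat_map_rank())
    print("consequence:", consequence_rank())
```

The heat map puts the kiosk finding first and the two low-scored chain links last, while the consequence view puts every link on the path to `domain-admin` ahead of the kiosk.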