I recently had the delectable pleasure of collaborating with some fine folks on a paper about behavioral factors in infosec incident response, specifically about the opportunity cost of action bias – the human tendency to favor action over inaction – in these activities. The influence of cognitive bias in various infosec endeavors is an underexplored area of research and this paper aims to change that, starting with supporting more constructive incident response decision-making.

There are a few points we made in the paper that I especially want to highlight:

  • Overlooking opportunity cost – the loss of potential gain from other alternatives when a choice is made – is rife within infosec decision-making across all activities, not just incident response (IR); get hyped for more on this from Josiah and me soon
  • One way to start incorporating opportunity cost in practice is by considering the “null baseline”; in the context of incident response, it means considering the option of waiting to act
  • Action bias is especially bad for IR because any option may be chosen without regard for its cost or value – and such rushed decisions can lead to suboptimal outcomes
  • We use the Sony Breach as a case study of this and it’s worth pondering how much money they lost from the heat-of-the-moment decision to shut down all computers along with the corporate network once they discovered the intrusion
  • This problem extends beyond security-specific IR, too – for instance, restarting database services that are running “hot” can exacerbate and extend the incident, despite reflecting a common knee-jerk response
  • Part of incident preparation involves ensuring more choice options are available during response; for example, reliable logging pipelines would enable the rebuild option during response without sacrificing visibility into system behavior
  • Our hypothesis is that thinking in terms of a temporary delay is more helpful than either a “do nothing” mentality or a “do something” (i.e. action bias-driven) mentality – the paper, of course, elaborates on why we believe so
  • Practitioners frequently conflate ambiguity and uncertainty; in incident response, collecting more information (solving uncertainty) will not always guide you towards which choice will result in the optimal outcome (i.e. it won’t resolve ambiguity)
  • Opportunity cost in infosec must also be considered with respect to its externalities; decisions made by defenders will impose costs on other stakeholders, whether users, software engineers, or even society – and those costs are woefully neglected today
  • Pre-mortems, post-mortems, and chaos engineering experiments can all help incident response teams build “muscle memory” to support “watchful waiting” rather than succumbing to the instinct to act immediately
  • And honestly our send-off just straight up slaps: “To avoid a breach is to try and prevent it. Overcoming action bias and properly pricing in opportunity cost instead requires a focus on preparation.”

The paper’s venue is the upcoming Human Factors and Ergonomics Society Annual Meeting in October 2022, but my co-author Josiah Dykstra published it on his site for the viewing pleasure of all mortals out there seeking enlightenment: https://josiahdykstra.com/wp-content/uploads/2022/06/HFES2022_OpportunityCostAndActionBias.pdf

Abstract

The hours and days immediately following the discovery of a cyber intrusion can be stressful and chaotic for victims. Without a documented and well-rehearsed incident response plan, people are prone to costly fear-based reactions. Action bias is the human tendency to favor action over inaction. It feels better for victims to do something even if rushed decisions are suboptimal to thoughtful, careful alternatives. Furthermore, the null baseline of doing nothing or watchful waiting can sometimes be advantageous. This paper describes an application of opportunity cost to action bias. While these insights are not yet backed by empirical data, this is the first work to examine the intersection of opportunity cost with action bias in cybersecurity incident response. Using Sony Pictures Entertainment as a case study, we discuss the implications of opportunity costs from acting prematurely and, conversely, the opportunity costs of waiting to act.

Citation

Opportunity Cost of Action Bias in Cybersecurity Incident Response. Josiah Dykstra, Kelly Shortridge, Jamie Met, Douglas Hough. Human Factors and Ergonomics Society Annual Meeting, October 2022.