5 Cognitive Biases You Need to Know to Keep Your Business Safe 

Rose de Fremery, April 05, 2022
Most of us like to believe we have free will, but sometimes our human tendencies can get the better of us. Especially when we're overloaded or stressed out, our human brains subconsciously take mental shortcuts known as cognitive biases. These biases can influence our decision-making processes and, in doing so, shape our cybersecurity behaviors.

Cyber attackers are well aware of this psychological phenomenon, which is why they often try to "hack" our brains in phishing campaigns or other kinds of social engineering attacks. Here's a look at five cognitive biases in cybersecurity that, if left unaddressed, can put your business at risk. Then we'll explore how a password manager helps overcome these biases, giving your employees the tools they need to keep business data safe.

1. Decision fatigue

Making decisions can literally exhaust us, and we have to make a staggering number of them each day. According to Psychology Today, the average person makes 35,000 choices a day. These days, you probably have to make even more of these complex calculations just to safely navigate the new normal. It's a lot.

When you get an email notifying you that one of your accounts has been breached, your first reaction may be, "What am I supposed to do?" It might not be immediately clear how you can protect yourself or your business, which means you might have to do some homework to figure out the right course of action. And depending on what you find out, you might have to add more work to your already overflowing plate. Decision fatigue often takes over at moments like these, tempting you to shrug and move on to something else. After all, that to-do list isn't getting any shorter and that budget report is due in two hours. The natural impulse is to just let it slide. A lot of people do just that, in fact. According to the Psychology of Passwords 2021 report, 45% of survey respondents did not change their password in the last year even after a breach had occurred.

2. Hyperbolic discounting

If you've ever heard of the Marshmallow Test, in which small children are given the choice to either eat one marshmallow now or enjoy two of them later, then hyperbolic discounting will be a familiar concept. We humans have a tendency toward instant gratification that can sometimes work against our best interest, and this is especially true when it comes to cybersecurity.

For example, you might decide to use the same password for all your accounts rather than take the trouble to set a unique password for each one of them. Ninety-two percent of people know that this is a risky practice, but 65% of us always or mostly still use the same password variation, according to the Psychology of Passwords. We might even know that setting secure passwords will benefit us and our colleagues in the long run by keeping us safer from cyber attacks, but it's hard to pass up the instant gratification of a single, easy-to-remember password.

3. Optimism bias

Far too often, when confronted with a cybersecurity threat, we default to thinking something like, "How dangerous could it be?" or even, "What would a hacker want with my personal information, anyway?" Even though we're aware that cyber attackers are becoming more and more brazen, causing eye-popping damage as they lay siege to businesses and governments all over the globe, we assume we somehow won't be affected.

Sadly, our rose-colored lenses make it hard to see the truth. According to the 2021 Data Breach Investigations Report (DBIR), 85% of data breaches involved a human element, whether through phishing, stolen credentials, or human error. But when we assume serious cyber attacks are something that happens to someone else, we're far more likely to click on the link in that email that seems a little off or publicly post personal information on social media, putting ourselves and our workplaces at risk.

4. Herd mentality

Especially when we're tired and maxed out, it can be easier just to go with the flow. That's where the herd mentality comes in, inviting us to just do what everyone else is doing. But this cognitive bias in cybersecurity also comes at a cost. If we don't know anyone who takes cybersecurity seriously or if our company culture doesn't prioritize good password hygiene, we may just take those same shortcuts everyone else is taking.

We might freely share passwords with our colleagues over unsecured channels like email, or we might even copy what a coworker does and just put our passwords on a Post-It note right on the monitor at our workstation. In doing so, we could unintentionally expose our businesses to a cyber attack or even an insider threat, in which someone with access to the office notices that Post-It and uses the information on it to log into the company network.

5. Authority bias

Much as we might not like to admit it, we sometimes are inclined to trust authority figures and do what they ask of us, even if we have reservations about their request. So when an urgent email from the boss shows up in the inbox, we're highly likely to hop to it and respond right away. Cyber criminals know that we have this tendency, though. This is why there's a whole subcategory of social engineering attacks called CEO fraud or business email compromise (BEC), in which bad actors impersonate a chief executive or high-level leader at an organization to trigger a desired response.

In this type of scam, attackers impersonate a CEO in an email and urgently request that a payment be sent to a specific account or certain sensitive information be shared right away. It might happen while the executive is out of the office, and it might include a demand to keep the email exchange confidential. Especially in a work-from-anywhere world, when it's no longer a given that we're all in the same physical office, it may be hard to verify that an email is legitimate. Falling victim to this authority bias, however, can seriously compromise the company.

How a password manager helps keep your business safe

Human nature is a powerful thing, and it's not easy to hold strong against cognitive bias in cybersecurity. Fortunately, smart tools like a password manager can make this task a lot easier. For example, a good password manager that comes with dark web monitoring features can mitigate decision fatigue by giving employees a timely heads up when their accounts have been breached and help them quickly reset the passwords for those accounts.

A password manager can address hyperbolic discounting in two ways. It includes an encrypted vault where employees can securely and conveniently store all of their passwords, accessing them from their device of choice. It also features a password generator tool that makes it easy to create new, secure passwords.

Meanwhile, MFA tools can help the IT team lock down employee accounts with powerful biometric encryption or IP address policies, making it harder for attackers to get in the front door if someone on staff falls victim to optimism bias. These advanced IT controls can also come in handy in the case of CEO fraud that takes advantage of our authority bias.

Herd mentality is easier to manage with a password manager as well. Rather than sending out login credentials over open electronic channels where cyber attackers may have an opportunity to intercept them, employees can just use the password manager's secure password sharing feature. Single sign-on (SSO) capabilities also tackle this cognitive bias by giving everyone at the company one streamlined method for logging into all their work apps and accounts.

Overcome cognitive bias in cybersecurity

Much as we might like to think we're perfectly rational actors that could never succumb to cognitive bias in cybersecurity, research shows that's not exactly true. We suffer from biases like decision fatigue, hyperbolic discounting, and optimism bias without even realizing it, and hackers design their attacks with these human weaknesses in mind. In addition to managing your passwords, a password manager can help you manage cognitive biases so they don't get the better of you — and your company. With the right tools to support your staff, you can rest easy knowing you're keeping your business data safe.