5. Explain how bias can influence cyber security (AC 1.5)

Confirmation bias
Confirmation bias is searching for, and giving more weight to, information that confirms a suspicion or belief you already hold. For example, your organisation gets hacked, and because you follow current events, where many cyber attacks are blamed on Russia, you assume this attack was carried out by Russian actors too. You will then find evidence that points towards Russia even when it is not clear where the attack came from; the bias fills in the blanks for you. It is easy to get swept up by trends, but when approaching any investigation it is important to keep an open mind, follow the evidence and identify the actual culprit. This matters doubly in attribution, because indicators such as language strings, working hours and infrastructure can be deliberately planted to point at someone else.

Fundamental attribution error
This is a cognitive bias where you attribute other people's behaviour to internal factors such as personality or competence, rather than to external factors such as situational constraints. In practice this means we find it easier to blame our colleagues or users, for example assuming older people are less IT competent, than to look for the actual cause, such as their device breaking through no fault of their own. (Fun fact, I know an 85-year-old gentleman more learned in Linux than me ^_^ ). IT professionals sometimes jokingly refer to this as "Problem Exists Between Keyboard and Chair" (PEBKAC) or "Problem in Chair, Not in Computer" (PICNIC).

Aggregate bias
This is judging individuals through a racist, sexist, classist or ageist lens, that is, applying a belief about a group to every member of it. For example, "Everyone from [REDACTED] is always falling for phishing scams". This bias is a) entirely inappropriate in a workplace or anywhere else, and b) leads cyber professionals to overlook the true cause of a problem; for example, people from that country may simply be targeted by more phishing emails, which increases the number of victims.

The framing effect
This bias is all about how data is presented. The same data can be presented in a positive or a negative way, and people will react differently to each framing.
When speaking or writing, the choice of words matters because it greatly affects how the message comes across. A good example: "one in five companies never recovered from a brutal, crippling ransomware attack". Presented this way, ransomware sounds like a very high risk, and managers hearing it may overinvest in countermeasures. The opposite framing of the same statistic: "four out of five companies successfully mitigated a little thing called ransomware". This downplays the risk, and decision makers might not invest sufficient funds in ransomware defences. It is crucial to present data neutrally, giving the underlying figures and their source rather than loaded language, and to stick strictly to the point.
