Cognitive Dissonance and Cybersecurity

Would it shock you to learn that between 1994 and 2003 the number of children diagnosed with bipolar disorder in the U.S. skyrocketed from 25 out of every 100,000 kids to 1,000 out of every 100,000? A 40-fold increase.

No one could figure out why.

Psychiatrists put forward many theories. These ranged from radical shifts in the experience of growing up during the decade straddling the turn of the 21st century to a dramatic increase in parents seeking psychiatric help for their children. Sociologists contend that the ten-year period between 1994 and 2003 showed no significant cultural or social changes that could have caused such a surge, and psychiatrists report no accompanying increase in the diagnosis of other disorders, which is what you would expect if family psychiatric visits had risen. In fact, the suicide rate, which normally tracks bipolar disorder, actually fell by 23 percent during those years.

So, if the number of children suffering from bipolar disorder hadn’t increased and the number of parents seeking psychiatric help for their kids hadn’t increased, maybe all that changed was the number of children being diagnosed.

According to "Sway: The Irresistible Pull of Irrational Behavior" by Ori and Rom Brafman, this diagnostic trap is extremely common among us humans, and it affects not just average folks like me but also really smart people who have graduated from medical school and practice psychiatry for a living. All of us, driven by our preconceptions and biases, apply labels to people and events before we dig in to see what is actually going on. Once those labels are applied, it is difficult for even the brightest of us to pull back and consider other alternatives.

In interviewing, it is known as first-date syndrome.

In fact, even when no clear-cut value tag is presented to us, we are so eager to assign one that we create our own diagnostic labels. And we are so susceptible to these diagnostic sways that even a single, seemingly innocuous word has the power to change our opinions.

An experiment conducted in the MIT Economics 70 class is a case in point. Half of the incoming students, chosen at random, were given a bio sketch of a substitute professor containing the phrase "People who know him consider him to be a very warm person, industrious, critical, practical and determined." The other half were given the same bio with a single word changed: "cold" instead of "warm".

At the end of the period, the students were asked to complete a questionnaire rating the professor's performance. The students who had read "warm" rated him "informal, social, popular, humorous and humane", while those who had read "cold" rated him "self-centered, formal, unsociable, unpopular, irritable, humorless and ruthless." Each group was completely swayed by that one-word change and responded precisely in accord with the bio it had been handed.

What does this have to do with cybersecurity? Everything.

We as a community of practitioners have created some interesting diagnoses for the conditions created by cybersecurity threats. First, some of us believe fervently that by fixing the fundamentals – implementing a high-functioning SIEM/SOC, adopting a risk-centric approach to threat management, continually assessing and managing known vulnerabilities, applying patches when they are published, and instituting regular information security and cybersecurity awareness training and education – we will reduce our risk of common cybersecurity attacks (like the ones that caused every major breach this year) by over 95%.

On the other hand, many of us believe fervently that the problem can only be fixed by applying advanced, futuristic technologies like AI and ML so we can “get ahead” of the threats and defend against advanced techniques and actors.

In fact, this population has so completely bought into its diagnosis of the problem that it clamors to attend the RSA Conference, which regularly draws over 50,000 InfoSec, CyberSec and IT professionals every year. The show is anchored by 15 keynote addresses and 750 speakers, and a speaking slot is so coveted that RSA receives over 10,000 submissions for those few opportunities. There are over 600 insight sessions where we can learn about the next shiny thing and the current threats, and now over 750 exhibitors demonstrating products or services, each guaranteed to solve at least one if not all of our cybersecurity problems. The implication is that the answer is in there somewhere; we just have to keep digging.

Another diagnostic trap many have fallen into is the premise that much of our problem is caused by a lack of trained, expert cybersecurity staff. This is interesting because 80% of the work involved in cybersecurity is the exact same work done today by our existing network engineers and data analysts. Cybersecurity data patterns are no more complicated or otherwise special than any other data patterns, yet we have burdened our hiring requirements with extreme qualifications that almost no one has, thereby reinforcing the diagnosis that the skills shortage is what's killing us.

One futurist in the space recently claimed that in 2019 the security talent crunch will force a shift in priorities and practices. The growing shortage of highly skilled cyber talent, estimated at up to 1.8 million unfilled jobs worldwide by 2022, will supposedly force security analysts in 2019 to focus more on strategic analysis and on implementing automated processes, to strengthen protective policies, and to invest more time educating and guiding non-technical managers and executives. None of that is bad, but none of it moves the needle on prevention or detection. Yet because he says so, it will likely become the bias from which many of us operate.

In fact, I believe the "skills shortage" has become the number one excuse companies use for failure to prevent and/or detect a security breach.

We are a long way from automating the routine diagnostic and detection tasks necessary to identify threats and defend our environments from attacks, yet we seem to be stuck in this chasm between insufficient human resources and AI. The answer is apparently far too simple to be easily accepted: if we just trained our existing network engineers and data analysts in cybersecurity fundamentals, we could close a big chunk of the "skills shortage". But that solution doesn't fit well with our diagnostic biases.

Another labeling trap is the claim that cloud computing and its intervening software layers are limiting security visibility into cloud-based servers and virtualized endpoints, setting the stage for major attacks on cloud environments that will increase in 2019. If that were true, why would we jump into cloud computing before the cloud is ready for us? It is the equivalent of driving a car known to shed its wheels at high speed without warning. Would you do that? If we can't secure the cloud yet, let's just hold off on those initiatives until the cloud providers can produce evidence that the wheels won't come off anymore.

This would of course mean that we will delay all of those productivity and cost benefits that cloud computing provides, but we will also be a lot more secure. Our other biases around our beliefs in future productivity gains and the ones we share with our Boards will likely prevent us from making that decision, however.

Our diagnostic biases around IoT are even more interesting. We keep hearing that cyber-attacks impacting the Internet of Things will grow exponentially, exceeding every enterprise's ability to manage the associated forensics and threat hunting, and that more businesses deploying more IoT devices will greatly expand the attack surface. We are told repeatedly that attack potency will also increase: many IoT devices carry no endpoint security agent, yet they routinely connect to network infrastructure.

We are warned that in 2019 this combined vulnerability will be used to cause damage inside businesses and to leak business and consumer data, and that all of these threats will bring a perfect storm of successful cyber-attacks in 2019. Yet we have done nothing apparent to address the coming apocalypse. Our historic breach record attests that the technologies, processes, tools and cybersecurity experts we have forever been pointing at these problems continue to fall short in managing and mitigating the threats.

But we soldier on, blindly insisting that the problem will disappear if we just get the right technologies lined up in the right ways. This is the definition of cognitive dissonance.

The Ponemon Institute's 2018 "Cost of a Data Breach" study found that the mean time to identify a breach in 2017 was 197 days. More than six months just to discover that a breach has occurred. Compared to the prior year, that represented a 6-day improvement (about 3%), yet we managed to spend over $114 billion globally in 2018 on information security products and services, an increase of 12.4% over 2017, according to Gartner. Now, diagnostic biases aside, I dare you to propose to your board that your new cybersecurity budget increase of 12.4% will reduce your company's risk by only 3%.

The same study found that the mean time to contain a breach was 69 days. The only interesting thing about that statistic is that I have heard experts attribute this containment problem to attackers' use of advancing artificial intelligence and machine learning to increase the stealth of their attacks, accelerate attack speed and improve their techniques (such as fileless malware), all of which help evade detection.

There is an old saw that if you say something loud enough and long enough, it becomes truth in the Universe. We need not look further than Washington D.C. to validate that theory.

This diagnostic bias is just plain silly.

Breaches are due to a failure of attacked companies to secure their fundamentals, an absence of high-functioning SIEM/SOCs, the avoidance of a risk-centric approach to threat management and an abysmal failure to teach their employees how to identify a phishing attack.

The facts are indisputable. We know from the 2018 Verizon Data Breach Investigations Report (DBIR) that ninety percent of the data breaches seen by Verizon's investigation teams have a phishing or social engineering component. Not coincidentally, one of the hottest commodities on underground and dark web marketplaces is credentials, which attackers can use to log into enterprises while appearing to be legitimate users. This hasn't happened by accident, nor is it the result of some advanced AI technology.

Phishing attacks don't require that threat actors use AI and ML. They simply require that employees remain in the dark about how to detect them. As long as we continue to believe that advanced AI and ML are what's causing our breaches, we will likely not do the simple, inexpensive education and training necessary to defend against phishing.

Hoping that artificial intelligence and machine learning can provide instant insights and recommendations that will circumvent or minimize many attacks is folly. We know, for instance, that the Chinese were behind the recent cyberattack on the Marriott hotel chain, which collected the personal details of 500 million guests and was part of an intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, dating back to at least 2014.

With regard to AI and ML, the Chinese are so far ahead of America in terms of the application of these technologies in operational cybersecurity that it should concern many more people than appear to be worried about the problem. Any advancement in the development of our own AI as it might be applied to cybersecurity defense will be met with an equally advanced and over-powering AI-driven force launched by our adversaries.

Over the course of those ten years between 1994 and 2003, all of the studies were aggregated and all of the hard data was analyzed, and the medical community concluded that SSRI drugs were clinically ineffective in the children to whom they had been prescribed. Sugar pills and Prozac had roughly the same therapeutic effect on these patients, yet psychiatrists continue to diagnose and prescribe these drugs even today.

For all of us who have never figured out why we continue to spend obscene amounts of money on cyber-defense while the frequency and impact of breaches keep rising, there is now some comfort in understanding how our reliance on flawed diagnostic biases, and the cognitive dissonance that follows, shapes our decisions and keeps suppressing the activity that would actually prevent the vast majority of cyberattacks and breaches.

What we decide to do about it will be interesting.

By Steve King, CISM, CISSP