Survivorship Bias: How to become a more thoughtful and rational cybersecurity thinker!
CyberStash
Eclipse.XDR: 24/7 Cyber Threat Defense Protection | Detection | Hunting | Incident Response | Security Automation
It's natural to believe that you have full control over your thoughts and actions. However, it's worth contemplating how frequently they're influenced by an external force. A force that operates silently within the depths of your subconscious, beyond your conscious awareness.
I recently watched a YouTube video titled '21 Mind Traps: The Ultimate Guide to Your Most Common Thinking Errors (Part 2).' After watching it, I was inspired to write a blog post about one of the 21 mind traps illustrated in the video. The particular trap I want to explore is known as 'Survivorship Bias - Focus on the Winning.'
Just for reference, I transcribed the video before exploring how cybersecurity professionals can become more thoughtful and rational in their thinking about cybersecurity, specifically by examining the concept of Survivorship Bias. In summary, being aware of Survivorship Bias is essential for cybersecurity professionals to draw meaningful insights and make informed decisions. By taking a comprehensive approach to data analysis, they can identify potential defensive gaps and take the necessary steps to protect their organizations from cyber threats.
Part 1: Transcription
During World War 2, Navy Research conducted a study of the damage done by enemy fire to aircraft that had returned from missions. They concluded that armor needed to be added to the areas with the most damage. At first, this seemed like the most reasonable course of action: "We need to place more armor where the planes are getting hit the most."
However, a mathematician by the name of Abraham Wald was quick to point out an error the researchers had made. They were researching data only from the planes that had survived their missions, and the bombers that had been shot down were not included at all. Wald proposed that they change their initial decision and do the opposite: armor the areas where the surviving planes had not been hit, as these were in fact the areas that were causing fatal damage to the other bomber planes that had not survived.
Survivorship Bias is a logical error where the data we are presented with is representative of only the subset of the population that has already survived some kind of filtering process. More simply, we tend to focus on those things that survived a process and overlook the ones that failed. People may say things like "They made much stronger and more beautiful buildings in this time and age," ignoring that this is one of the only buildings to have survived so long, and that 99% of the buildings of that time and age were probably flimsy and ugly but are now completely invisible to us. Here's another example: you move to a new town, and you see many successful restaurants in the area. You conclude that if all these restaurants are successful, you could very well do the same. What is invisible to you are all the restaurants that failed in the years prior.
When you only focus on the "winners," Survivorship Bias causes you to underestimate the challenge and overestimate your chances of success. Everywhere you look, there are successful actors and actresses. In reality, your chances are a fraction above zero of becoming successful. But no one is interested in all the failures, so the burial ground of all the failures is largely invisible to you. Society and media only focus on the winners. Try googling "Actors that never made it" or "people who failed in life after dropping out of college," and you won't have much luck finding anything useful.
For every rock star, there are thousands of people in the "cemetery of failure" who never made it. For every startup business, there are thousands of failed startups. Everyone should chase their dreams, but don't let Survivorship Bias trick you into thinking the challenge is easier than it seems. Be careful of your overly optimistic beliefs that are caused by invisible failures. Are you only focusing on the person or things that survived the process?
Part 2: How to become a more thoughtful and rational cybersecurity thinker!
In the world of cybersecurity, 'Survivorship Bias' can be especially dangerous, as it can lead to a false sense of security. Security vendors often tout the effectiveness of their products and technologies in protecting against cyber threats, but they rarely acknowledge the times when their technology has failed. This creates a skewed perception of the actual effectiveness of the technology, and can lead organizations to make poor decisions when it comes to selecting and implementing cybersecurity controls.
By focusing only on the attacks that their technology has successfully prevented, cybersecurity vendors are essentially ignoring the lessons that could be learned from the attacks that bypassed their controls. A report that acknowledges the failures of protective controls and documents how attackers were able to circumvent them in the past can be as valuable, if not more so, than a report that only emphasizes the attacks that were blocked.
It is crucial for cybersecurity vendors to remain unbiased and transparent about the limitations and failures of their technology. Only by acknowledging and learning from these failures can we truly improve our cybersecurity posture and better protect against evolving threats. As the saying goes, "Those who cannot remember the past are condemned to repeat it." The same holds true in the world of cybersecurity - we must learn from our failures in order to prevent future attacks.
So how can you become a more thoughtful and rational cybersecurity thinker?
To become a more thoughtful and rational cybersecurity thinker, it is important to be aware of survivorship bias and its potential impact on our thinking. Here are some ways to avoid falling prey to survivorship bias:
By being mindful of survivorship bias and actively seeking out a more complete picture of cybersecurity, we can become more thoughtful and rational thinkers, better equipped to navigate the complex and ever-evolving world of cybersecurity.
At CyberStash, we specialize in conducting independent forensic-depth compromise assessments to detect cyber breaches. Despite the implementation of "advanced network and endpoint" security controls, we have found that adversaries often go undetected in business environments. This observation suggests that relying solely on the most advanced cybersecurity tools, people, and processes does not guarantee protection against cyber threats. Our experience with conducting compromise assessments over the years has taught us the importance of avoiding survivorship bias. In this context the bias occurs when we judge our defenses only by the alerts a control did raise and ignore the activity it never saw: the alerts are the survivors of the detection filter, and the misses are, by definition, absent from them. Survivorship bias can therefore lead businesses to become complacent and assume that they are safe from cyber threats because they have invested in the latest and most sophisticated security controls.
Regular and independent compromise assessments are crucial in identifying and addressing breaches that may have gone unnoticed by existing security measures. This involves thoroughly examining every forensic artefact in the environment and positively validating whether it is "good" or "bad".
By taking this approach, businesses can avoid the trap of survivorship bias by focusing on identifying weaknesses and gaps in their security defenses, rather than relying solely on technology. It is important to recognize that cyber threats are constantly evolving, and no single security measure can provide complete protection against them.
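To make the contrast between an alert-driven view and a full-population review concrete, here is an added Python example; it is not part of the original post and not CyberStash's tooling. It scores a constructed set of endpoint artefacts two ways: once from the alerts a control raised, and once from an independent classification of every artefact as good or bad. The hosts, artefact kinds, labels and detection outcomes are assumptions made up for the illustration.

```python
"""Survivorship bias in detection metrics.

Added example for this post; it is not CyberStash code or output. The artefact
records are constructed sample data, and the field names, hosts and artefact
kinds are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    host: str
    kind: str        # persistence or execution artefact type (assumed taxonomy)
    malicious: bool  # ground truth from an independent forensic review (assumed)
    alerted: bool    # True if the endpoint control raised an alert on it (assumed)


# Constructed sample: 14 artefacts across five hosts. Seven are malicious; the
# endpoint control alerted on three of them plus one benign artefact.
SAMPLE = [
    Artifact("ws01", "process", malicious=True, alerted=True),
    Artifact("ws01", "scheduled_task", malicious=True, alerted=False),
    Artifact("ws01", "service", malicious=False, alerted=False),
    Artifact("ws02", "process", malicious=False, alerted=True),   # false positive
    Artifact("ws02", "autorun", malicious=False, alerted=False),
    Artifact("ws02", "scheduled_task", malicious=False, alerted=False),
    Artifact("srv01", "service", malicious=True, alerted=True),
    Artifact("srv01", "wmi_subscription", malicious=True, alerted=False),
    Artifact("srv01", "process", malicious=False, alerted=False),
    Artifact("srv02", "process", malicious=True, alerted=True),
    Artifact("srv02", "scheduled_task", malicious=True, alerted=False),
    Artifact("srv02", "autorun", malicious=False, alerted=False),
    Artifact("srv03", "wmi_subscription", malicious=True, alerted=False),
    Artifact("srv03", "process", malicious=False, alerted=False),
]


def alert_only_view(artifacts):
    """What you can compute from alerts alone: the survivors of the detection filter.

    Precision is measurable here, because every alert can be triaged. Recall is
    not: artefacts the control never alerted on are invisible to this view.
    """
    alerts = [a for a in artifacts if a.alerted]
    true_positives = sum(1 for a in alerts if a.malicious)
    return {
        "alerts": len(alerts),
        "true_positives": true_positives,
        "precision": true_positives / len(alerts) if alerts else None,
        "hosts_with_alerts": sorted({a.host for a in alerts}),
    }


def full_assessment_view(artifacts):
    """What a compromise assessment adds: every artefact classified, alerted or not.

    Recall becomes measurable, and the misses are grouped by artefact kind,
    which is the analogue of Wald's 'armor where the survivors were not hit'.
    """
    malicious = [a for a in artifacts if a.malicious]
    missed = [a for a in malicious if not a.alerted]
    detected = len(malicious) - len(missed)
    return {
        "malicious": len(malicious),
        "missed": len(missed),
        "recall": detected / len(malicious) if malicious else None,
        "missed_by_kind": Counter(a.kind for a in missed),
    }


def silent_hosts(artifacts):
    """Hosts that hold malicious artefacts but raised no alert at all.

    These look clean in an alerts dashboard; only a full review surfaces them.
    """
    alerted_hosts = {a.host for a in artifacts if a.alerted}
    compromised_hosts = {a.host for a in artifacts if a.malicious}
    return sorted(compromised_hosts - alerted_hosts)


if __name__ == "__main__":
    print("alert-only view:     ", alert_only_view(SAMPLE))
    print("full assessment view:", full_assessment_view(SAMPLE))
    print("silent hosts:        ", silent_hosts(SAMPLE))
```

On the constructed data the alert-only view reports 4 alerts, 3 true positives and 75% precision, which looks healthy. The full view shows 7 malicious artefacts, 4 of which never alerted (recall 3/7), with the misses concentrated in scheduled tasks and WMI subscriptions, and one host (srv03) that appears clean in any alerts dashboard. Precision is the survivor metric; recall is the one the survivors cannot tell you, and the breakdown of misses is what tells you where to add coverage.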
Therefore, by conducting regular and independent compromise assessments, businesses can stay ahead of potential breaches and ensure that their security defenses remain effective in the face of new and emerging threats. Indeed, CyberStash's regular and independent compromise assessments can help businesses establish and maintain trust in their IT environment. By identifying and addressing potential breaches that may have gone unnoticed by existing security measures, CyberStash's approach provides a higher level of cyber assurance.
This not only helps businesses to avoid the negative consequences of a breach, but also helps to build trust with their customers and stakeholders. Customers are increasingly aware of the risks associated with cyber threats, and they want to know that the businesses they interact with are proactively taking the necessary steps to protect their data and privacy.
By demonstrating a commitment to cybersecurity through regular compromise assessments, businesses can instil confidence in their customers and stakeholders that they take the threat of cyber breaches seriously. This, in turn, can help to build and maintain trust in their IT environment, which is essential in today's digital landscape.
In conclusion, it is crucial for businesses to remain vigilant against evolving cyber threats and to avoid the pitfalls of survivorship bias. Regular and independent compromise assessments are an essential component of any comprehensive cybersecurity strategy, as they provide businesses with the necessary visibility to detect and respond to breaches before they cause serious business impact. By being aware of Survivorship Bias, cybersecurity professionals can take a more objective and comprehensive approach to data analysis. This involves considering both successful outcomes and failures and using this information to identify weaknesses and gaps in their security defenses.
Case Studies
If you would like to review case studies drawn from recent compromise assessments, I would recommend reaching out to CyberStash. Our team of cybersecurity experts can provide valuable insights as well as practical guidance on how to mitigate potential business impact.
Through our independent forensic-depth approach, CyberStash has helped numerous businesses to identify and address potential breaches that may have gone unnoticed by existing security measures. Our expertise in conducting regular and independent compromise assessments can provide valuable insights into the effectiveness of your current cybersecurity posture, and help you to identify potential areas for improvement.