Cybersecurity’s Silent Blindspot: Unmasking the Impact of Survivor Bias

 

During a recent partner event in Malaysia, I had the privilege of listening to Mr. Anil Yadav, Head of Industry Next at AWS, as he eloquently discussed the concept of “survivor bias” and its implications on fostering an innovation mindset. I couldn’t help but draw parallels between this cognitive bias and the challenges we face in the cybersecurity domain. Let’s delve into how survivor bias can be a silent adversary in the cybersecurity landscape and the strategies to navigate around it.

What is Survivor Bias?

Survivor bias, or survivorship bias, is a logical error that arises when we concentrate solely on the entities or subjects that “survived” a particular process, inadvertently overlooking those that did not. This skewed perspective can lead to false conclusions, as we’re essentially analyzing only a subset of the data.

Drawing from a classic example, if we were to assess the durability of World War II planes based solely on the ones that returned from missions, we might conclude that areas with the least bullet holes are the most durable. In reality, planes that were shot in those areas never made it back, emphasizing the importance of reinforcing the areas with the most bullet holes.

Survivor Bias in Cybersecurity

In the realm of cybersecurity, survivor bias can manifest in various subtle yet impactful ways:

1. Overlooking Past Threats: Organizations might focus on the threats they’ve successfully mitigated, neglecting the ones that have previously breached their defenses. This can lead to a false sense of security and an underestimation of certain vulnerabilities.
2. Ignoring Silent Failures: A system’s silence isn’t necessarily indicative of its security. Survivor bias can lead organizations to prioritize systems that frequently report issues over those that remain silent, potentially missing stealthy and sophisticated attacks.
3. Misjudging Threat Intelligence: Solely focusing on the threats detected and repelled can blindside organizations to emerging threats or the severity of undetected threats.

Overcoming Survivor Bias in Cybersecurity

1. Holistic Data Analysis: Ensure a comprehensive analysis of data from both successful and unsuccessful security events. This includes studying breaches, successful attacks, and near-misses.
2. Red Team Exercises: Regularly employ red teams (ethical hackers) to test defenses. Their outsider’s perspective can uncover vulnerabilities that internal teams, due to familiarity or bias, might overlook.
3. Continuous Learning: Cultivate a culture of continuous learning. When a security incident occurs, delve deeper to understand its root cause and why it was overlooked.
4. Diverse Threat Intelligence Sources: Diversify your sources of threat intelligence. Sole reliance on a single source or only on internal data can reinforce survivor bias.
5. Feedback Loops: Establish feedback loops with all departments. Often, non-technical staff might observe anomalies that technical teams miss. Encouraging open communication can aid in early detection and mitigation.
6. Scenario Planning: Engage in “what if” scenario planning regularly. This can help teams prepare for a broader range of threats, including those they might not have previously considered.

In my two decades in the IT industry, I’ve observed that while survivor bias is a subtle and often overlooked cognitive bias, its implications in the cybersecurity domain can be profound. Recognizing its presence and actively working to counteract its effects can pave the way for a more robust and innovative cybersecurity posture.