Hackers and Information Cascades
Cyber security has always been a complicated topic in society. Everyone understands the importance of being secure and the danger of being hacked or having one’s identity stolen, but how do hackers actually get our information? Recent news of the Equifax data breach, Uber’s data breach, and many more company failures raises the question: why does this keep happening? Surely, with the amount of money these tech giants have, they should be able to fend off cyber threats.
One of the main reasons is bias. According to a famous study conducted at Stanford University, people tend to overestimate their own abilities, which is known as illusory superiority bias. In the study, 87% of MBA students ranked themselves above the median and 93% of them ranked their driving skills above the median population. Illusory superiority bias does not apply only to basic intellectual abilities; it also translates to cyber security. A study conducted by Friedrich-Alexander University in Germany showcased another example of it. According to this study, 78% of participants claimed they understood the dangers of clicking on unknown links, but 45% of these same participants actually clicked on a malicious link when sent a fake phishing email.
Along with illusory superiority bias, cyber security sectors also fall victim to normalcy bias, which occurs when people assume a disaster will never happen because it has not happened to them yet. These two biases are the primary reasons for the cyber security failures so often seen in the news today. Those in charge of cyber security believe that their security measures are good enough to stop attacks and that an attack will likely never happen because attacks are naturally infrequent. According to this article, these biases tend to spread throughout the cyber security divisions within companies through information cascades. New and current cyber security workers who normally have good security practices can be tainted by more seasoned workers who suffer from these biases and poor practices. Inexperienced workers observe their seniors’ practices and slowly develop the same bad habits, which eventually lead to poor company security.
As we have learned in class, information cascades occur when people imitate each other because they are trying to take into account what the other people know, despite having their own private information. In this cyber security example, the information cascade involving poor security practice starts very easily and with very little genuine merit, which leads to whole security divisions adopting these “wrong” practices and ends up endangering the company. Although each worker, independently, has the intelligence and mindset to work with good practices, observing others causes the group to follow the poor path it has observed.
Overall, this article demonstrates how information cascades affect real-life scenarios and are dangerously common. Although we covered a simplified urn example in class, the urn can be exchanged, in this example, for good cyber security practices, which tend to corrupt easily through these information cascades as workers view other workers’ poor habits.
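The cascade described in the last two paragraphs, worked through as an added example (not code from the article or the class). It assumes the usual simplified urn setup: each worker's private judgement about a practice is right with probability q = 2/3, the prior is 50/50, workers see earlier actions but not earlier signals, and a tie is broken by following one's own signal. All names are hypothetical.

```python
from fractions import Fraction

ADOPT, REJECT = 1, -1  # a worker's private signal, and also their visible action

def simulate(signals):
    """Sequential decisions over private signals (list of ADOPT/REJECT).

    Returns (actions, cascade_start); cascade_start is the index of the first
    worker whose action no longer depends on their own signal, or None.
    """
    net = 0  # public evidence: signals inferred from earlier actions
    actions, cascade_start = [], None
    for i, signal in enumerate(signals):
        if abs(net) >= 2:
            # Two net inferred signals outweigh any one private signal.
            action = ADOPT if net > 0 else REJECT
            if cascade_start is None:
                cascade_start = i
            # An imitated action reveals nothing, so net stays frozen.
        else:
            action = signal  # own signal decides (assumed tie-break rule)
            net += signal    # observers can read the signal off the action
        actions.append(action)
    return actions, cascade_start

def posterior_sound(net, q=Fraction(2, 3)):
    """Belief that the practice is sound given net public signals (prior 1/2)."""
    return q**net / (q**net + (1 - q)**net)

def wrong_cascade_probability(q=Fraction(2, 3)):
    """Chance an unlimited line of workers locks onto the wrong choice."""
    w = 1 - q
    return w * w / (w * w + q * q)

if __name__ == "__main__":
    # Constructed input: two senior workers judge a risky shortcut acceptable,
    # then four newcomers each privately judge it unsafe.
    seniors_then_juniors = [ADOPT, ADOPT, REJECT, REJECT, REJECT, REJECT]
    actions, start = simulate(seniors_then_juniors)
    print("actions:", actions, "cascade starts at worker", start)
    print("belief after two adopters:", posterior_sound(2))
    print("P(wrong cascade):", wrong_cascade_probability())
```

In the constructed run every newcomer adopts the shortcut even though all four privately judged it unsafe, because their actions stop adding evidence once the cascade starts.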
http://www.huffingtonpost.co.uk/entry/the-psychology-of-cyber-security-how-hackers-exploit-human-bias_uk_5a159c0ce4b0815d3ce65bbd