Subscribe to the O'Reilly Security Podcast to examine the challenges and opportunities for security practitioners, with a focus on the people on the frontlines of security, working to build better defenses. Find us on Stitcher, iTunes, SoundCloud, RSS.

In this episode, I talk with Kelly Shortridge, detection product manager at BAE Systems Applied Intelligence. We talk about how common cognitive biases apply to security roles, how decision trees can help security practitioners overcome assumptions and build more dynamic defenses, and how combining security and UX could lead to a more secure future.

Here are some highlights:


How the win-or-lose mindset affects defenders’ decision-making

Prospect theory asserts that how we make decisions depends on whether we’re in the domain of gains mindset or the domain of losses mindset. An appropriate analogy is to compare how gamblers make decisions. When gamblers are in the hole, they’re a lot more likely to make risky decisions. They’re trying to recoup their losses and reason they can do that by making a big leap, even if it’s unlikely to succeed. In reality, it would be better if they either cut their losses or made smaller, safer bets. But gamblers often don’t see things that way because they’re operating in a domain of losses mindset, which is also true of many security defenders. Defenders, for the most part, manifest biases that make them willing to make riskier decisions. They’re more willing to implement solutions against a 1% likelihood of attack rather than implementing the basics—like two-factor authentication, good server hygiene, and network segmentation. We see a lot more defenders buying those really niche tools because, in my view, they’re trying to get back to the status quo. They’re willing to spend millions on incident response, particularly if they’ve just experienced an acute loss, like a data breach. If they had spent those millions on basic controls, they likely wouldn’t have had that breach in the first place.

Planning dynamic defenses and overcoming assumptions with decision trees

Defenders frequently have static strategies. They aren’t necessarily thinking next steps in how attackers will respond if they implement two-factor authentication, antivirus software, or whitelisting. Decision trees codify your thinking and encourage you to figure out how an attacker might respond to or try to work around your initial defenses, not just your first step. Different branches show how you think an attacker could move throughout your network to get to their end goal. By including your defensive strategies and the probability of success for each, you’re essentially documenting your assumptions about how likely your defensive tools are to work, and how likely attackers are to use certain moves. That means if you have a breach or incident, or if you get new data on attacker groups, you can start to refine your model. You can identify where your assumptions might have fallen through. It keeps you honest with tangible metrics, which is important in addressing cognitive biases. Knowing where you failed improves your defenses. It shows how your assumptions need to be tweaked.
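A small worked version of the decision tree described in that highlight, added here as an example and not code from the podcast or from Kelly Shortridge. Each node is an attacker move guarded by a control, with the defender's assumed probability that the control stops the move and the assumed probability that the attacker picks that branch. The tree gives the probability the attacker reaches the end goal, shows how the number shifts when one assumption is revised after an incident (here, learning that two-factor authentication was bypassed), and ranks controls by how much the outcome depends on each one. The move names, control names, and every probability are constructed assumptions for illustration, not measured data.

```python
import copy
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Move:
    """One attacker move. The defender records the control they expect to
    stop it and their current belief about how often it does."""
    name: str
    control: str             # control assumed to stop this move
    p_control_works: float   # assumed probability the control stops the move
    p_attacker_picks: float  # assumed probability attacker picks this branch among its siblings
    children: List["Move"] = field(default_factory=list)
    goal: bool = False       # reaching this move means the attacker achieved the end goal


def p_reaches_goal(options: List[Move]) -> float:
    """Probability that an attacker choosing among `options` eventually reaches a goal node.
    A move succeeds only if its control fails; a goal move then ends the path, otherwise
    the attacker picks among the move's children."""
    total = 0.0
    for m in options:
        onward = 1.0 if m.goal else p_reaches_goal(m.children)
        total += m.p_attacker_picks * (1.0 - m.p_control_works) * onward
    return total


def set_control(options: List[Move], control: str, p_works: float) -> List[Move]:
    """Return a copy of the tree with every move guarded by `control` updated to a
    new assumed effectiveness, e.g. after an incident showed the control being bypassed."""
    tree = copy.deepcopy(options)
    stack = list(tree)
    while stack:
        m = stack.pop()
        if m.control == control:
            m.p_control_works = p_works
        stack.extend(m.children)
    return tree


def rank_controls_by_dependence(options: List[Move]) -> List[Tuple[str, float]]:
    """For each control, assume it fails completely and recompute attacker success.
    The controls whose failure moves the number most are the assumptions to validate first."""
    controls = set()
    stack = list(options)
    while stack:
        m = stack.pop()
        controls.add(m.control)
        stack.extend(m.children)
    ranked = [(c, p_reaches_goal(set_control(options, c, 0.0))) for c in sorted(controls)]
    return sorted(ranked, key=lambda cp: cp[1], reverse=True)


def lateral_then_exfil() -> Move:
    # Constructed subtree reused under every initial-access branch; all numbers are assumptions.
    exfil = Move("exfiltrate data", "egress monitoring", 0.3, 1.0, goal=True)
    return Move("lateral movement", "network segmentation", 0.6, 1.0, [exfil])


def build_tree() -> List[Move]:
    """Constructed example tree: two initial-access routes, one of which branches."""
    cred_reuse = Move("reuse phished credentials", "2FA", 0.9, 0.7, [lateral_then_exfil()])
    malware = Move("run malicious attachment", "application whitelisting", 0.8, 0.3, [lateral_then_exfil()])
    phishing = Move("phishing email", "mail filtering and user training", 0.5, 0.6, [cred_reuse, malware])
    exploit = Move("exploit exposed service", "patching", 0.7, 0.4, [lateral_then_exfil()])
    return [phishing, exploit]


if __name__ == "__main__":
    tree = build_tree()
    print(f"baseline P(attacker reaches goal): {p_reaches_goal(tree):.4f}")
    revised = set_control(tree, "2FA", 0.5)
    print(f"after learning 2FA is bypassed half the time: {p_reaches_goal(revised):.4f}")
    for control, p in rank_controls_by_dependence(tree):
        print(f"  if '{control}' fails completely: {p:.4f}")
```

The dependence ranking is the part that keeps you honest: with these made-up numbers the model says the outcome hinges most on patching and network segmentation, the basic controls, rather than on any single niche tool. Replacing an assumed probability with one observed in an incident or a purple-team exercise is the refinement step the highlight describes.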

Why security needs UX—and vice versa