Scientists at the University of Leeds recently published a report on risk perception ("Workplace autopilot threatens security risk perception"). Based upon a (relatively small) sample, researchers concluded that we as human beings are programmed in such a way that ignoring certain types of risks becomes a question of habit. It is a well-known fact that human beings overestimate certain types of risks and underestimate others. This is a valuable lesson to all awareness programs - we need to factor these "blind spots" in. But it is certainly also true that this doesn't apply just to non-experts (users and management come to mind) - it's true for us as security professionals, and we need to be very aware of this fact. One specific perception trap that we can fall into is known as illusion of control. Being intimately familiar with any type of IT Risk and knowing its true causes and effects can make us over-confident, comparable to an experienced car driver who may falsely believe he can live with less of a safety margin. Our mind seems to work on simplification, and may falsely disregard vital cues. Social behaviors and norms (also known as "peer and management pressure") can create preferences and preconceptions. Being over-confident can make us take on risks that are too big. Let us then take the time and examine our own blind spots. And I'll save all my puns on "log analysis" for another day. PS. By the way, "it happened to me" makes for nice awareness material.
↧