Find Your Framework: Thinking Fast and Slow
Economist Daniel Kahneman's classic book has lessons for those in security, especially now.
In his groundbreaking book, Thinking Fast and Slow, Nobel Prize-winning economist Daniel Kahneman lays out the conflict in our minds between "the impulsive, automatic, intuitive, or System 1, and the thoughtful, deliberate, calculating System 2. As they play off against each other, their interactions determine how we think, make judgments, and act." This book summarizes years of his research into behavioral economics and demonstrates how these two thought systems can have the same inputs yet arrive at different results.
I've been thinking about this book as I talk to my colleagues in cybersecurity. Everyone is in a mad rush. The pressure is on to make changes. The new reality of having a completely remote workforce is putting immediate and acute strains on the current way of doing business. From access to endpoints, firewalls to services, enterprise operations weren't designed for this. At the same time, malicious actors are living down to their reputation and taking advantage. According to the FBI, attacks are already up.
What does "thinking fast and slow" mean in this context? For business leaders, it means that we need to be deliberate but decisive. We need to think about dependencies and implications before acting. Often, the best decision isn't the one that gets you to a destination the fastest but the one that gets you there in a reasonable amount of time with a minimum amount of risk.
There are many lessons in Kahneman's book that security leaders can use to enable employees without also enabling malicious actors.
Framing: For Kahneman, framing is all about how you present information. In the book, the author conducts an experiment in which the subjects were asked whether they would opt for surgery if the "survival" rate is 90%, while others were told that the mortality rate is 10%. Same situation, but vastly different results because of the presentation. How a security leader sets goals; quantifies results, objectives, and expectations; and presents his or her options and recommendations is the first measure of success. This is especially important at a time of massive change, when board interest is at its apex and broad organizational support is required.
Sunk costs: According to Kahneman, people tend to "throw good money after bad" in part to avoid feelings of regret. In business, this results in investing in bad projects solely because they've already been invested in. Is it more emotional, a fear of regret, or fear of being exposed to their colleagues for failure, for needing to take a new approach? Are these decisions being made, or not made, for the right reasons?
Overconfidence: If something is familiar to us, we tend to have undue confidence in what the mind believes it knows. The lesson for security leaders is that doing things as they've always been done, just bigger or faster, isn't always the best answer.
Choices: We tend to address problems in isolation. Kahneman's research shows that "when other reference points are considered, the choice of that reference point (called a frame) has a disproportionate impact on the outcome." What does that mean for the security choices we are making or not making? These decisions have so many dependencies and implications that making decisions about perimeter security, or access solutions, or firewall policy in isolation can have far-reaching negative consequences.
We all feel the pressure to act, to be an agent of change, and come through for the organization during this incredibly difficult time. Kahneman, a behavioral economist, would tell us to take emotion out of our decision-making. Easier said than done — that's why it takes work! Despite having nothing to do with our day jobs, Thinking Fast and Slow can provide a framework for better decision-making and, when we need it most, protect us from our own worst impulses.
I'd be interested to hear if there are any books that you've found yourselves thinking about in recent weeks. If so, let me know what it was and why in the comments. Thanks for reading.