White Box Cybersecurity, Because You Have Cognitive Biases
To be able to make decisions is to have cognitive biases. Even artificial intelligence (AI) platforms have biases.
Biases are the price systems pay for making quick decisions without spending time and effort on decision-making.
Let's start with the basics. From a statistical modeling perspective, bias occurs when a mathematical model, typically a regression line, does not fit one set of data as well as it fits another. The result is increased error. In business terms, you probably would not build a marketing campaign for a product that appeals equally well to women and men, or to the "have and have-yachts." You would get good results in the intended target group and no results (i.e., you wasted money) in the non-target group.
Same thing in AI. It is a fact that your AI model is trained on one sample, and when it is applied to other samples it will not perform as well. The less-effective result is due to statistical bias. (Remember, AI is math.)
Let's get back to humans. Two types of biases affect decision-making among leaders.
First we have plain ol' overconfidence. This is the over-estimation of one's capacity relative to one's actual capacity. For a leader, this usually plays out along the lines of: I've led this type of process or organization before, I can do it again even better! Or as investment guru Peter Lynch put it: “Invest in businesses any idiot could run because someday one will.”
Second, we have the "Dunning-Kruger effect." As our friend Barry Conchie puts it: "With cybersecurity most execs don’t know what they don’t know, yet project much more knowledge and awareness than they have."
Both technical and non-technical leaders can have biases. Try a thought experiment: what if both the CIO and the CEO are overconfident? You could see that play out as being under-prepared for black box AI threats, or for threats from poorly paid associates taking bribes while providing cyber-related info (hello Coinbase!) that the system doesn't catch, or as believing that annual spam email training solves cybersecurity issues.
What if both the CIO and the CEO are deluded in line with the Dunning-Kruger effect? The CEO won't bother to clarify what their cybersecurity plan does or why it costs so much, and the CIO believes that this cybersecurity process is consistent with what the board and C-suite want.
Isn't this mis-alignment and mis-spending worth checking out?
Ask us how Pythia Cyber can help you create better calibration without bias in your leadership cybersecurity decision-making process. Make sure you have unbiased knowledge about white box cybersecurity.
Image design: John Manoogian III; categories and descriptions: Buster Benson; implementation: TilmannR. This file was derived from: The Cognitive Bias Codex - 180+ biases, designed by John Manoogian III (jm3).png, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=69756809