The psychology of passwords: adopt good password habits and you'll become a better version of yourself. Part 2

Cognitive biases influence our behaviour, including our cybersecurity posture. Let's keep studying and deconstructing biases!
In the previous article we looked at 7 biases from the list below.
- Dunning-Kruger effect
- Conservatism bias and Anchoring
- Reactance
- Confirmation bias and its effects
- Belief bias
- Availability cascade and Bandwagon effect
- Status quo bias
- Logical fallacy
- Framing effect
- Survivorship bias
- Law of triviality
- Effort justification
- Pessimism/optimism effect
- Egocentric bias
Now we will continue with the remaining 7:
Logical fallacy
Logical fallacies often manifest themselves as misinterpretations of the probabilities of events or misunderstandings of the logical connections between events. In these cases, faulty reasoning leads to incorrect conclusions.
Negative impact:
If you have never been the victim of a cyber-attack or had your information leaked online, you may mistakenly believe that hackers are not interested in you specifically and that you will not be the target of a cyber attack in the future. However, it is important to remember that mass cyber attacks are usually not selective and it is simply a coincidence that you have not been one of the victims.
How to mitigate this bias:
First, when it comes to cybersecurity, it's always worth remembering that no matter what precautions you take, they're probably not enough and won't protect you 100% against all cyberattacks. But that's no reason to ignore cybersecurity practices, as they significantly reduce risk.
If you haven't taken steps to protect your data and accounts because nothing bad has happened to you, now is the time to take those first steps. If you've already done something about your cybersecurity, don't get complacent and think you're safe - think about how you can improve your protection.
Framing effect
The framing effect is created by the way information is presented. Depending on how the same information is presented to us, we can draw completely different conclusions.
Negative impact:
Let's say you've come up with a long and strong password: when you enter it, all the necessary parameters are checked in green and the strength bar is fully green. This is commendable. But let's say you reuse it for many of your accounts. Even if the password is strong, if it is leaked from one website and an attacker uses a credential stuffing attack on other websites, you will lose access to many of the accounts where you have reused the password.
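The reuse scenario above, as an added example that is not part of the original article: a toy strength meter gives the password a full score, while a reuse audit of the same vault shows how many other accounts fall if one site leaks it. The site names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault (hypothetical sites and passwords, not real data).
SAMPLE_VAULT = {
    "mail.example": "Tr7!vequ-Lanthorn-42",
    "shop.example": "Tr7!vequ-Lanthorn-42",
    "forum.example": "Tr7!vequ-Lanthorn-42",
    "bank.example": "x9#Qm2-parsley-Ridge",
}

def meter_score(password):
    """Toy sign-up-form meter: one point for length >= 12, one per character class."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return int(len(password) >= 12) + sum(classes)  # 5 means "fully green"

def reuse_groups(vault, key):
    """Group sites that share a password, comparing keyed digests, not plaintext."""
    groups = defaultdict(list)
    for site, password in vault.items():
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(site)
    shared = [sorted(sites) for sites in groups.values() if len(sites) > 1]
    return sorted(shared, key=len, reverse=True)

def exposure_if_leaked(vault, leaked_site):
    """Other accounts that accept the credentials leaked from one site."""
    leaked = vault[leaked_site].encode("utf-8")
    return sorted(
        site for site, password in vault.items()
        if site != leaked_site
        and hmac.compare_digest(password.encode("utf-8"), leaked)
    )

if __name__ == "__main__":
    key = os.urandom(32)  # per-run key, so digests are useless outside this run
    for site, password in SAMPLE_VAULT.items():
        print(f"{site}: meter {meter_score(password)}/5, "
              f"exposed with it: {exposure_if_leaked(SAMPLE_VAULT, site)}")
    print("reuse groups:", reuse_groups(SAMPLE_VAULT, key))
```

Every password in the sample scores 5/5 on the meter, yet a leak from any of the three sites sharing one password exposes the other two; only the account with a unique password has no exposure.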
Here is another example. Multi-factor authentication can be presented as "an extra layer of protection" or with the message "without MFA, your accounts are at high risk". Which of these motivates you to enable it?
How to mitigate this bias:
As with other biases, awareness and critical thinking will help. Do research, look at issues from different angles, discuss with experts.
Survivorship bias
Survivorship bias occurs when information about cases that survive is generally available, while information about cases with a tragic outcome is either unavailable or incomplete.
Negative impact:
How often do you see news about companies that have been cyber-attacked and gone bankrupt? More often than not, we see news about large, strong companies that have the strength to survive a cyber attack and are able to restore their operations. However, 60% of small businesses close within six months of a cyber attack.
How to mitigate this bias:
Remember that it is usually the most high-profile cases that appear in the mass media. Many incidents either go unnoticed or are simply swept under the carpet.
If you are planning to open a business, it is worthwhile to involve an IT and cybersecurity specialist at the planning stage to correctly build the architecture of the applications that you will use. This will significantly reduce risks. If you have already opened your business, it is worth undergoing an audit or consulting IT professionals. There are many IT consultants on the market specialising in SMBs, including our company.
Law of triviality
This law (also known as Bikeshedding) states that people tend to focus on small, simple issues while ignoring more important, complex problems. It is typically applied to organisations, but can also be applied to group decisions. In cybersecurity, this can lead to poor decision making and misplaced priorities.
Negative impact:
For example, a company spends weeks debating whether their password policy should require 12 or 14 characters, while many employees don’t use Multi-Factor Authentication (MFA) at all. Or a company spends months comparing cybersecurity tools, but doesn't train employees to spot phishing attacks.
How to mitigate this bias:
The best approach is to prioritise high-impact security measures (MFA, password managers, security training) rather than small, low-impact debates. It is also worth auditing the company's cybersecurity system, identifying weaknesses and risks, and assessing the potential damage should the risks materialise. Then cybersecurity planning will be rational and effective.
Effort justification
This bias is a preconceived (overestimated) evaluation of something we put our effort into. You may have heard of the IKEA effect, where customers value furniture they have assembled themselves more highly.
Negative impact:
For example, your current password manager lacks some features. But this bias leads you to keep using it because you have already set it up and filled in the data, and switching to a new password manager seems like too much trouble. Or worse, you keep your login information in a paper notebook that you have spent time and effort filling out, so you refuse to get a password manager app.
In a corporate environment, this bias can have a negative impact on upgrading the IT system or moving to new, more efficient and reliable software.
How to mitigate this bias:
The first thing to try is to reassess the new item that you want to switch to in place of the one you are currently using. User reviews can help with this.
When your evaluation of the new item has grown to the point where the idea of switching is no longer repulsive, try to analyse what benefits you will gain from using the new item and how much its features will simplify your life compared to the pains the old item causes. After such a visualisation, it will be easier for you to switch to the new item.
In a corporate environment, carefully assess the features of the new software against those of the current software, and estimate the implementation costs and return on investment.
Pessimism/optimism effect
Pessimism bias is the tendency to overestimate negative consequences and underestimate positive ones. Optimism bias, on the other hand, leads us to underestimate negative consequences and overestimate positive ones.
Negative impact:
Surprisingly, both can lead to the same biased conclusion: "I do not do anything to protect my data because I am sure that a cyber attack is an unlikely event that will pass me by" or "I do not do anything to protect my data because sooner or later a cyber attack will happen and there is no way to protect myself from it".
How to mitigate this bias:
Bad news: To prevent these biases from influencing your behaviour and paralysing your endeavours, you need to try to play the role of a realist.
This can be done by finding a reference that fits your case. For example, a review of how someone switched from the same item you are currently using to a new item you are considering using. There are many catalogue sites where you can compare the options of different products, including software. Try to compare the alternatives objectively.
To get a more complete picture, if you are an optimist, try to think through the negatives, and if you are a pessimist, do not forget to look at the positives.
Egocentric bias
The egocentric bias makes us believe that our own judgement is more objective and that we're less prone to bias than others. This bias also leads to many misunderstandings when communicating and interacting with other people.
Negative impact:
You may have noticed that many cybersecurity recommendations seem excessive or even unnecessary. It is also possible that something is indeed a bit extreme. But how would you know that these recommendations are useless unless you are a cybersecurity expert with a lot of experience?
Cybersecurity recommendations and best practices are not designed to make your life more difficult, but to make your data as safe as possible in the risky online environment.
How to mitigate this bias:
Self-awareness is a must! It is also necessary to distance yourself a little from your beliefs and look at them from the outside, along with alternative points of view. Give yourself more time to think when it comes to decisions. It is not for nothing that they say: the night brings counsel.
Overcoming cognitive biases is a big and difficult task, regardless of the area in which they manifest themselves. But the effort to work on yourself really does pay off.
We try to promote cybersecurity as something useful and accessible to everyone. Sometimes following the rules of cybersecurity and password management may seem tedious, but we 100% support and encourage you on this journey. Keep up the good work!