As cyber threats evolve and grow in complexity, so must our defence strategies. One critical tool in our cybersecurity arsenal is conducting regular cyber assessments, which can provide management or the board valuable visibility into their cyber posture. However, an often-overlooked challenge when carrying out internal assessments is the influence of optimism bias. This psychological tendency compels individuals to believe they are less likely to experience adverse events than others.
“Marking your own homework” is not a sound policy, as highlighted by a recent report from the Australian National Audit Office (ANAO) and the Auditor-General, which identified issues with Federal Government agencies’ internal cyber assessments and optimism bias.
Mr Julian Hill, MP, Chair of the Joint Committee of Public Accounts and Audit, stated, “The Auditor-General has identified a persistent optimism bias in how agencies self-report their cyber security compliance,” adding, “Agencies should not be able to disguise the true situation from the Government in relation to public sector cyber security vulnerabilities.”
While the Auditor-General’s report specifically addresses Federal Government agencies, Secure State sees this same issue in many private organisations and state-based government agencies.
Risk assessments often underestimate the likelihood and impact of threats while overstating the effectiveness of the mitigation strategies employed. Many organisations do not possess the appropriate skill set or experience to conduct cyber risk assessments without the assistance of independent third-party expertise.
An Objective Eye
An independent cyber assessment is an intensive and thorough examination of an organisation’s cybersecurity structure conducted by external, impartial professionals.
The crux of an independent assessment’s value lies in its objectivity. Being performed by third-party experts, these assessments provide a clear, unbiased evaluation of an organisation’s cybersecurity, a perspective that might be missed by an internal team. Independent cyber assessments bring a wealth of knowledge, niche expertise, and a familiarity with best practices that could otherwise be inaccessible to an organisation.
Another substantial benefit is the proactive approach these assessments facilitate. By identifying vulnerabilities before they become the targets of a cyber-attack, organisations can prevent financial and reputational damages that would follow a breach. Independent assessments allow organisations to be a step ahead in the ever-changing cybersecurity landscape.
Rose-Coloured Glasses
In cybersecurity, optimism bias can result in organisations underestimating their vulnerability to a cyber-attack. The “It won’t happen to us” mentality can lead to less than adequate investment in robust security measures and even ignoring identified weaknesses, ultimately putting the organisation at significant risk.
Addressing optimism bias involves an organisation-wide commitment to acknowledging the reality of cyber threats. Regular, transparent communication about potential risks, their implications, and the importance of cybersecurity best practices can play a role in mitigating this bias. Additionally, it is crucial to leverage data to drive decision-making. Concrete, factual data about the frequency and impact of cyber-attacks can serve as a valuable reality check, effectively combating unfounded optimism.
Bridging Independent Assessments and Realism
Organisations need to acknowledge potential risks and employ proactive measures, like independent cyber assessments, to create a robust and effective cybersecurity strategy. However, organisations must also confront and mitigate the optimism bias prevalent in internal assessments to fully benefit from these measures.
Secure State Consultants combine independent cyber assessments with a realistic understanding of cyber threats to help build a potent strategy for any organisation aiming to enhance its cyber resilience. We deliver impartial, expert advice and maintain a grounded perception of cyber threats, while providing industry best-practice mitigation and sustainment services.
Article by
Kym Welsby
Head of Strategy
[email protected]