Illusion of Invulnerability

Christopher Eaton | November 22nd, 2024

One aspect of the human condition, which some researchers claim is an innate function of our brains, is the ‘neurophysiological [concept] of optimism bias,’ also termed ‘the illusion of invulnerability.’ What this means is that most people overestimate the likelihood that their experiences will be positive and underestimate potential suffering or calamity (1). While favoring optimism typically leads to a healthier, lower-stress life than constant pessimism, the associated bias can cause people to wait until something bad happens before preparing for it (2). If the expectation is that all will be well, considerations for things that may not go so well tend to slip through the cracks.

When this phenomenon is considered in the realm of security—both physical and cyber—the significance of associated challenges bubbles to the surface.

For example, ConsumerAffairs reported that only 28% of U.S. homes with internet access also “pay for a security service, and 10% have a DIY security system,” which may include flood lights, motion sensors, or a guard dog (3). A primary reason homeowners ultimately decide to purchase a system is to secure their future after their property is broken into or something nefarious happens in the neighborhood.

What’s surprising about the nature of ‘after-the-fact’ home security conversions is that it seems to ignore a few facts: 1) criminals are malicious, opportunistic, and tend to target unprotected homes; 2) the people and things most valued live or are stored inside the house; and 3) it’s not a matter of if it happens, but when.

Even convicted burglars echo these sentiments. Research from the University of North Carolina at Charlotte that surveyed over 400 lawbreakers found that only 13% “would always continue with the burglary attempt” upon discovering or suspecting the presence of a security system (4). This does not necessarily mean the other 87% would not complete a robbery, just that they would move to a less protected target. Perhaps one that is primarily guarded by optimism.

Beyond this, why do some homeowners decide not to buy a home security system at all? According to research from Cove, a provider of such systems, there are four main reasons, with respondents sometimes indicating more than one: “Too expensive” (51%), “Crime isn’t a problem where I live” (31%), “I own a dog” (26%), and “I don’t want to be locked into a contract” (5).

To someone without optimism bias, none of these reasons would trump the truths that no price is too high to pay for the safety of family and loved ones, that dangers are ubiquitous and nowhere is entirely safe, that dogs can be outsmarted, and that simple locks are easily unlocked or broken. Locks, dogs, and motion-sensitive lights are great to have as components of security, but the fact of the matter is they are simply not enough to provide optimal protection.

And if you are not home to add further deterrence, the system is only as powerful as the response behind it, whether a loud alarm that notifies neighbors or a direct line to the local police. If a human being is not around to respond, the efficacy of the tool significantly diminishes.

This same basic story is true of one’s place of business and cyber threats. A lot of business owners and employees doubt they will be the next victim of a cyberattack. After all, they think, we are just one of 33 million U.S. businesses—no threat actor will find us (6).

Well…

Say that to the countless businesses affected by malicious activity, including ransomware. Or the tens of millions of individuals whose personal data was stolen and leaked last year following a data breach.

The Cybersecurity Defense Landscape

There are various tools available that can detect and respond to a host of known threats, and innumerable assessments to measure an organization’s current level of cyber risk. Reasons for not investing in cybersecurity—it is an investment, not just an expenditure—resemble those for not installing home security: it is too expensive, the return on investment (ROI) is not easily measured, our current practices are good enough, it is too complex (7). It turns out that businesses, particularly small and medium-sized ones, prioritize procuring financial and productivity software over developing a security program (8). While this is understandable for tight budgets, the risk of forgoing an optimized security posture cannot be overstated.

Optimism bias and the illusion of invulnerability appear to be playing at least some role in explaining why cybersecurity is lacking in certain environments. IT firm Spiceworks notes that “81% of businesses are not fully confident in their technology stack’s ability to support the needs of hybrid and remote employees” which includes cyber defenses (9). If organizational leaders do not believe in the efficacy of their current equipment and fail to remedy that gap with enhanced investments, it is likely their lack of confidence will be validated.

Fortunately, there are cybersecurity solutions available to help businesses with any budget and at their current stage of the journey toward cyber maturity. Businesses seeking to assess their cyber strength and remediate any discovered weaknesses may want to deploy a low-intensity cybersecurity health check. To strengthen the highest-leverage and often-cited weakest link in cybersecurity—the non-malicious, individual employee—managed security awareness training might be the best option. For organizations that do not want to take any chances and want all of their endpoints and email tenants monitored on a 24/7/365 basis by an experienced team that can also remediate threats in real time, Security Operations Center as a Service is available.

A door provides meaningful security. A door with a deadbolt is better. A locked door flanked by a Ring security system with a loud alarm, backed by a loyal dog, and supported by a team actively monitoring for property breaches who can immediately engage law enforcement to respond quickly is even better.

Do not rely on crossed fingers. Instead, engage with a cybersecurity company like SpearTip that can offer meaningful solutions to your cyber gaps so you can focus all your valid optimism on growing your business.

  1. Dricu, Mihai, et al. “Chapter 3 – The neurophysiological basis of optimism bias.” Cognitive Biases in Health and Psychiatric Disorders, Academic Press, 2020, Pages 41-70, https://doi.org/10.1016/B978-0-12-816660-4.00003-9.
  2. Prater J, Kirytopoulos K, Ma T. Optimism bias within the project management context: a systematic quantitative literature review. Int J Manag Proj Bus. 2017;10(2): 370-385. doi:10.1108/IJMPB-07-2016-006
  3. Brumberg, Robby, and Nyahne Bergeron. Home Security Statistics 2024 | ConsumerAffairs®. 20 Mar. 2024, https://www.consumeraffairs.com/homeowners/home-security-statistics.html.
  4. University of North Carolina at Charlotte. “Through the eyes of a burglar: Study provides insights on habits and motivations, importance of security.” ScienceDaily. ScienceDaily, 16 May 2013. <sciencedaily.com/releases/2013/05/130516160916.htm>.
  5. The Security Gap: Why Don’t People Have a Home Security System? 18 Jan. 2024, https://www.covesmart.com/resources/diy-home-security/the-security-gap-why-don-t-people-have-a-home-security-system/#:~:text=Top%20Reasons%20People%20Don’t%20Own%20a%20Security%20System&text=Here%20are%20the%20top%20four,my%20dog%20to%20deter%20burglars.
  6. U.S. Small Business Administration. “Frequently Asked Questions About Small Business, 2023.” Office of Advocacy, 7 Mar. 2023, https://advocacy.sba.gov/2023/03/07/frequently-asked-questions-about-small-business-2023/.
  7. Lake Ridge. “4 Reasons Small Business Doesn’t Invest in Cybersecurity.” Lake Ridge, https://lakeridge.io/4-reasons-companies-dont-invest-in-cybersecurity.
  8. Turner, Jack. “Less Than Half of Large US Businesses Investing in Cybersecurity Despite Major Concern.” Tech.co, 18 Aug. 2022, https://tech.co/news/businesses-fail-cybersecurity.
  9. “Everything IT – Community, Insights, Research and Tools – Spiceworks.” Spiceworks Inc, https://www.spiceworks.com/.
