Action Bias and the Two Most Dangerous Words in Cybersecurity

Josiah Dykstra
Cybersecurity Collaboration Center
National Security Agency

Friday, October 8, 2021
remotely via WebEx

Recording of Talk.


Most cybersecurity professionals acknowledge that achieving perfect security is impossible. Yet, they nobly strive for perfection as the ultimate goal and feel loss, failure, and regret when incidents inevitably occur. Human instinct, especially in reaction to crisis or catastrophe, is to react and respond forcefully and immediately.

In this presentation, we will talk about action bias and when immediate action is appropriate and when it is counterproductive. Behavioral science has demonstrated that action bias can lead to wasteful spending and suboptimal outcomes. We will describe how action bias impacts users, security professionals, and leaders. Users display action bias, such as demanding password resets and virus scans when they think they’ve been hacked, even when there is no evidence of it—a feature attackers exploit in phishing expeditions. CISOs and other security leaders exhibit action bias following a breach or attack when they act quickly based on a sense of urgency and a need for control, rather than applying deliberate analysis, even if the cost of proposed defenses outweighs the value or the loss. We present countermeasures to temper the occurrence and effects of action bias based on the findings of behavioral science.

While there is no cure for cognitive bias, tools such as “pre-flight” checklists and pre-mortems (as used in risk management) can mitigate the dangers of action bias. Using these tools, the cybersecurity community can evolve to address the two most dangerous words in cybersecurity—“never again”—uttered in desperation even when incidents reoccur. As a result, we can be rationally prepared to make unbiased decisions.

About the Speaker:

Josiah Dykstra is a Technical Fellow at NSA where he collaborates with industry on cybersecurity. In 2013, he earned his PhD in computer science from UMBC studying cloud forensics with Dr. Sherman.


Alan T. Sherman,

Upcoming CDL Meetings:

Oct 22, TBA

Nov 5, David Chaum and Bart Preneel, VoteXX

Nov 19, Michael Oehler, What the FLoC

Dec 3, TBA


Support for this event was provided in part by the National Science Foundation under SFS grant DGE-1753681.

The UMBC Cyber Defense Lab meets biweekly Fridays 12-1pm. All meetings are open to the public.