Normalcy Bias

In cybersecurity, I deal with a lot of human attitudes and emotions. It is part of the job. It is why I get paid to help executives bring about a safe and successful cybersecurity posture to protect themselves, their company and their customers. One of the strange things that happens to people is something called normalcy bias.

Have you ever been in a situation where disaster was impending and the people around you did not take it seriously? Have you ever been in a building during a fire, with the alarm blaring in your ears? What do most people do? They sit around and look at each other, not quite believing that there is impending doom. This is part of human nature.

Why This Happens

This happens quite frequently. When a major hurricane is heading for a part of the US, people either do not move out of its way or, even worse, hold hurricane parties, wanting to stay put and “ride it out.” Surfers go to the beach to get the really good waves from the hurricane. During the eruption of Mt. Vesuvius in ancient Pompeii, there were many hours to get out of the way, but people just stayed, letting the eventual tidal wave of ash and lava consume them after it was too late to run.

People simply do not take disaster seriously. This is a psychological phenomenon called normalcy bias. It is the belief that things are not going to be that bad, a refusal to accept impending doom. It is said that 70% of people are affected by normalcy bias.

Normalcy Bias and Cybersecurity

There may be no area of disaster where normalcy bias is on better display than cybersecurity events. There is an implicit belief that “it can’t happen to me.” The reality is not that it can happen to you; it will happen to you, and there is also a good chance that it has already happened and you do not know about it yet. See this article about this very issue (FBI statement).

So, while the rest of the world goes about its business and lets disaster strike, you can and should be prepared with a policy set that readies you to deal with disaster before it strikes. One of the most important components of that preparation is an actual security posture that says, “this is what a cybersecurity event looks like, and this is what my response should be.” The last thing you need is to be deciding in the heat of the moment what is and isn’t a disaster worth worrying about.

This last issue is an important one and is often overlooked by all parties involved, including cybersecurity professionals themselves. Having these issues hashed out in advance is what separates a good response from a failed one. Get prepared and start designing these elements into your cybersecurity posture today.
