Hidden Threats: The Ostrich Effect and Survivorship Bias in Cybersecurity
Brian Fox, CTO and Co-founder of Sonatype, Inc., sheds light on a growing cybersecurity threat: malicious components intentionally injected into the software supply chain. These components are designed to cause immediate harm, posing a danger distinct from well-known vulnerabilities in open-source software such as Log4Shell.
The Ostriches of Cybersecurity:
The "ostrich effect" explains why organizations often ignore this new threat. It refers to the tendency to avoid unpleasant information, much like ostriches are believed to bury their heads in the sand to avoid danger. In cybersecurity, this translates to leaders ignoring data that reveals a significant rise in malicious component attacks. They dismiss it as an "edge case" not relevant to their organization and take no action.
Furthermore, organizations cling to their existing security tools, believing they offer sufficient protection. However, these tools are often unable to detect malicious components, which operate like "smash-and-grab" attacks without prior notice or traditional vulnerability disclosure.
The discomfort of exploring new, potentially complex risks leads to dangerous complacency. While it's achievable to assess how many malicious components have been consumed, many leaders choose to avoid this proactive approach, effectively burying their heads in the sand.
The Survivorship Bias:
Survivorship bias occurs when we focus solely on the entities that survived while ignoring those that failed, leading to skewed conclusions. In the famous WWII example, analysts examined bullet holes on returning planes and proposed reinforcing the areas with the most holes. Abraham Wald recognized that planes hit in the areas showing no holes were the ones actually shot down, and so never appeared in the data.
In cybersecurity, this bias causes organizations to focus on the vulnerabilities their existing tools identify, much like examining bullet holes on returning planes. The unseen malicious components are like the critical damage on downed aircraft: undetected and unaddressed.
This creates a false sense of security, as organizations only see the problems that have not yet caused catastrophic failure. They believe they are well-protected because nothing bad has happened yet, ignoring the real threats hiding in plain sight.
The Combined Impact:
The ostrich effect and survivorship bias combine to create a significant gap in cybersecurity defenses, leading to:
Inadequate Threat Response: Organizations fail to address the full spectrum of threats, leaving them vulnerable to malicious components that could cause severe damage.
Reactive Approach: They wait until they are forced to confront a problem, often after a breach, instead of proactively seeking and addressing hidden threats.
Resource Misallocation: They focus resources on visible, less critical issues while ignoring the more dangerous, unseen threats, leading to inefficient use of time and money.
Moving Towards Effective Cybersecurity Practices:
To combat these biases, organizations need to adopt a more proactive and holistic approach to cybersecurity:
Continuous Learning: Regular education equips security teams with the knowledge to understand and address both vulnerabilities and malicious components. Staying updated on the latest threats and detection methods is crucial and should be embedded into the organizational culture.
Diverse Tools: While consolidation of the tech stack can be beneficial, it should not leave organizations exposed to threats. Integrating tools that detect malicious behaviors, such as anomaly detection and "repository firewalls," alongside traditional vulnerability scanners, is necessary.
Risk Assessments: Organizations must embrace risk assessments as critical components of their security strategy. They should proactively identify and address existing malicious components in their environment.
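As an added illustration (not code from the article or from Sonatype), the audit below shows the kind of check a "repository firewall" performs and how an organization can answer the question the article says is achievable: which of the components it has already consumed are known-malicious or behave anomalously. The lockfile, denylist, registry metadata and package names are all constructed for the example.

```python
# Lockfile audit in the spirit of a repository firewall (constructed data).
# Check 1: compare consumed components against a denylist of known-malicious
# ones. Check 2: flag anomalies a vulnerability scanner never reports, such
# as a brand-new release or a package that runs an install hook.
from datetime import date

# Constructed lockfile: (package, version) pairs; names are hypothetical.
LOCKFILE = [
    ("left-pad-utils", "1.0.3"),
    ("colorz", "2.1.0"),
    ("requests-helper", "0.0.1"),
    ("yaml-parser", "4.2.0"),
]
# Constructed denylist of known-malicious (package, version) pairs.
DENYLIST = {("colorz", "2.1.0")}
# Constructed registry metadata: publish date and whether an install hook runs.
METADATA = {
    "left-pad-utils": {"published": date(2022, 3, 1), "install_script": False},
    "colorz": {"published": date(2024, 5, 20), "install_script": True},
    "requests-helper": {"published": date(2024, 6, 10), "install_script": True},
    "yaml-parser": {"published": date(2021, 9, 14), "install_script": False},
}


def audit(lockfile, denylist, metadata, today, min_age_days=14):
    """Return {package: [reasons]} for every component that fails policy."""
    findings = {}
    for name, version in lockfile:
        reasons = []
        if (name, version) in denylist:
            reasons.append("known-malicious")
        meta = metadata.get(name)
        if meta is None:  # never seen by the registry mirror: quarantine
            reasons.append("unknown-to-registry")
        else:
            if (today - meta["published"]).days < min_age_days:
                reasons.append("published-too-recently")
            if meta["install_script"]:
                reasons.append("install-hook")
        if reasons:
            findings[name] = reasons
    return findings


def audit_sample():
    """Run the audit over the constructed data as of 2024-06-15."""
    return audit(LOCKFILE, DENYLIST, METADATA, date(2024, 6, 15))
```

Only the denylist hit is something a vulnerability scanner could ever surface; the age and install-hook findings come from behavioral policy, which is the gap the article describes.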
By understanding and overcoming these cognitive biases, security teams can avoid a false sense of security and adopt a more comprehensive and proactive approach. This is crucial for protecting organizations against both visible vulnerabilities and hidden, devastating malicious components, allowing them to thrive in the face of ever-evolving cyber threats.