💠 Optimism Bias

When looking to the future, we tend to overestimate the good stuff and underestimate the bad.

This is a draft chapter from my new book; Security Gems: Using Behavioural Economics to Improve Cybersecurity (working title).

Subscribe to read new chapters as I write them.

💠 In Sickness and In Health

Marriage. It’s a wonderful thing, isn’t it?

In the Western world, the numbers don’t agree. Divorce rates are about 40 percent.

That means that out of five married couples, two will end up in divorce. But when you ask newlyweds about their own likelihood of divorce, they estimate it at zero percent.

Good luck to them!

Optimism bias is sometimes used interchangeably with ‘overconfidence’, and refers to the phenomenon whereby individuals believe they are less likely than others to experience a negative event.

As humans we need some level of optimism, if we went in to marriage thinking it would end in divorce, marriage simply would not exists.

The optimism bias is an intriguing concept that comes with a host of benefits, such as shielding us from depression and ensuring we respond positively to failure.

Sadly, though, the optimism bias in cyber security leaves us overly-vulnerable to cyber attack.

💠 It’ll never happen to me

When I was growing up, there was a kid in my neighbourhood who loved climbing trees. I was always suspicious one of his parents was a monkey.

He’d shoot up them, without a second thought.

Once, thirty metres in the air, a branch broke beneath him. All of us standing below heard the crack. It sounded like lightning, followed by a heavy thud as it hit the ground

Luckily he managed to quickly reach out and grab a branch above, saving himself from a long fall.

Whilst the slip didn’t bring him back down to earth, it did bring him back to reality. It took him the rest of the day to climb back down. And weeks before we saw him up another tree.

The dangers of being overly optimistic or self-confident can often blind us to the very high likelihood of negative outcomes.

When there’s nothing to warn us of our impending doom we get even more reckless.

Drink and drug driving is a massive problem, and is in a large part a result of our unbounding optimism.

“I’ve only had a couple of beers”, offers no solace to the family whose love one has been killed as a result of impaired reaction times.

Nightclubs in Germany came up with a brilliant idea to reduce the problem of their patrons jumping into cars after a night on the tiles; piss screens.

Urinals allowed drivers to steer a car in a video games using their pee. Aim left to go left. Right to go right.

If you’re too slow or swerve too much, that is to pee on the blokes foot next to them, the car would crash. “Too pissed to drive”, the screen would read, along with the number of the local taxi firm.

Again, in life we need moments to peg us back to reality.

When people receive emails they don’t necessarily treat them with the suspicion they deserve.

Far too often, we’re optimistic about the outcome of clicking links, and end up clicking malicious links or opening malicious attachments.

Wether it’s drink driving, or clicking an email. Both can have catastrophic consequences.

Facebook do a great job of warning us about the result of our actions. Click an external link on your newsfeed and they’ll make you confirm the link shown is where you want to end up.

The aim here is to make the negative effects and losses of a certain action clear to the individual, and offer a clear, safer alternative.

Sadly Facebook don’t do this with uploading drunk photos yet.

💠 It’ll happen to them

Now, I’m not advocating we all become pessimists. World economies rely on optimism.

Entrepreneurs need optimism.

Do you ever find yourself in situations wondering “how hard could it be?”.

As an amateur home-chef, I have a particularly bad habit of asking this type of question when dining out. How hard could it be to create a menu? Cook the food? Leave the customers wanting more?

I make a great Pad Thai.

In my town one particular restaurant unit has changed hands five times in as many years. Italian. Indian. Thai. Greek. Italian, again.

It’s not unusual. In some cities, the chance of restaurant failure in the first year can be as high as 90%. That is, nine out of every ten restaurants opened will fail!

Nine in ten! Who would want to open a new restaurant?

Restaurateurs know the numbers, but despite the well-documented failure rates, they often don’t think they apply to them. They might argue their concept is different to the others, their restaurant is in a better part of town, or the cuisine is seeing new popularity.

But do they really have a better chance of success than others trying the same thing?

In the majority of cases, no.

The problem is we don’t know the reason behind the facts. We don’t know a lot about others, but know a lot about ourselves.

We’re optimistic about ourselves, we’re optimistic about our kids, we’re optimistic about our families, but we’re not so optimistic about the guy sitting next to us, and we’re pessimistic about the fate of our fellow citizens and the fate of our country.

This plagues those responsible for creating public health messaging.

One in two UK people will be diagnosed with cancer in their lifetime. But despite the odds most people don’t think they’ll get cancer [1].

38 percent of cancer cases are preventable in the UK. 15 percent of that can be attributed to stopping smoking.

Yet millions of people still smoke, pouring their hard earned money into the pursuit of lowering their health outcomes.

People explain it away. They go to the gym everyday. Other smokers don’t. They don’t drink, like other smokers.

Comparative optimism, where we can’t make a direct comparison, convinces us others are more likely to suffer negative experiences than we are ourselves.

Studies around peoples perceived privacy risks, like unauthorised access to accounts and sharing of personal information, is much more likely to happen to other people [2].

Almost half of all UK businesses suffered some form of cyber security breach in 2020 [3].

Yet companies don’t think it will happen to them.

It’s why we can ignore network security risks while at the same time reading about other companies that have been breached. It’s why we think we can get by where others failed.

Optimism induced invincibility needs to be accounted for, and removed. You are no better than your peers, mostly.

💠 Prevention is better than cure

Skiing. Windsurfing. Rock climbing. These are the kinds of things I love to do on holiday.

Health insurance companies don’t like me doing them. I know this because they charge me a hefty premium for coverage.

Previously I was guilty of questioning if travel insurance was worth the money.

Whilst speaking to the Swiss Mountain Rescue team one Winter, they told me just how much it cost to be evacuated via helicopter. About $100 per minute. And that’s from takeoff to landing.

Perceptions of actual risk can be clouded by optimism. I don’t go on holiday to break a leg, but the chance is pretty high.

It’s not just that we don’t think bad things can happen to us or are more likely to happen to someone else. We–all things being equal–believe that good outcomes are more probable than bad outcomes.

In one study, participants were given a list of 18 positive and 24 negative events, like getting a good job after graduation, developing a drinking problem, and so on [4].

Overall, they considered themselves 15% more likely than others to experience positive events, and 20% less likely than others to experience negative events.

People are more likely to accept risks if they feel they have some control over them.

Here we see the feeling of security diverging from the reality of security.

Controlling for this feeling is important.

We all know someone that has “seen it all”.

Experience often trumps decision making. It offers a sense of security.

But never let it cloud the actual risks, which should be assessed with an eye of experience, but also an eye of fatalism.

💠 Security Gems

You are not invincible.

  • Set a “base rate”:  Take an outside view, meaning we should look at base rates for our estimates as if we are looking at someone else’s chances.
  • Conduct a premortem: before making a decision predict how a project or strategy could fail and then work backward to prevent these issues.
  • Make impending negative events caused by over-optimism clear: Bringing negative events to our mind just before we’re likely to engage in an undesirable act can be a good behaviour change technique.
  • Use positive information motivate: Instead of telling people why they shouldn’t do something, convince them with the benefits of an alternative. Remember our optimism bias leads us to think we’re less likely to suffer negative outcomes compared to others.
  • Beware of feeling secure: Take a risk based approach to security. Best practises are good to follow, but make sure they address the critical issues.

[1] Cancer risk statistics
[2] Optimistic bias about online privacy risks
[3] Almost half of UK businesses suffered a cyber attack in past year
[4] Unrealistic Optimism about Future Life Events

Security Gems: Using Behavioural Economics to Improve Cybersecurity

This post is a draft chapter from my new book. Pardon the typos.

Subscribe to read new chapters as I write them.

Facebook Comments

Product Geek?

Join over 5,000 product geeks and get one email every Monday containing the best excerpts I've read over the previous week.

See some of what you're missing...