It’s no secret that protecting corporate networks by implementing security best practices and policies is critically important to protecting (and guiding) users. It can take days, weeks or even months to set up the security controls needed to meet those goals. And even after all that, some organizations still experience breaches caused by simple user mistakes. But not all the blame falls on the user base. Security professionals often overlook an important element of security — mitigating normalcy bias.
Normalcy bias is a cognitive bias that leads people to disbelieve or minimize threat warnings. Consequently, individuals underestimate the likelihood that a disaster will affect them. This applies directly to cybersecurity and users. How do cybersecurity professionals balance a user base that includes both those who prepare for the worst-case scenario (also known as preppers) and those who don’t (non-preppers)? Preppers often overestimate the likelihood of an apocalyptic event and suffer from worst-case thinking bias, while non-preppers readily dismiss the need to prepare for an event at all. When applied to cyber threats and the need to protect an organization from a breach (or from other threats such as phishing), normalcy bias heavily affects whether employees actually follow security best practices.