In a famous ongoing experiment, subjects are asked to watch a short video featuring three people in white t-shirts and three people in black t-shirts passing basketballs. Subjects are asked to silently count the number of passes made by the people in white shirts. The six players move around, change positions, fake tosses and otherwise make it difficult to track the pass count.
During the video, a woman dressed in a gorilla suit walks among the players, turns to the camera, thumps her chest, and walks out of the picture. Half of the viewers concentrate so fully on counting the passes that they never see the gorilla. (I missed it too.) When you watch the video without fixating on the passes, it is shocking to realize that you could have possibly missed the great ape. (The experiment is online here.)
According to Daniel Kahneman in his 2011 bestseller Thinking, Fast and Slow, the study reveals two important things: “We can be blind to the obvious, and we are also blind to our blindness.”
That’s a particularly bad place to be as a security professional.
Yet we often get stuck in ruts and enslaved by our own biases. We may unconsciously give in to the anchoring effect, whereby, for example, reading about a specific risk probability in a magazine case study embeds that number into the assessment of risk in our own security environment, despite the situation having no correlation with the case study.
Or we may succumb to the availability heuristic, in which while determining the likelihood of an event, we give undue weight to immediate examples that come to mind. For example, a security practitioner for a retailer may instantly recall the heavy media coverage of shoplifters cleaning out stores with impunity and tailor the retailer’s security approach accordingly, even if a risk assessment would have dictated otherwise.
The list of cognitive biases is long: confirmation bias, framing effect, hindsight, outcome bias, attribution bias, groupthink, recency bias and the default effect, to name a few. They each furtively impede our thinking.
I asked industry experts how to avoid these traps — to see the gorillas while counting basketball passes. Adriaan Bosch, a senior security consultant at Buro Happold in London, England, notes that part of the problem is our obsession with metrics. “The nature of our profession is to create structures that can be measured and quantified, and thus there are so many standards and guidelines,” Bosch says. “The problem is that the threat is often dynamic, and adversaries are able to develop strategies to counter the well-intended structures and standards.” Getting past that mindset is difficult, he continues. “I have often hit a wall where I would suggest a new mitigation method and the response would be: ‘Where has this been tested,’ or ‘To what standard is this aligned?’”
Susana Marquez Pedrouso, a Spain-based security and loss prevention professional, points out that the most recent prominent example of focusing on the wrong things is the Covid pandemic. Relatively few companies had detailed business continuity plans for a virus; fewer still were prepared for years-long disruption.
“That’s why I believe the obsession to structure risk and crisis management to the limit is creating a very slow capacity to react in many organizations,” she says. “There has to be room to be creative, to innovate, to understand threats and consequences which might never have nailed down.”
Pedrouso echoes Bosch’s comments about the predominance of metrics. “I’m finding more and more security departments drowning in KPIs and protocols, reducing the capacity to perceive new issues and anticipate from a fresh perspective,” she says.
The upshot is that we must continually keep an open mind when thinking about threats, risks and vulnerabilities. Risk is truly dynamic, and assessments should be frequent, taking into account such factors as political, economic and social developments, trends in specific industries, new technology, cultural shifts in the workforce, and so on.
Doing so continuously is a monumental task, perhaps impossible. But doing so regularly and often is realistic.
It’s when we work with blinders on that the gorilla of unforeseen threats strolls into our midst. And, we all know what an 800-pound gorilla does when it shows up: anything it wants.