Episode 163: Cyber Risk has a Dunning-Kruger Problem also: Bad Password Habits start at Home

In this episode of Security Ledger Podcast (#163) sponsored by LastPass: Kevin Richards of the insurer Marsh joins us to talk about that company’s Cyber Risk Perceptions Survey. Also Yaser Masoudnia of LastPass* joins us to talk about the blurry line between personal and professional is complicating enterprise security.

We all know about the Dunning-Kruger Effect: that sneaky cognitive bias that convinces people of low ability that they’re actually the bomb, simply because their ignorance prevents them from apprehending how much they don’t know. No doubt you’ve worked with someone imprisoned by Dunning-Kruger. And, indeed, in a culture that rewards swagger and big talk, its easy to see this particular bias at work all around us.

A Dunning-Kruger Effect with IT Risk?

Dunning-Kruger is interesting. We tend to focus on one aspect of it, namely: that low ability people consistently overestimate their aptitude. But the research by Dunning and Kruger revealed a consistent pattern: as individuals become more competent, their confidence in their own abilities falls, creating a kind of competency trough. Confidence recovers as actual mastery of the topic at hand increases, creating a distinctive “U” shaped graph. As they achieve true mastery, individuals confidence in their ability recovers, though typically not to the same high level they exhibited when they had absolutely no idea what they were talking about.

Kevin Richards is the Global Lead for Cyber Risk Consulting at Marsh
Kevin Richards is the Global Lead for Cyber Risk Consulting at Marsh

But can Dunning-Kruger cloud organizational thinking in the same way that it clouds individuals’ perceptions? On this topic, a recent survey by the insurer Marsh and Microsoft caught our eye. The 2nd annual Cyber Risk Perception Survey asked 1,500 executives and IT professionals at companies of all sizes across the globe about the state of cyber risk perceptions and risk management.

One interesting finding of the survey: industry analysts, corporate leaders and IT pros said their organization were never more concerned about cyber risk and were spending more than ever before to address that risk. Despite that, their confidence in their cyber risk preparedness fell by 6%: with just 23% “highly confident” in their readiness to defend against cyber attacks. That means corporate leaders were less optimistic than in years past – when they were admittedly less concerned about- and spending less money on cyber defense.

“We’ve never spent more. Its my top concern. And the confidence in our ability to defend actually went down.”

Kevin Richards, Global Lead for Cyber Risk Consulting at Marsh

Why? To understand what may be bubbling in the minds of corporate executives and risk professionals, we sat down with Kevin Richards, the global lead for cyber risk consulting at Marsh, which is the world’s largest insurance and cyber risk insurance brokerage. 

Kevin noted that a steady stream of news about mega breeches weighs on the minds of corporate executives. Beyond that, cyber security might simply be harder than companies and their leaders anticipated. Increased attention to- and spending on cyber risk efforts helps address that risk. But it also reveals how much was missed and is yet to be done.

I asked Kevin whether a kind of Dunning-Kruger Effect may be at work here, as organizations’ lack of knowledge and expertise leads them to underestimate their cyber risk while overestimating their information security capabilities. As their understanding of the truth about their cyber risk grows, their confidence in their cyber capabilities takes a beating. 

Its a small part of a fascinating conversation. Check it out!

Bad Password Hygiene hits Home and Work

In our second segment: the notion that your work life and your home life are separate is pretty well dead at this point. Overall, the consumerization of information technology in the last 20 years has been a good thing. Employees bringing their consumer devices (like, oh… the smart phone) to the office has allowed them to use that technology to solve all manner of workplace problems. In all, consumerization of IT has made workers much more productive, even as it has scrambled the work of corporate IT groups. 

When it comes to account security, however, consumerization is a big problem. As it turns out: workers don’t just bring their smart phones and consumer apps to work. They also bring the same lax, shoddy password practices used at home to the workplace. In fact, a study by LastPass found that 70% of workers said there was no difference in the method they use to create personal and work passwords. Not good.

Yaser Masoudnia, LastPass
Yaser Masoudnia is the Senior Director of Product Management at LastPass, part of LogMeIn

To understand how companies are trying to take control back and shore up both passwords and corporate identities, we invited Yaser Masoudnia from LastPass and LogMeIn into the Security Ledger studio. (Read Yaser’s recent explainer on how two-factor and multi-factor authentication differ.) In this interview, he and I talk about how the blurry line between personal and work accounts hampers cyber security efforts within companies, and how a more integrated approach to passwords, authentication and identity can solve a myriad of corporate security challenges. 

(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.