The Security Ledger Podcast

Episode 163: Cyber Risk has a Dunning-Kruger Problem also: Bad Password Habits start at Home

October 03, 2019

In this episode of the Security Ledger Podcast (#163), sponsored by LastPass: Kevin Richards of the insurer Marsh joins us to talk about that company’s Cyber Risk Perceptions Survey. Also, Yaser Masoudnia of LastPass* joins us to talk about how the blurry line between personal and professional is complicating enterprise security.

We all know about the Dunning-Kruger Effect: that sneaky cognitive bias that convinces people of low ability that they’re actually the bomb, simply because their ignorance prevents them from apprehending how much they don’t know. No doubt you’ve worked with someone imprisoned by Dunning-Kruger. And, indeed, in a culture that rewards swagger and big talk, it’s easy to see this particular bias at work all around us.

A Dunning-Kruger Effect with IT Risk?

Dunning-Kruger is interesting. We tend to focus on one aspect of it, namely: that low ability people consistently overestimate their aptitude. But the popular rendering of the effect goes further and describes a consistent pattern: as individuals become more competent, their confidence in their own abilities falls, creating a kind of competency trough. Confidence recovers as actual mastery of the topic at hand increases, producing the distinctive “U” shaped graph that gets drawn whenever the effect is discussed. Even as they achieve true mastery, individuals’ confidence typically never climbs back to the high level they exhibited when they had absolutely no idea what they were talking about.

Kevin Richards is the Global Lead for Cyber Risk Consulting at Marsh

But can Dunning-Kruger cloud organizational thinking in the same way that it clouds individuals’ perceptions? On this topic, a recent survey by the insurer Marsh and Microsoft caught our eye. The second annual Cyber Risk Perception Survey asked 1,500 executives and IT professionals at companies of all sizes across the globe about the state of cyber risk perceptions and risk management.

One interesting finding of the survey: industry analysts, corporate leaders and IT pros said their organizations had never been more concerned about cyber risk and were spending more than ever before to address that risk. Despite that, their confidence in their cyber risk preparedness fell by 6%, with just 23% “highly confident” in their readiness to defend against cyber attacks. In other words, corporate leaders were less optimistic than in years past, when they were admittedly less concerned about, and spending less money on, cyber defense.

“We’ve never spent more. It’s my top concern. And the confidence in our ability to defend actually went down.” - Kevin Richards, Global Lead for Cyber Risk Consulting at Marsh

Why? To understand what may be bubbling in the minds of corporate executives and risk professionals, we sat down with Kevin Richards, the global lead for cyber risk consulting at Marsh, the world’s largest insurance brokerage and a major broker of cyber risk insurance.

Kevin noted that a steady stream of news about mega-breaches weighs on the minds of corporate executives. Beyond that, cyber security might simply be harder than companies and their leaders anticipated. Increased attention to, and spending on, cyber risk efforts helps address th...