Recent Posts

Week 25 – Two severe vulnerabilities in SUSE Linux system

06 – 22 June 2025 It’s Friday again, which for some people means throwing a party to let the stress out after a long week at work. Not for engineers responsible for securing SUSE Linux systems, though. SUSE is a distribution loved by many desktop 

Cyber (In)Securities – Issue 157 – Snapshot Edition

“What happens to Heroes?” EPISODE #7: The Unsung Heroes of the digital world

The Psychological Impacts of Cyberattacks

This is the seventh episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack.

What I will call the “Heroes”

Cognitive Cybersecurity & prevention: The human factor at the heart of cyberattacks

“We were carefree, thinking that it only happens to other people.”

“For me, these were things you only saw in the movies. I never thought I’d experience one in my life.”

Excerpts from Interviews with Heroes

In this episode, I would like to highlight a contradiction that strikes me every day. Despite massive investment in cybersecurity technologies (anti-phishing filters, advanced firewalls, intelligent detection solutions, AI algorithms, and so on), human error remains the biggest weakness in our defense. The numbers vary between studies, but they consistently place somewhere between 75% and 95% of cyber incidents as originating in human failure. Yet the resources allocated to this human factor are disproportionately small compared to the rest of the security budget. Why is our reasoning flawed?

Cognitive biases in Cyber Security. What are our blind spots?

Today, in this highly connected world, cyber threats are evolving at an unprecedented rate. Yet despite the latest technological advances and state-of-the-art security measures, one persistent and often overlooked vulnerability remains: the human mind. Cybersecurity is not just a technical challenge; it is a cognitive one. Human behavior, shaped by unconscious biases, creates openings for risk that no firewall can close. Organizations that want to strengthen their cyber resilience must understand these biases.

Let’s delve into four cognitive biases that can compromise cybersecurity: excessive optimism, apathy, the tendency to overestimate the availability of resources, and the tendency to overestimate one’s own abilities to handle a crisis.

BIAS #1: Unrealistic Optimism: “It Won’t Happen to Me”
Unrealistic optimism, sometimes called the optimism bias, is the tendency to believe that negative events are more likely to happen to others than to oneself. In the field of cybersecurity, this mindset leads individuals, teams, and even entire organizations to underestimate their own susceptibility to attack.

The impacts will include underinvestment in security measures, lack of training and ignoring warning signs until it’s too late.

BIAS #2: Complacency: “We’ve Always Been Fine”
Complacency sets in when past success, or simply the absence of incidents, creates a false sense of security. People stop anticipating problems and stop taking precautions because everything seems to be going smoothly. Yet, as the well-known warning goes, past success does not guarantee future results.

The impacts will include a gradual decrease in security hygiene, an increase in blind spots, and an overestimation of the quality of IT operations.

BIAS #3: Availability Bias: “I’ll Worry About What I’ve Heard Of”
Availability bias is the tendency to judge how likely something is by how easily an example comes to mind, typically the most recent or most widely reported event. We then overestimate the probability of similar occurrences and, like a horse wearing blinders, overlook the threats we have not heard about.

This will result in misallocated resources, ineffective risk management, and overlooked vulnerabilities.

BIAS #4: Overestimating Expertise and Crisis Management Abilities: “We’ll Handle It When It Happens”
Many IT teams believe they can effectively respond to a cyber crisis, despite lacking real preparation. This overconfidence in crisis response capabilities can be dangerous.

Impact: Delayed response, poor coordination, reputation damage, regulatory penalties, and higher recovery costs.

What are some potential solutions?

• Encourage threat awareness by sharing examples of breaches experienced by similar organizations.
• Conduct tabletop exercises that simulate “what if it were us” scenarios to challenge optimistic assumptions.
• Build a culture of continuous improvement. Implement regular reviews of security controls and embed a mindset that “no news” doesn’t mean “no risk.”
• Conduct regular incident response exercises that involve both technical and non-technical teams. Test decision-making under pressure. Identify and fix gaps in processes, procedure, communication, escalation, and external coordination.

Cybersecurity awareness is not just about instructing people on what to do. It is about helping them think differently and challenging their cognitive biases. This is a crucial step in enhancing the human defense layer.

By openly discussing biases such as unrealistic optimism, complacency, availability bias, and overconfidence, organizations can develop smarter, more resilient teams. These teams will be better at seeing risks and acting proactively.

🔐 Remember: The biggest vulnerability in cybersecurity isn’t a zero-day exploit — it’s the assumption that “this doesn’t apply to me” or “we’ll be ready when it happens.”



About the Author

Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the complexities of an ever-changing digital landscape.

Find him on LinkedIn: Didier Annet

Learn more in his book:
📖 Guide de survie aux cyberattaques en entreprise et à leurs conséquences psychologiques: Que fait-on des Héros ? (French Edition) – Available on Amazon

English version:
“Survival Guide – The Human Impact of Cyberattacks and the Untold Story of Those Who Respond”
“What Happens to Heroes?”
Available on Amazon

Cyber (In)Securities – Issue 156 – Snapshot Edition

Week 24 – Critical vulnerability in Windows is fixed on Patch Tuesday

09 – 15 June 2025 After our last CVE of the Week post exploring a critical vulnerability in the open source landscape, we are back again in the Microsoft ecosystem, as it’s just past Patch Tuesday, which keeps on giving (and more importantly, fixing) weaknesses 

Cyber (In)Securities – Issue 155 – Snapshot Edition

Week 23 – Critical flaw in Roundcube

02 – 08 June 2025 Open-source enthusiast sysadmins might be familiar with Roundcube, one of the most widely deployed webmail clients: Shodan currently lists over 160,000 publicly reachable instances. Unfortunately, it has now become the subject of our regular CVE of the 

Cyber (In)Securities – Issue 154 – Snapshot Edition

CyAN’s Position on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement

The Cybersecurity Advisors Network (CyAN) opposes recommendations made by the European Commission’s High-Level Group on Access to Data for Effective Law Enforcement (HLG) that we view as incompatible with European rights and values.

Overview

The HLG, often referred to as “Going Dark” or #EUGoingDark, was established in 2023 to develop ways for law enforcement to identify, track, and investigate international crime more effectively. Its current recommendations can be found here (PDF).

The High-Level Group has some laudable goals, including reducing crime, enhancing cooperation between law enforcement agencies, and improving efficiencies. The Cybersecurity Advisors Network opposes several components of the HLG recommendations, and encourages our members, partners, and stakeholders to do the same.

In June 2024, European Digital Rights (EDRi) published an article on the HLG covering the problems with its composition, its objectives, and its activities. Patrick Breyer, former Member of the European Parliament (MEP) for the German Pirate Party, has written a series of extensive posts on the problematic nature of the HLG; a good introduction can be found here.

In short, the objections to the HLG, its goals, and its decision-making process are: the group’s undemocratic lack of transparency and accountability; the excessive influence that law enforcement and national security entities exert on EU policymaking through it; its regular re-hashing of repeatedly defeated and debunked schemes to undermine information security through legally mandated weakening of encryption and the other mechanisms that currently ensure citizens’ rights and safety online; and its willingness to consider measures that would damage fundamental European constitutional rights in pursuit of illusory civic and national security.

The Proposed ProtectEU Security Strategy

The HLG is also involved in crafting the European Commission’s related ProtectEU Internal Security Strategy (full text here) which includes a push for mandatory encryption backdoors (“to identify and assess technological solutions that would enable law enforcement authorities to access encrypted data in a lawful manner”). Politico has a good summary of some of the logic driving these problematic items in the EU’s proposed strategy. CyAN has signed the Global Encryption Coalition’s joint letter pushing back against ProtectEU, affirming our commitment to strong encryption and democratic safeguards.

Our Concerns About the HLG’s Recommendations on Access to Data for Effective Law Enforcement

The HLG’s recommendations bear the strong potential for a mass surveillance structure. While CyAN strongly supports the fight against online ills such as child sexual abuse materials (CSAM), cybercrime, fraud, terrorist / violent extremist content (TVEC), and image-based sexual abuse (IBSA), we insist that undercutting the freedoms of citizens runs counter to the liberal democratic values that are a cornerstone of European society. There are more effective and less damaging ways to achieve these aims.

Notably, the HLG explicitly advocates the introduction of compulsory encryption backdoors, something CyAN has consistently opposed and actively campaigned against across multiple jurisdictions. Backdoors irreparably undermine encryption and are detrimental to privacy, individual rights, economic prosperity, and democratic stability. CyAN has published numerous articles and position papers opposing such proposed laws in jurisdictions including Australia, Sweden, the US, Japan, Ukraine, France, the United Kingdom, and the European Union. Our members strongly advocate the urgent need for viable end-to-end encryption [1] [2], free of backdoors [1] [2], especially in the face of quantum computing, and not least as a vital tool for protecting vulnerable populations.

Significantly, while the Copenhagen Criteria for membership in the European Union include democracy and transparency, the rule of law, human rights, and respect for minorities, the EU’s 27 member states have occasionally diverged from both these core values, and from each other’s interpretation thereof. While the EU is currently a stable system with strong safeguards for citizens’ rights, neither liberty nor democracy can be taken for granted. The past two decades have provided several examples of how quickly formerly free societies can revert towards authoritarianism. Technological and legal protections for anonymity, data security and integrity, and freedom of expression should be strengthened, not undermined.

CyAN’s Position

CyAN objects to the following components of the HLG’s proposed framework in its current form (May 2025):

  • The requirement for online service providers to archive all online activities (27), together with mandatory identification and data retention: clicks, messages, and connections, all tied to individuals’ legal names. This risks creating an online panopticon and turning every citizen into a potential suspect. It would also dramatically subvert the utility of VPNs and other anonymity tools that provide safety to users (27.v).
  • Encryption backdoors: providers must supply data “in an intelligible way”, forcing them to weaken or bypass end-to-end encryption whenever asked (27.iii).
  • Backdoors by design: hardware and software makers are ordered to bake permanent law-enforcement access points into phones, laptops, cars, and IoT devices (10, 22, 25, 26).
  • Criminalisation of non-compliance: services or developers who refuse to spy on their users face fines, market bans, or prison (33, 34, 35, 37).
  • Universality: the rules cover every “electronic communication service”, from open-source chat servers to encrypted messengers to vehicle comms systems (17, 18, 27.ii).
  • Subversion of member-state national sovereignty: law enforcement may intercept data under another member state’s jurisdiction “without going through a cross-border cooperation instrument”. Not all EU members have equal levels of respect for freedom of expression, privacy, confidentiality, and similar concepts, and eroding a member state’s ability to protect its own citizens is a dangerous path to pursue (39).

The recommendations repeatedly mention a desire to prevent abuse, ensure citizens’ rights, and ensure that expanded surveillance and investigative powers are only used in a lawful, responsible manner – without specifics of what mechanisms would ensure such respect for Europeans’ basic human rights. It amounts to “trust us, we have your best interests in mind”.

Make Your Voice Heard

The Commission’s feedback period on the HLG’s recommendations is open until 18 June 2025, midnight Brussels time. In addition to supporting the Global Encryption Coalition’s arguments against ProtectEU by signing the joint letter, CyAN will submit its own comments to the Commission on Access to Data for Effective Law Enforcement. We strongly encourage our members to do the same, and to contact their MEP in order to oppose surveillance overreach.

European Commission feedback form:

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14680-Impact-assessment-on-retention-of-data-by-service-providers-for-criminal-proceedings-_en

Global Encryption Coalition Joint Letter on ProtectEU:

https://www.globalencryption.org/2025/05/joint-letter-on-the-european-internal-security-strategy-protecteu/

A list of Members of the European Parliament by constituency:

https://www.europarl.europa.eu/meps/en/home

A sample text to send to your MEP:

Dear <…>

I am writing to you as an information security professional, in order to voice my opposition to the European Commission High Level Group on Access to Data for Effective Law Enforcement (HLG) current recommendations.

As a European citizen, I firmly believe that several of the HLG’s proposals are highly damaging to European fundamental liberties, to the security and integrity of online commerce, and to the trustworthiness of online discourse and democratic mechanisms.

These include, but are not limited to:

  • The requirement for online service providers to archive all online activities (27), as well as mandatory identification and data retention (27.v)
  • Encryption backdoors (27.iii)
  • Backdoors by design (10, 22, 25, 26)
  • Criminalisation of non-compliance (33, 34, 35, 37)
  • Universality (17, 18, 27.ii)
  • Subversion of member-state national sovereignty (39)

I support the HLG’s objectives of fighting cybercrime, terrorism, and abuse online, but the means advocated by the group are not the right way to strengthen our society.

I urge you to help ensure that the European Parliament, European Commission, and all other elements of the European Union’s legislative, executive, and judicial mechanisms continue to respect the rights of Europeans to privacy, trust, safety, anonymity, freedom of expression, and security online, and to not allow the undermining of the technological mechanisms that ensure these in the interests of a surveillance state which will damage our freedom and prosperity.

With best regards,

&c.

Cyber (In)Securities – Issue 153