Wishful thinking won’t protect your data and systems. Without understanding two key psychological constructs, motivated reasoning and decision fatigue, people will continue to put their trust in software alone to keep their systems safe – and then shift responsibility for adverse events onto end users. For example, those impacted by motivated reasoning will reuse passwords without believing it might actually have an impact. People who experience decision fatigue avoid decisions or choose the least effortful action. However, there are steps organisations and individuals can take to recognise and cope with these parts of human nature – are you prepared?

1. Dr. Margaret Cunningham, Principal Research Scientist
Forcepoint, X-Labs
Weary Warriors:
Reducing the Impact of Wishful
Thinking & Fatigue on Information
Security Decisions
4 June, 2019

2. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
Select the option that fits you best:
- I use the exact same password on multiple sites. ¯_(ツ)_/¯
- I change my passwords a little bit—Password1! is different from
Passw0rd, right?
- I never reuse passwords.
- I use a password manager.
Slido Q1

3. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
40-50% of users reuse
passwords

4. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
46% of organizations don’t
change their security strategy
after an attack!

5. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
Definitions & Outcomes
• Motivated Reasoning
• Decision Fatigue
Strategies & Solutions
Overview

6. Weary Warriors: Reducing the Impact of Wishful
Thinking & Fatigue on Information Security Decisions
• “Wishful Thinking” and self-
deception
• Avoidance of cognitive
dissonance
• Evaluating problems in favor
of preferred outcomes
Motivated Reasoning is…

7. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Inadequate solutions based
on biased information
• Aversion to change
• Rationalization, and denial,
of poor choices
Impact of Motivated Reasoning

8. Weary Warriors: Reducing the Impact of Wishful
Thinking & Fatigue on Information Security Decisions
• Decision-making draws on
finite mental resources
• Our capabilities degrade over
the course of each day
• Helped by food, cured by rest
Decision Fatigue is…

9. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Decision avoidance, relying
on defaults or “status quo”
• Difficulty weighing pros &
cons of multiple options
• Short-term > long-term
• Selecting the least effortful
choice
Impact of Decision Fatigue

10. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• When faced with “facts that don’t fit” we ignore them
• When fatigued, we pick the easy way out – if we make
a choice at all
Motivated Reasoning + Decision Fatigue = Bad Decisions

11. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
Strategies & Solutions
1. Recognize the Signs
2. Be Choosy about
Choosing
3. Plan & Prioritize

12. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Impaired self-control & impulsivity
• Procrastination
• Decision avoidance
• Irritability
• Ignoring contradicting opinions or
facts?
Recognize the Signs

13. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Cut options
• Concrete examples
• Categorize
• Condition for Complexity
Be Choosy about Choosing1
1 Sheena Iyengar, “The Art of Choosing”

14. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Plan daily decisions in
advance
• Prioritize important decisions
for the morning
• Sleep on it – when possible
• Use tools & establish
decision-making processes to
support unplanned or late-
day choices
Plan & Prioritize

15. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
5 KEY TAKE AWAYS

16. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
• Motivated reasoning leads to biased decision making & denial of
alternative solutions that differ from existing practices
• Decision fatigue leads to decision avoidance, or selection of easier,
short-term solutions
• Recognize the signs: procrastination, distraction, impulsivity,
irritability, risk-aversion
• Use choice strategies: cut, categorize, concrete examples, &
conditioning for complexity
• And, when possible, plan and prioritize to optimize decision-making
5 KEY TAKE AWAYS

17. Weary Warriors: Reducing the Impact of Wishful Thinking & Fatigue on
Information Security Decisions
Follow-up questions or comments?
Margaret.Cunningham@Forcepoint.com
Or, visit my Forcepoint Author Page:
www.forcepoint.com/company/biographies/margaret-cunningham
Recent White Papers:
Exploring the Grey Space of Cybersecurity with
Insights from Cognitive Science
Thinking about Thinking: Exploring Bias in
Cybersecurity with Insights from Cognitive Science