We see what we want to see: Pitfalls of Perception and Decision-making in Security Management

Abstract

We human beings are often convinced of having a clear picture of reality and believe ourselves to be thoroughly rational in our thinking and decision-making. However, our perception of reality is limited and prone to errors, and our decision-making is often guided by emotions and instincts instead of facts and rational thinking. If we don’t stop to think we often jump to conclusions based on partial or erroneous information, and eloquently justify our decisions with apparently rational arguments. In many areas of human activities, including security management, limits of perception and errors in decision-making can have harmful, even disastrous consequences. Very often in security management the decision-making process is not sufficiently challenged by critical thinking as decisions are often made hidden behind the veil of secrets. Cognitive biases - systematic errors in thinking affecting decisions and judgments - have been identified and analysed in various contexts, and the results have been applied to improve decision-making processes. However, in the heavily regulated and compliance-dominated world of security management sufficient attention hasn’t been paid to cognitive biases and their impacts. As result of insufficient attention an important risk factor is regularly underestimated. This paper includes an introduction to the concept of cognitive biases and the research on the phenomenon. The biases which in the author’s experience have a particularly harmful impact on security management are described in detail. This introduction is followed by description of scenarios and real-life examples where erroneous perception and decision-making of security actors leads to disasters. De-biasing is the strategy which aims at eliminating or at least limiting of the impact of cognitive biases. This strategy has been successfully implemented in various types of environments. This paper presents ideas how de-biasing strategies could be implemented in security management in order to improve the quality of decision-making.