The effect of omission bias on vulnerability management

Whether we’d like to admit it to ourselves or not, all humans harbor subconscious biases that powerfully influence our behavior. One of these is the omission bias, which has interesting ramifications in the world of cyber security, specifically vulnerability management.

In this article, we discuss omission bias in vulnerability management, particularly vulnerability remediation, and how IT operators can overcome it with today’s new management platforms.

Vulnerability management

Omission bias is the human tendency to assume that less harm will be done by inaction (omission) than by taking action (commission) in a given circumstance.

Cybersecurity offers us a classic example of omission bias, specifically in vulnerability management. The reason why most organizations don’t patch their vulnerabilities quickly and aggressively is that operators fear those software upgrades will “break” something and disrupt their network’s operational availability. Thus, not patching (“omission”) is perceived as the less harmful option when compared to applying patches (“commission”).

Strong evidence exists, however, that patching is largely safe, as less than 2% of patches are rolled back. Conversely, exposed vulnerabilities account for 37% of successful cyber-attacks on organizations, especially those launched by sophisticated threat actors, like nation-states. But human nature tells us that it feels less harmful to forego aggressive patching than it is to forge ahead and take action.

Immediacy plays a large part in this reality as well. A cyber-attack resulting from a specific exposed vulnerability is possible but not guaranteed, and certainly not an immediate concern, but an applied patch that causes a serious disruption is a personal memory many IT professionals can recall vividly, and when it happens, the consequences couldn’t be more immediate.

Overcoming omission bias

A statement often erroneously attributed to the philosopher Edmund Burke famously says that “all that’s required for evil to triumph is for good men to do nothing.” Referring to the tendency of nations and citizens to avoid confrontation with authoritarian regimes until it’s too late, this well-known, mis-attributed quote encapsulates omission bias and its ramifications succinctly. Only experience and historical context can influence nations to take seriously authoritarian threats, and that same context and data are the only things that can check that human tendency to avoid action in any other walk of life.

There are two primary ways to overcome omission bias, experience, and data.

Experience

When humans experience – either personally or via anecdote – the negative impact of not acting, the wall of omission bias can be penetrated. For example, someone who has chosen not to receive the shingles vaccine out of fear of side effects may be persuaded to do so after witnessing a friend suffer through the illness.

Data

Data can be a powerful antidote to ingrained omission bias, especially for the more analytical among us. Returning to the shingles vaccine example, someone apprehensive about the vaccine may reconsider after seeing data on limited side effects juxtaposed with the relatively high probability of contracting the disease.

Combining both

Of course, even more compelling than either an individual anecdote or convincing data is a combination of the two. When data is reinforced with personal experience, it has an exceptionally powerful ability to combat biases of all types, and omission bias is no exception.

Overcoming omission bias in vulnerability remediation

In the case of vulnerability remediation, overcoming that bias about individual patches requires information about the safety of those patches on other networks – information that’s difficult or even impossible to come by via traditional communication channels like Reddit or Discord communities. Moreover, such patch-disruption research would require even more effort on the part of already overworked IT professionals tasked with applying patches.

The good news is that modern vulnerability management and remediation solutions have built-in crowdsourcing mechanisms that capture the disruption history of patches and share that information with users of the platform, all while protecting the anonymity of those applying the patches.

The designers of these new vulnerability management platforms are guided by an aspiration to overcome patching omission bias by providing the data necessary – in an easily accessible and consolidated form – to convince long-suffering IT practitioners that patching is not only foundational to an effective cyber security program, but much less disruptive than it’s often perceived to be.

Omission bias poses a significant challenge in cybersecurity, where the tendency to neglect certain vulnerabilities can lead to severe consequences. Recognizing the importance of addressing this bias, vulnerability remediation emerges as a powerful tool in the cybersecurity arsenal.

As we navigate the evolving landscape of cyber threats, embracing proactive vulnerability remediation becomes imperative for organizations seeking to fortify their defenses and build a resilient cybersecurity posture.