Date: 2019-06-17

When a cybersecurity event takes over, you’ve got a dynamic, evolving problem and need to act fast. Time is money, and you can’t afford to go down the wrong path in your incident response, because the delay of backtracking and starting over could be extremely costly. This is the kind of scenario we simulate globally across all of our IBM X-Force Command Cyber Range experiences, where our trained staff puts customers through intense, gamified challenges to practice what they would need to do in a real attack.

I know from running thousands of challenges in our cyber range that the biggest obstacles to a well-executed response to a cybersecurity incident that has escalated into a crisis are not technical, but emotional, physical, psychological and cognitive. The strongest of these is confirmation bias: the tendency to focus on evidence that supports a hypothesis and ignore the evidence that doesn’t. We’re human, after all, and we like to take shortcuts that sometimes lead to mistakes.

Confirmation bias is especially problematic when you have limited information and time. During the boom event in a crisis, when you’re feeling the pressure to act fast, it’s understandable that a response team would look for the information that supports its original hypothesis. What makes the situation worse is the physical reaction: the fight-or-flight instinct that kicks in during stressful situations is a major impediment to making good decisions. When a customer gets a flush of cortisol in the back of the brain, this stress hormone impairs cognitive functioning for up to 20 minutes. Incident responders can’t wait that long to make good decisions.

In the cyber range, and on our IBM X-Force Incident Response and Intelligence Services (IRIS) team, we practice a method called dual verification to help overcome confirmation bias and get to ground truth faster. Dual verification means one team tries to prove a single hypothesis while another team tries to disprove the same hypothesis. By assigning distinct people or teams to rapidly investigate multiple theories about a problem, we avoid herding as a group down the wrong track. It works, as we saw recently when we suddenly started detecting a destructive variant of ransomware among some of our customers.