CyberSecurity's Future- A Need for System 2 Thinking

Rajat Mohanty
Tuesday, October 20, 2015
Rajat Mohanty
In his book 'Thinking, Fast and Slow' Nobel Prize winning psychologist, Danny Kahneman, divides our thinking into two sub-systems: System 1 and System 2. In the first system - System 1 - thinking is fast, intuitive, and automatic, a process we use in most of our daily activities such as driving, talking and reading. It is also used to respond quickly to any stimuli like dropping a hot cup or avoiding a collision. In essence, System 1 is a relatively primitive part of thinking that evolved as part of our survival instinct.

In contrast, System 2 thinking is a slow, calculating and conscious thought process that involves deliberate thinking, such as solving a complex math problem. As this system involves effort and consumes time, the mind often relies on System 1 to navigate the world. In effect, the mind is usually lazy and triggers System 2 only when the solution CEO InsightS provided by System 1 becomes unfeasible. However, it is important to keep in mind that while System 1 thinking is more basic, it is efficient for most situations and should be augmented with System 2 thinking whenever the need arises.

But how does that apply to the cyber security domain? We all know that security breaches are commonplace today, and their severity only seems to be rising. At the same time, there has been an explosion of security products in the market, and over the last two years many new ones are seen in the pipeline because of the venture funding support in the sector. So, is there a correlation between products and breaches? It seems that more breaches drive more products. While what we would want to see is these increased products leading to fewer breaches. While products solve a particular problem or use case and have their rightful places in enterprise IT systems, deploying products is a strategy akin to System 1 thinking. Granted products provide fast and automatic security, be it in prevention, detection, or response, but they only provide passive security and are not able to slow down a deliberate or certain occurrence, cannot investigate the reasons for a security event, do not know the extent of damage to a system and are unable to plan out a broader response.

That type of response requires System 2 thinking-a slow deliberate process of understanding the security issues and responding in a holistic manner, which involves deploying skilled security professionals in addition to products. Deeper deliberate security has been in use for certain aspects of security such as architecture and strategy design, policy and processes design as well as forensics. It is in the actual day-to-day security operations where System 2 is currently lacking, because organizations are primarily dependent on their preventive and detective products, such as firewalls, IPS, SIEM, access controls, and others.

For example, let's take the continuous security monitoring process in an organization. There are multiple security products that alert suspicious activity-an IPS will signal a threat to network activity, anti-malware will raise an alert on viruses/ worms, a WAF will detect web application issues while access logs to applications will show lateral movement, and so on. Today, most organizations aggregate them all through SIEM and receive alerts to a single console. As a System 1 process, this is a fast, automated and easy way to manage security monitoring. But it is also susceptible to failure as identifying an incident requires a well-designed mechanism to collect all relevant security events and logs from every part of IT. Once identified, each alert can then be investigated against its context and past, and the response can be coordinated to prevent the attack or its spread. This is a System 2 approach and requires skilled resources working in tandem with the deployed security technology on a continuous basis. However, System 2 thinking also has its drawbacks. As it is more resource intensive, continuously using System 2 thinking results in mental fatigue and poor results. In cyber security operations, this can happen even with a large pool of skilled resources.

Share on Twitter
Share on LinkedIn
Share on facebook