
The Dunning-Kruger Effect and Why It Complicates Cybersecurity

Next time you think something is easy and you’re crazy good at it, beware of the Dunning-Kruger (D-K) Effect. Psychology Today describes it as mistakenly believing your competence in an area to be high and, therefore, not realizing how much you still have to learn. This overconfidence then prevents you from seeking the very knowledge that would help you understand and perform better.

People tend to fall somewhere along a predictable D-K curve, with those who believe themselves to be very capable yet are low in competence at one end. At the other end, those who are competent tend to identify their own knowledge gaps, so they don’t believe themselves to be highly capable or knowledgeable. This drives them to seek more information and trust experts. Unfortunately, those suffering from the D-K Effect also lack the background knowledge needed to distinguish an expert from a regular Joe.

Reflecting on our nation’s ongoing struggle to distinguish truth from fiction, it occurred to me that this is a perfect description of what we see every day in the cybersecurity industry. Picture this. An organization knows very little about cybersecurity, so it implements what it feels confident in, such as a “silver bullet” technology or a vendor it expects to solve all its problems. Then, when someone on the team tries to start a conversation about gaps or vulnerabilities, leadership becomes incredulous. It happens more often than you think.

What the D-K Effect looks like in the cybersecurity world

Managers with the D-K Effect don’t know what they don’t know, and their surprise or indignation often gives them away. You might see their shock when partners require security and compliance validations and certifications before working with them. Or, you may witness their frustration stemming from ill-informed, unrealistic budget and hiring allocations for cybersecurity. It may also be difficult to engage them in realistic planning conversations.

Thinking small and making big assumptions

One common D-K scenario is in growing tech startups serving regulated spaces. Perhaps they’re riding high from securing Series A Funding through a disruptive business model. They’re smart, capable and tech savvy, right? But despite rapid growth, they’ve only just begun working with expert buyers in the enterprise market. Typically, they are so focused on bootstrapping their technology that they haven’t had time or budget to invest in business operations systems that are secure by design and can scale with their growth.

The D-K Effect also rears its head in rapid-growth organizations rolling up small- and medium-sized businesses (SMBs) through mergers and acquisitions. SMBs are notorious for assuming they are too small or irrelevant to be of interest to hackers. Cue the D-K Effect. This mentality is absorbed into the greater organization — along with old IT systems and, often, a resistance to change.

Case in point? An enterprise organization in a regulated space approached us for help with a very serious, multi-million-dollar security incident. Despite their growth, they had no access-management policies, no network segmentation, no security monitoring and no cybersecurity staff or training. The “no” theme continued with the IT director refusing a risk assessment after the incident was forensically investigated. Since the breach had yet to trigger a lawsuit or media coverage, executive leadership decided to simply move forward. Within months, one of their new acquisitions experienced a breach compromising thousands of client profiles containing sensitive information.

Challenging our own thinking

The lesson here is clear for those open to progressing along the D-K curve. You need a strategy. But as long as you don’t know what you don’t know, security will look like an overwhelming set of tasks in no clear order for the greatest impact. Without a mature implementation plan, people tend to begin with the processes they are most familiar with.

If you ask me what you need to be doing to protect yourself, I’m going to look at your current IT strategy and give you a comprehensive roadmap. Furthermore, I’ll show you the reason for the order of your particular action items. Your cybersecurity strategy should take into account 1) business enablement, 2) controls (which may come from a combination of compliance standards and/or the NIST Cybersecurity Framework), 3) operational management, 4) talent management, and 5) risk management. If you leave out any part of the puzzle, or if you favor one area too much, you don’t have a solid game plan. That’s when you start to realize that managing a cybersecurity program necessitates expertise, knowledge sharing and centralizing your documentation for shared visibility.

The key to breaking through the D-K Effect in cybersecurity is what researchers call metacognition, or thinking about thinking. Ask yourself questions. Pay attention to assumptions. Seek out knowledge. Confidence may drop, but competence will rise. You’ll be better equipped to distinguish true expertise, and well on your way to creating a culture of security for your organization.

If you would like to talk with someone to guide you along your journey to greater cybersecurity, please request a consultation with one of our experienced experts. We are always happy to share what we know and help.
