Cybersecurity Threat: The Dunning Kruger Effect

Article by Samuel Hatton on January 08, 2020

The most overlooked cybersecurity threat is our own psychology. Once network security policies, spam filters, and firewalls have done their work as the first line of defense, what remains is our own irrational humanity. One psychological phenomenon, The Dunning Kruger Effect, underlies a large share of that residual risk.

How the Dunning Kruger Effect is a Top Cybersecurity Threat

Published 20 years ago in December 1999, the paper behind what is now known as The Dunning Kruger Effect finally explained why some of us think we are much better at certain things than we really are. The studies in the original report tested a general principle: the least skilled believe they are among the best. Across three domains, the study found that people who scored lowest on a test of humor rated their sense of humor as above average, people who scored lowest on logical reasoning rated themselves as above average reasoners, and people who scored lowest on a grammar test rated their grammar as above average.

Since its publication, the finding has been replicated many times: the least skilled consistently overestimate themselves. The scary thing is, this applies to just about everything, including cybersecurity awareness and resilience.

Let's review three areas where The Dunning Kruger Effect can harm your business and put your computer network security at risk. As I go through each of these areas, I'll explain how the Dunning Kruger Effect ties into cybersecurity risk.

1) Your Staff

Your employees are certainly not the first line of defense against cybersecurity attacks. Your network security policies, spam filters, and firewalls are the first line of defense. But cybersecurity is not just your technology and the way it is managed.

Besides machines, people make your products, operate your assets, and serve your customers, and it is these people who are most exposed to cybersecurity threats. Suppose you surveyed every employee and asked them to rate, on a scale from one to ten (one being clueless, five being average, ten being extremely knowledgeable), how good they are at spotting a scam in an email or on the Internet compared to their coworkers. The Dunning Kruger Effect predicts that 60 to 70 percent of them will place themselves above five. As a description of the group that is impossible: by definition, only half of any group can be above the median. That gap between self-rating and reality is what makes the Dunning Kruger Effect a psychological phenomenon, and it is why self-assessment is a poor substitute for measuring who actually clicks.

Risk of clicking a phishing link

What The Dunning Kruger Effect also shows is that the people most at risk of clicking a phishing link (the lowest quartile, or the 0%-25% skill band) almost always think they are above average. And in some cases, as with the grammar study in the original report, the bottom quartile rated themselves as high as or higher than the 2nd and 3rd quartiles.

Here is a snippet from the original report:

[Figure: chart of perceived versus actual grammar test performance by quartile, from the original report]

This means that if the Dunning Kruger Effect holds true to its psychological findings, your most ill-equipped employees have more confidence in their ability to spot an Internet scam than those who are truly above average.

The report found that training is what corrects this: when the least skilled participants were taught the skill, their self-assessments became more accurate. The more training and expertise you have in a skill or ability, the more realistic your confidence in that ability becomes.

Here is a great illustration that demonstrates confidence and expertise.

[Figure: illustration of confidence versus expertise]

Does this mean that everyone in your company needs to go through cybersecurity training? It certainly doesn't hurt. But at the very least, the employees who are worst at spotting a phishing scam should.

We have a tool that provides security awareness training only to those who are most likely to click on a phishy link. The training happens in real time, right after they click a simulated phishing link. This lowers the confidence of exactly the people who need the most training and puts them in a position to skill up on spotting phishing scams.
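A concrete version of that measure-first approach, added here as an example (it is not the author's tool and not code from the original page): each recipient of the simulated phish gets a link carrying an HMAC-signed token, the landing page serves training only when the token verifies for this campaign, and the recorded clicks are compared against the 1-10 self-ratings from the survey above to surface the overconfident group. The campaign secret, landing URL, user names and ratings are all constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example. A real deployment generates this with
# secrets.token_bytes(32) and keeps it server-side only.
CAMPAIGN_SECRET = b"example-only-secret-do-not-reuse"

# Stand-in for the just-in-time training content the landing page shows.
TRAINING_PAGE = "This was a simulated phish. Here is how you could have spotted it..."


def _sign(payload: bytes) -> str:
    return hmac.new(CAMPAIGN_SECRET, payload, hashlib.sha256).hexdigest()


def make_token(campaign_id: str, user_id: str) -> str:
    """Bind one campaign to one recipient. The HMAC prevents anyone who sees
    a link from minting tokens for other users or editing the user id."""
    if "|" in campaign_id:
        raise ValueError("campaign_id may not contain '|'")
    payload = f"{campaign_id}|{user_id}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_token(token: str):
    """Return (campaign_id, user_id) for a genuine token, otherwise None."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None
    try:
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(sig, _sign(payload)):  # constant-time compare
        return None
    campaign_id, sep, user_id = payload.decode(errors="replace").partition("|")
    return (campaign_id, user_id) if sep else None


def build_link(base_url: str, campaign_id: str, user_id: str) -> str:
    """The per-recipient URL that goes into the simulated phishing email."""
    return f"{base_url}?{urlencode({'t': make_token(campaign_id, user_id)})}"


class PhishSimulation:
    """Landing-page side of the campaign: records clicks, serves training."""

    def __init__(self, campaign_id: str):
        self.campaign_id = campaign_id
        self.clicks: dict[str, int] = {}

    def handle_click(self, url: str) -> tuple[int, str]:
        """Return (HTTP status, body) for a request to the landing page."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        ident = verify_token(token)
        if ident is None or ident[0] != self.campaign_id:
            # Forged, tampered or foreign token: look like a dead link rather
            # than confirm that a simulation is running.
            return 404, "Not found"
        user_id = ident[1]
        self.clicks[user_id] = self.clicks.get(user_id, 0) + 1
        return 200, TRAINING_PAGE


def calibration_report(self_ratings: dict[str, int], clicks: dict[str, int]) -> list[str]:
    """Users who rated themselves above average (6-10 on the article's 1-10
    scale) yet clicked the simulated phish, highest self-rating first."""
    overconfident = [u for u, r in self_ratings.items() if r > 5 and clicks.get(u, 0) > 0]
    return sorted(overconfident, key=lambda u: (-self_ratings[u], u))


def demo() -> list[str]:
    """Constructed sample campaign: four recipients, two real clicks, one forgery."""
    base = "https://training.example.test/lp"  # assumed landing URL
    sim = PhishSimulation("q1-awareness")
    self_ratings = {"alice": 8, "bob": 4, "carol": 9, "dave": 6}  # survey answers
    sim.handle_click(build_link(base, "q1-awareness", "alice"))
    sim.handle_click(build_link(base, "q1-awareness", "bob"))
    sim.handle_click(f"{base}?t=ZGF2ZQ.0000")  # "dave" with a bogus signature
    return calibration_report(self_ratings, sim.clicks)


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The token is signed rather than merely random so that a curious recipient cannot forward a tampered link that attributes a click to a colleague, and the landing page answers a bad token with a plain 404 so the simulation is not confirmed to anyone probing it. The report then ranks people by the distance between what they said and what they did, which is the only honest measure of who needs the training.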


Risk in how passwords are managed

You will also find the Dunning Kruger Effect at play in password habits. According to a 2012 CSID Consumer Survey, 89% of consumers felt secure with their current password management and use habits, yet 61% admitted to reusing passwords across multiple websites. Those two numbers cannot both be right: a reused password means that a breach at any one of those sites hands attackers working credentials for all the others, which is exactly what credential-stuffing attacks exploit.


2) Your IT Consultants

The next group of people who are prone to The Dunning Kruger Effect, and thereby put your cybersecurity at risk, is any consultant or company you have hired to manage and advise on your cybersecurity policies, spam filters, and firewalls. These are IT management companies, solo IT consultants, small technology consulting firms, and the like. If you were to survey the CEOs of a broad group of companies that you might consider for managed IT and technical support, you would find the Dunning Kruger Effect at play: almost everyone will score themselves above average compared to their peers.

This happens for two reasons. One, the way that small companies (especially solo practitioners) get ahead is by "faking it till they make it". They essentially have to trick themselves and inflate their confidence in order to win business. But let's put this point aside for now and look at the Dunning Kruger Effect itself.

The more common reason you have over-confidence in incompetent IT professionals is that they REALLY believe that they are great.

[Figures: illustrations of overconfident staff, sales people, and managers]

Some IT consultants believe this because they have little to no actual experience building effective, proven processes from the ground up. But an even bigger reason is that they don't have 50 other computer engineers of varying skills and abilities working next to them, constantly reminding them that others may know far more about computers than they do.

And just as with spotting phishing schemes, the only thing that will give them a more realistic self-assessment of where they stand on the spectrum from poor IT support to great IT support is training and education.

Among the people with the least skill, confidence is extremely high. As they gain skills and knowledge and, most importantly, spend ample time with peers in a healthy work environment, their confidence deflates to its appropriate level. They can then assess where their skills and abilities actually are and avoid doing something reckless that ruins your business.

[Figure: illustration of an overconfident technician and a burned-down factory]

This is why a shortlist of vendors usually contains both competent and incompetent ones that look equally good on paper: you tend to hire based on trust, and that trust is built on the confidence the IT company projects, which is exactly the signal the Dunning Kruger Effect corrupts.

Which brings us to another aspect of this cybersecurity threat, one that affects whether or not you experience a cybersecurity disaster in the next few years: you.

3) You

Your ability to select an IT vendor accurately and adequately may itself be suffering from The Dunning Kruger Effect. Remember, The Dunning Kruger Effect affects all of us in almost every way. There are some things you are truly above average in, perhaps hundreds, but there are thousands of things you are not above average in. Even so, if I were to survey readers and ask how they compare to their peers in selecting an IT vendor, six or more out of ten would list themselves above average. I didn't make that number up; it is in line with the original findings. On average we over-estimate our abilities. The one exception is those who truly are the best at something (the fourth quartile, or 75%-100%), who in the original studies tended to slightly underestimate themselves.

Because selecting the right IT vendor has everything to do with your cybersecurity, getting this one piece right is crucial. These are the computer engineers and IT consultants who will set up, retool, outfit, advise on, install, and maintain your computer network. You cannot get closer to cybersecurity than that.

So, if you are reading this far down, you are most likely past a place of ignorant thinking and in a place to learn. We created a resource that helps people purchasing IT services get a better idea of what to look out for when selecting an IT vendor. How do you tell a bad one from a good one? There are simple things you can do to look past the over-confidence of incompetent IT companies. If you have ever done business with an over-confident vendor that looked good on paper and in a discovery meeting, only to find that you made a mistake, then you know the pain. You are welcome to download a copy of our whitepaper on how to select the right IT vendor. Too much "expertise" in this area is never a bad idea.


Nobody is immune to The Dunning Kruger Effect. Not even me. After all, I am a business professional who is writing about psychology, and I work with an army of computer engineers who live and breathe computer technology. Even still, I sometimes have a computer problem and try to troubleshoot it myself. Something that takes them 15 minutes consumes my entire morning. I'm better off accepting that I am below average when it comes to computer support.

Embarrassing, I know.

There are many other things that I'm overly confident in. I'm not exactly sure what most of these things are, but the surest way for me to discover them is education. Generally, I want people to be self-confident. But when it comes to The Dunning Kruger Effect, I actually encourage deflated egos. This is the only way that we can come to a place of learning and skilling up in our workplace effectiveness and reasoning, and not fall prey to cybersecurity vulnerabilities. I hope that this article has been a useful perspective on our psychology in relation to cybersecurity.

Tags: IT security, IT management, Leadership
