Using behavioral science to build stronger defenses
Cybersecurity is usually seen as a technical problem. There are security controls, detection logic, encryption, and other pretty technical concepts. However, at the core, it remains a human issue: users making quick decisions under pressure, analysts triaging endless alerts, and executives deciding on trade-offs. Most of the time when I hear security people discuss human behavior, the conversation is centered around how we need to train, educate, and test people, or even more fun, turn them into “human firewalls”. What gets lost is that the human mind is not purely rational, and a lot of how we see the world and how we behave is shaped by the patterns that psychology calls cognitive biases.
I have long been fascinated by how biases impact our decision-making. Many years ago, I went super deep into reading Daniel Kahneman, Dan Ariely, and Richard H. Thaler, among others. As a product leader whose job has been to work with different stakeholders and to build products people love, I found behavioral economics and decision science incredibly useful. Years later, when I moved into cybersecurity, I was (and still am) surprised by how little discussion there is about behavioral science and its role in cyber. This is going to be the focus of this week’s article. This piece is going to be different because it’ll refer to a lot of other sources (I am not a psychologist, only an enthusiast and someone passionate about this topic).
This issue is brought to you by… Permiso.
Permiso’s new ITDR playbook: turn identity blind spots into detection wins.
We’ve broken down the 5 categories of authentication anomalies that catch the vast majority of identity attacks and paired them with ready-to-use detection rules and thresholds. No guesswork, just practical implementation guidance.
Why it matters:
Detection rates for compromised identities have dropped from 90% to 60% in the past year.
Attackers don’t need to break in: 90% of successful breaches start with logging in.
Once inside, they can begin lateral movement in as little as 30 minutes.
This playbook shows how to close that gap with risk-based response procedures and investigation workflows that actually work in practice.
Start detecting what others miss, and grab your copy today.
Cognitive biases 101
Here’s how Wikipedia defines cognitive biases: “A cognitive bias is a systematic pattern of deviation from norm or rationality in judgment. Individuals create their own 'subjective reality' from ...