This talk will examine the dynamics of the information security industry through the lens of behavioral economics. Traditional ways of thinking about defensive and offensive motivations focus on models such as game theory, which tend to assume the people on each side are “rational” actors. However, humans are predisposed to incorporate cognitive biases into their decision making, leading to “irrational” behaviors that are better described by behavioral models.
I’ll explore what biases defenders and attackers have when they make decisions, and how these insights can be leveraged to improve defensive efficacy. In particular, I’ll discuss the implications of behavioral economics theories such as Prospect Theory, time inconsistency and dual-process theory and their explanatory power for why the industry dynamics are the way they are.