Applying System 2 thinking to Digital Security

The best-selling book “Thinking Fast and Slow” by Daniel Kahneman suggests that humans exhibit two types of thinking – System 1 and System 2.

System 1 is our rapid, automatic, intuitive response – for example, if I showed you a picture of a cat, you’d recognise instantly what it was.  System 2 is slower and requires concentration – working out a complex calculation for instance.  And as we are generally time-poor and prefer taking the easier option, we will default to System 1 thinking given a choice.

So how does this relate to security?

Working out the costs and risks of security is complex.  Calculating the value of digital assets, evaluating the right security posture for a business, balancing cost with appropriate access levels for users, implementing effective policies – all that is undoubtedly hard.  Very much System 2 thinking.

Yet signing up employees for security awareness training is a relatively simple action – a “tick in the box” exercise if it is not supported by the ongoing measurement, tools and behaviour change that is required to make good security hygiene stick.

Purchasing a cyber insurance policy is also relatively simple, System 1 thinking.  The insurance company does the hard System 2 work of evaluating your risk profile and insurance premium and takes a large part of the risk.  The business just needs to consider whether the insurance premium and corresponding cover is sufficient to compensate for the potential costs of a breach.

A number of reports[1] predict average annual growth rates in the US cyber insurance market of c. 30% CAGR (compared to c.10% across all cyber security) and a global market size of $20bn by 2025.  So cyber insurance is growing nearly three times faster than the market for the cyber services that prevent breaches and attacks in the first place!

Cyber insurance – System 1 or System 2 thinking?

Cyber insurance has a role to play as part of an overall risk mitigation strategy and to reduce shareholder risk.  But it should be the last line of mitigation, not the first line of cyber defence.

The loss of data records has a wider impact.  Not just on the brand name of the company affected, but on the individuals whose passwords, accounts and personal data may have been compromised.

We need to continue applying System 2 thinking in order to combat the increasing volume and sophistication of cyber threats.  For example, measuring the ongoing success of security awareness programmes in creating an embedded security conscious culture and behaviours;  investing in the more complex task of commissioning cyber defence services that aim to prevent attacks happening.

Strong cyber defences – protects digital assets and helps business growth

Strong cyber defences that comply with regulations will also mitigate the risk of fines.  And they can help grow revenues.  A 2018 study by Cap Gemini [2] showed that 40% of consumers would be willing to increase their online spend by 20% or more, if their retailer gave them assurances which built trust.

Tailored insurance premiums to reflect each organisation’s real efforts to minimise cyber attacks

Cyber insurers are maturing their policies to reflect the security posture and risk profile of their clients, and the value of the assets being insured.  Organisations are receiving tailored insurance premiums that incentivise and reflect the good security practices which should be their primary focus.

It is also likely that fines for some risks (GDPR non-compliance for example) won’t be insurable as they will fall into the category of statutory penalties or criminal sanctions that can’t be recovered from insurers.  Organisations will need to invest in proper GDPR compliance programmes in order to avoid penalties.

Business level granularity is important.  A 2018 study by Ponemon[3] showed the costs of a data breach varied by geography and by industry – the average cost of a compromised record across all industries was $148, but this rose to $408 for a healthcare record. (See Figure 1 below).  And the average total cost of a data breach to an organisation in 2018 was $3.86m.


Figure 1 Per record cost by industry

The report also identified 22 organisation-level components which could increase or reduce the cost impact of a data breach.  Effective employee awareness training, a rapid incident response team, participation in threat sharing and effective use of encryption for example, can together reduce the impact of a breach by around 40%.  (See Figure 2 below)

Fig 2

Figure 2 Impact of 22 factors on the per record cost of a data breach

Advice on the right investments to provide confidence in combatting a cyber attack or data breach

Sopra Steria works with public and private sector organisations to help them evaluate their cyber risk profile.  We also assist them communicate the costs and benefits of cyber security to senior decision makers. This includes helping organisations to take actions that minimise the likelihood and impact of a breach, as well as minimise the costs of any insurance that they may take out.

Please get in touch if you would like to discuss how we can help you take a System 2 approach to your cyber security strategy; and how we can help you grow your business by providing reassurance to your customers, staff and stakeholders, that their data is protected by real and considered cyber defence investments.

Watch Alex Henneberg talk about System 2 Thinking



[2] Cybersecurity: The new source of competitive advantage for retailers

[3] Ponemon Institute:

Published by

Alex Henneberg

Committed to tackling cybercrime and to help organisations develop secure, digital services for their staff, citizens and customers. Keen to engage with partners to create propositions that connect people, things and processes in as automated, intelligent and frictionless way as possible.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.