Applying System 2 thinking to Digital Security

The best-selling book “Thinking Fast and Slow” by Daniel Kahneman suggests that humans exhibit two types of thinking – System 1 and System 2.

System 1 is our rapid, automatic, intuitive response – for example, if I showed you a picture of a cat, you’d recognise instantly what it was.  System 2 is slower and requires concentration – working out a complex calculation for instance.  And as we are generally time-poor and prefer taking the easier option, we will default to System 1 thinking given a choice.

So how does this relate to security?

Working out the costs and risks of security is complex.  Calculating the value of digital assets, evaluating the right security posture for a business, balancing cost with appropriate access levels for users, implementing effective policies – all that is undoubtedly hard.  Very much System 2 thinking.

Yet signing up employees for security awareness training is a relatively simple action – a “tick in the box” exercise if it is not supported by the ongoing measurement, tools and behaviour change that is required to make good security hygiene stick.

Purchasing a cyber insurance policy is also relatively simple, System 1 thinking.  The insurance company does the hard System 2 work of evaluating your risk profile and insurance premium and takes a large part of the risk.  The business just needs to consider whether the insurance premium and corresponding cover is sufficient to compensate for the potential costs of a breach.

A number of reports[1] predict average annual growth rates in the US cyber insurance market of c. 30% CAGR (compared to c.10% across all cyber security) and a global market size of $20bn by 2025.  So cyber insurance is growing nearly three times faster than the market for the cyber services that prevent breaches and attacks in the first place!

Cyber insurance – System 1 or System 2 thinking?

Cyber insurance has a role to play as part of an overall risk mitigation strategy and to reduce shareholder risk.  But it should be the last line of mitigation, not the first line of cyber defence.

The loss of data records has a wider impact.  Not just on the brand name of the company affected, but on the individuals whose passwords, accounts and personal data may have been compromised.

We need to continue applying System 2 thinking in order to combat the increasing volume and sophistication of cyber threats.  For example, measuring the ongoing success of security awareness programmes in creating an embedded security conscious culture and behaviours;  investing in the more complex task of commissioning cyber defence services that aim to prevent attacks happening.

Strong cyber defences – protects digital assets and helps business growth

Strong cyber defences that comply with regulations will also mitigate the risk of fines.  And they can help grow revenues.  A 2018 study by Cap Gemini [2] showed that 40% of consumers would be willing to increase their online spend by 20% or more, if their retailer gave them assurances which built trust.

Tailored insurance premiums to reflect each organisation’s real efforts to minimise cyber attacks

Cyber insurers are maturing their policies to reflect the security posture and risk profile of their clients, and the value of the assets being insured.  Organisations are receiving tailored insurance premiums that incentivise and reflect the good security practices which should be their primary focus.

It is also likely that fines for some risks (GDPR non-compliance for example) won’t be insurable as they will fall into the category of statutory penalties or criminal sanctions that can’t be recovered from insurers.  Organisations will need to invest in proper GDPR compliance programmes in order to avoid penalties.

Business level granularity is important.  A 2018 study by Ponemon[3] showed the costs of a data breach varied by geography and by industry – the average cost of a compromised record across all industries was $148, but this rose to $408 for a healthcare record. (See Figure 1 below).  And the average total cost of a data breach to an organisation in 2018 was $3.86m.


Figure 1 Per record cost by industry

The report also identified 22 organisation-level components which could increase or reduce the cost impact of a data breach.  Effective employee awareness training, a rapid incident response team, participation in threat sharing and effective use of encryption for example, can together reduce the impact of a breach by around 40%.  (See Figure 2 below)

Fig 2

Figure 2 Impact of 22 factors on the per record cost of a data breach

Advice on the right investments to provide confidence in combatting a cyber attack or data breach

Sopra Steria works with public and private sector organisations to help them evaluate their cyber risk profile.  We also assist them communicate the costs and benefits of cyber security to senior decision makers. This includes helping organisations to take actions that minimise the likelihood and impact of a breach, as well as minimise the costs of any insurance that they may take out.

Please get in touch if you would like to discuss how we can help you take a System 2 approach to your cyber security strategy; and how we can help you grow your business by providing reassurance to your customers, staff and stakeholders, that their data is protected by real and considered cyber defence investments.

Watch Alex Henneberg talk about System 2 Thinking



[2] Cybersecurity: The new source of competitive advantage for retailers

[3] Ponemon Institute:

Three key levers to combat cyber crime

Sopra Steria’s vision for digital security is to improve people’s lives.  We’re aiming to do this by reducing cybercrime, protecting our customers’ digital assets, and by enabling organisations to engage with their customers and citizens in the most frictionless way possible.

To deliver the vision we are focussing on three key levers – collaboration, innovation and “Security by Design”.

Collaboration is key

If public agencies, private sector security providers, and in-house cyber teams can share security research and threat intelligence, we can maximise security budgets, avoid duplicated effort, and collectively detect and prevent criminal activity much earlier.

A recent report (Ponemon Institute: 2018 Cost of Data Breach Study) found that breaches that took over 100 days to identify, cost organisations nearly 40% more than those identified in under 100 days. And breaches that were contained in under 30 days saved organisations c. £1m per breach, compared to those that took more than 30 days to resolve.  There are certainly opportunities for quick wins by working together.

The size of the Cyber crime problem

The costs of cybercrime are now so vast, that if we only do what we think is necessary at our individual, business or national level we will fall short of the significant challenge facing us.

In  2014, the cost to the global economy of cyber crime was $400bn.  It is now running at $600bn per year – that’s greater than the GDP of 80% of all countries in the world.

In the UK, Cybercrime cost businesses over £30bn last year, yet the UK market spend on cyber services was around £3bn, barely 10% of the cost to the economy of cybercrime.

The threat to UK businesses is growing – A 2017 study by Beaming discovered that UK businesses each experienced an average of over 600 attempts a day to breach their corporate firewalls – 30% more than 2 years earlier.

And according to a 2018 report by Positive Technologies, cyber crime services can be purchased on the dark web at shockingly low rates – $40 for a hacking email; $50 for a Distributed Denial of Service attack; $750 for infecting an organisation with ransomware.

Gartner estimate that spending on security and risk management should be around 4-7% of an organisation’s overall IT budget.  Innovation can help this budget go further.


New cyber services are constantly being developed by thousands of security vendors worldwide. By working with resellers and outsource service providers who have their own horizon-scanning and integration capabilities, organisations can discover and test these developments.  They include applying capabilities like AI and machine learning to orchestrate and automate security operations; and establishing security roadmaps that maximise security investments.

The same Ponemon study saw organisations that deployed an AI security platform save an average of £130k (5%) against the average cost of a breach. Organisations that fully deployed security automation, including the use of AI and analytics, reduced the average cost of a breach by over £1m.  Yet in the UK, only 10% of the surveyed companies had fully deployed such security automation.

We also need to explore technologies like blockchain that have security built in to their core.  Sopra Steria has developed a number of Proof of Concepts that use the inherent trust, confidentiality and provenance of distributed ledger technologies to track assets, manage logistics and record transactions in a more efficient manner.

Security by Design

The security industry mantra is to design applications and services with security controls that are baked in, not bolted on – particularly relevant when developing solutions that incorporate third party IoT devices. Examples include testing application vulnerabilities at each stage of the development process; regularly assessing the value of organisation data; and understanding the relationships between that data and accompanying systems and business processes.

Should CIA grow up… to CIPPA?

Cyber attacks have typically targeted the Confidentiality, Integrity and Availability (CIA) of networks and data.  We should now add Privacy and Provenance as security considerations, following the recent Cambridge Analytica/Facebook scandal, new GDPR regulations,  and the ability for home hub devices to “accidentally” record private conversations; not to mention the rise in counterfeit goods, video mimicry and “fake news”.  CIA should now be CIPPA…   

Aiming to make tomorrow better than today

Sopra Steria’s digital security vision is to improve lives by reducing cyber crime and enabling organisations to create more reliable and secure digital services.  Please get in touch if you’d like to explore opportunities for collaboration or to share innovative ideas, so that together we are better able to tackle and reduce cyber crime.