Applying System 2 thinking to Digital Security

The best-selling book “Thinking Fast and Slow” by Daniel Kahneman suggests that humans exhibit two types of thinking – System 1 and System 2.

System 1 is our rapid, automatic, intuitive response – for example, if I showed you a picture of a cat, you’d recognise instantly what it was.  System 2 is slower and requires concentration – working out a complex calculation for instance.  And as we are generally time-poor and prefer taking the easier option, we will default to System 1 thinking given a choice.

So how does this relate to security?

Working out the costs and risks of security is complex.  Calculating the value of digital assets, evaluating the right security posture for a business, balancing cost with appropriate access levels for users, implementing effective policies – all that is undoubtedly hard.  Very much System 2 thinking.

Yet signing up employees for security awareness training is a relatively simple action – a “tick in the box” exercise if it is not supported by the ongoing measurement, tools and behaviour change that is required to make good security hygiene stick.

Purchasing a cyber insurance policy is also relatively simple, System 1 thinking.  The insurance company does the hard System 2 work of evaluating your risk profile and insurance premium and takes a large part of the risk.  The business just needs to consider whether the insurance premium and corresponding cover is sufficient to compensate for the potential costs of a breach.

A number of reports[1] predict average annual growth rates in the US cyber insurance market of c. 30% CAGR (compared to c. 10% across all cyber security) and a global market size of $20bn by 2025.  So cyber insurance is growing around three times faster than the market for the cyber services that prevent breaches and attacks in the first place!

Cyber insurance – System 1 or System 2 thinking?

Cyber insurance has a role to play as part of an overall risk mitigation strategy and to reduce shareholder risk.  But it should be the last line of mitigation, not the first line of cyber defence.

The loss of data records has a wider impact.  Not just on the brand name of the company affected, but on the individuals whose passwords, accounts and personal data may have been compromised.

We need to continue applying System 2 thinking in order to combat the increasing volume and sophistication of cyber threats.  For example, measuring the ongoing success of security awareness programmes in creating an embedded security conscious culture and behaviours;  investing in the more complex task of commissioning cyber defence services that aim to prevent attacks happening.

Strong cyber defences – protects digital assets and helps business growth

Strong cyber defences that comply with regulations will also mitigate the risk of fines.  And they can help grow revenues.  A 2018 study by Capgemini [2] showed that 40% of consumers would be willing to increase their online spend by 20% or more if their retailer gave them assurances which built trust.

Tailored insurance premiums to reflect each organisation’s real efforts to minimise cyber attacks

Cyber insurers are maturing their policies to reflect the security posture and risk profile of their clients, and the value of the assets being insured.  Organisations are receiving tailored insurance premiums that incentivise and reflect the good security practices which should be their primary focus.

It is also likely that fines for some risks (GDPR non-compliance for example) won’t be insurable as they will fall into the category of statutory penalties or criminal sanctions that can’t be recovered from insurers.  Organisations will need to invest in proper GDPR compliance programmes in order to avoid penalties.

Business level granularity is important.  A 2018 study by Ponemon[3] showed the costs of a data breach varied by geography and by industry – the average cost of a compromised record across all industries was $148, but this rose to $408 for a healthcare record. (See Figure 1 below).  And the average total cost of a data breach to an organisation in 2018 was $3.86m.


Figure 1 Per record cost by industry

The report also identified 22 organisation-level components which could increase or reduce the cost impact of a data breach.  Effective employee awareness training, a rapid incident response team, participation in threat sharing and effective use of encryption for example, can together reduce the impact of a breach by around 40%.  (See Figure 2 below)

Figure 2 Impact of 22 factors on the per record cost of a data breach

Advice on the right investments to provide confidence in combatting a cyber attack or data breach

Sopra Steria works with public and private sector organisations to help them evaluate their cyber risk profile, and helps them communicate the costs and benefits of cyber security to senior decision makers.  This includes helping organisations take actions that minimise the likelihood and impact of a breach, as well as minimise the cost of any insurance they may take out.

Please get in touch if you would like to discuss how we can help you take a System 2 approach to your cyber security strategy; and how we can help you grow your business by providing reassurance to your customers, staff and stakeholders, that their data is protected by real and considered cyber defence investments.

Watch Alex Henneberg talk about System 2 Thinking



[2] Cybersecurity: The new source of competitive advantage for retailers

[3] Ponemon Institute:

Got a great idea? Come and play in the sandbox!

It’s all change in banking!  I’ve worked in banking IT for more than 20 years and never has the pace of change been so quick.  Rather than the traditional ‘big names’ always coming up with new ideas and technologies, start-ups and FinTechs are now seriously getting in on the game.  Rapid developments in programming languages, IaaS (Infrastructure as a Service), the falling cost of IT and new, innovative and highly collaborative ways of working mean that innovators can use real user data to design and develop new, highly desirable services and solutions, and get them to market in record time.

A major catalyst is the European Open Banking directive (PSD2, the revised Payment Services Directive).  It encourages new, disruptive players to get involved and to develop and deliver banking functionality outside what would be considered traditional bank servicing.

What’s more, the UK’s Open Banking Implementation Entity (OBIE) has developed an agreed set of APIs (Application Programming Interfaces) that Third Party Providers (TPPs) can use to access bank data, with the customer’s explicit consent.  This means that both banks and FinTechs have the opportunity to build new applications that compare banking product sets and aggregate customer and account data across banks.

So how should a FinTech with a great application idea (and a brilliant team) get started?

Today, industry sandboxes offer a new way forward.  FinTechs can develop, test and prove ideas, producing a robust proof of concept, using an industry sandbox.  A sandbox lets start-ups with new product ideas accelerate development and testing against test bank data, so that innovative ideas can get to market quickly and cost-effectively.  Many established banks are getting in on the sandbox initiative: Danske, Lloyds and Nationwide all have a developer portal giving access to code examples and other helpful documentation, and leading banks including Allied Irish, Barclays and Royal Bank of Scotland have invested in sandbox technology which FinTechs can access.  This means FinTechs can prove that their use of the APIs works against industry-approved data, and exercising an integration with production-like test data always throws up use cases you did not consider.  One check worth making before building on a sandbox: confirm that its data set is synthetic rather than a copy of real customer records, because a proof of concept that processes real personal data carries the same data-protection obligations as a production system.

New entrants are also making it easier to get involved.  Avaloq and Starling Bank actively encourage innovation with their developer platforms.  Both deliver access to their test data and have a wealth of documentation covering a much greater range of functionality.  Starling even lets individuals test against their own personal account, to prove instant value and engagement.  Not sure where to start?  Take a look at GitHub: it has code examples, collaboration projects where you can listen, learn and grow ideas, and discussion forums covering every stage of the development lifecycle.

Or why not check out the Open Bank Project (Berlin)?  It is the leading open source API and app store for banks.  Its open source APIs, the surrounding ecosystem of tools and a pro-active FinTech developer community help banks engage with the next generation of innovators rapidly, safely and securely.

You know that brilliant idea you had last night? What’s stopping you?

Sopra Steria to host 2 internal hackathons in Edinburgh and Glasgow!

Sopra Steria are hosting 2 internal hackathons this week across our Edinburgh and Glasgow offices where participants will be making use of DevOps tooling to deploy and manage applications on InnerShift. InnerShift is Sopra Steria’s internal container platform based on Red Hat OpenShift and will be used to facilitate the deployment and management of containers, standalone pieces of software that include everything needed to be able to run an application – from code and runtime to system tools, libraries and settings.

Attendees will work in teams of 3-4 people and will have 3 hours to work through a list of pre-defined objectives, such as deployment through Source-to-Image (S2I) builds and the creation of CI/CD pipelines.  The teams will be required to make changes to their application and to InnerShift to make use of some of the rich feature set available within the platform.  The teams will be encouraged to work together, and experienced Sopra Steria architects will be in attendance to support and help with any issues that may arise.
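To make the S2I objective concrete, here is an added illustration of the two OpenShift objects a team would typically create: a BuildConfig that builds an image straight from a Git repository using an S2I builder image, and a Deployment that runs the result with a restrictive security context.  This is not code from InnerShift or from the hackathon; the repository URL, project name, application name and builder image tag are assumptions, and the registry hostname is the OpenShift 4 internal registry default.  The security-relevant detail is the ImageChange trigger on the build: when the builder image is patched, the application image is rebuilt automatically, so base-image fixes propagate without anyone remembering to kick off a build.

```yaml
# BuildConfig: Source-to-Image build from Git (added example; names are assumptions)
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: hello-app
  namespace: demo-project            # assumed project name
spec:
  source:
    type: Git
    git:
      uri: https://github.com/example/hello-app.git   # hypothetical repository
      ref: main
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: python:3.9-ubi8        # assumed S2I builder image in the 'openshift' namespace
        namespace: openshift
  output:
    to:
      kind: ImageStreamTag
      name: hello-app:latest
  triggers:
  - type: ConfigChange               # rebuild when this BuildConfig changes
  - type: ImageChange                # rebuild when the builder image is updated (base-image patches)
---
# Deployment: run the built image as a non-root, read-only container
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-app
  namespace: demo-project
  annotations:
    # Roll out a new pod whenever hello-app:latest is rebuilt
    image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"hello-app:latest"},"fieldPath":"spec.template.spec.containers[?(@.name==\"hello-app\")].image"}]'
spec:
  replicas: 2
  selector:
    matchLabels:
      app: hello-app
  template:
    metadata:
      labels:
        app: hello-app
    spec:
      containers:
      - name: hello-app
        image: image-registry.openshift-image-registry.svc:5000/demo-project/hello-app:latest
        ports:
        - containerPort: 8080
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:
          limits:
            cpu: "500m"
            memory: "256Mi"
```

Apply both objects with `oc apply -f` in the target project and start the first build with `oc start-build hello-app`.  The same BuildConfig can be generated in one line with `oc new-app python:3.9-ubi8~https://github.com/example/hello-app.git`, but writing it out shows where the triggers live, and the Deployment's security context is what the restricted SCC on OpenShift expects of a workload anyway.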

The main aim of these events is to help our employees upskill in the area of DevOps/OpenShift and facilitate knowledge transfer from more experienced employees to members of staff who may be new to the company or who may not have worked with OpenShift before. The events are open to all colleagues and our RSVPs so far range from graduates and developers to business analysts and UX consultants.

Sopra Steria are always working to roll out innovation across the organisation and we are sure that the output of these events will help to establish innovative uses of technology that we can share with both coworkers and clients alike. A blog will be published on the Sopra Steria website post-event that will discuss the content of the evenings – watch this space!

Don’t fear the RPA!

The Digital Revolution is upon us and the reality is that it will bring change we simply cannot afford to ignore.

Humankind has constantly striven to find new, better ways of living and working. The industrial revolution introduced new ways of working to a society relying on physical labour alone and the results – cheaper goods, improved transportation, safer factories, better working conditions and evolved communications – set the tone for a period of continuous improvement moving forward.  Throughout the 19th and 20th Centuries, the pace of change increased; developments in cars, fuels, heating, atomic power, plastics and synthetics have improved countless lives and this drive to constantly enhance and improve has continued.


When the manufacturing industry adopted automation 20 years ago it was seen as truly revolutionary, bringing new, more efficient ways of working.  Doomsayers warned of jobs being lost but in fact, quality increased and competition flourished.   Outsourcing was another big change but each time the market quickly adapted, leading to a service oriented industry that has since generated millions of brand new jobs.  It’s a fact that what was once seen as truly innovative is soon seen as commonplace and ‘business as usual’.

Today, the seismic change is digital.  It’s remarkable to consider that it’s only around 10 years since the modern smartphone arrived, but since then Facebook, Twitter, Instagram and LinkedIn have emerged, and Amazon, Uber, mobile banking and even online gaming have become daily realities of life.  The whole way we live, work and socialise is undergoing truly transformational change, and the pace of that change is most definitely speeding up rather than slowing down.  The reassuring element, however, is that each time change comes the new way doesn’t dominate; instead it augments and enhances the previous approach, introducing totally new ways of thinking.

So what’s the next big ‘game changer’? Robotic Process Automation (RPA) is the ‘new’ hot topic of the Digital era, offering huge advantages to business and society alike.  For business leaders – RPA delivers a more efficient, streamlined and cost effective business operation; for individuals – it offers the opportunity for more interesting, fulfilling and less repetitive jobs.  RPA empowers business leaders to automate manual tasks and simple ‘rules based’ activities freeing up staff to undertake more interesting and challenging activities – a true win-win!

Curiously, despite the rise of digitally enabled and automated application processes, many organisational activities in banks and investment companies today are still manually driven.  For example, across the Credit Risk lifecycle, manual data entry and manual data processing remains surprisingly prevalent at certain stages of the decisioning process.  In addition, for many Retail and almost all wholesale credit applications, decisions are manually underwritten.  Using RPA, a virtual workforce can augment processes undertaken across the Credit Risk lifecycle to deliver increased quality, improved accuracy and greater consistency 24/7 – reducing the risk of non-compliance and delivering a more responsive customer experience.

So don’t fear the digital revolution, now is the time to jump on board and embrace it.   Click here to find out how we do it at Sopra Steria.