Understanding and overcoming cyber security anti-patterns

This article presents an empirical and practice-based analysis of the question, why despite substantial investments, there are still major security weaknesses in today’s information systems. Acknowledging that cyber security is not a purely technical discipline, the article takes a holistic approach and identifies four anti-patterns that are frequent in practice and detrimental to the goal of achieving strong cyber security. The first anti-pattern is that decisions about security are frequently based on intuition rather than data and rigor; this introduces cognitive biases and undermines decision quality. Second, many organizations fail to implement foundational security controls and consequently, are easy targets for opportunistic and novice attackers. Third, there is an overreliance on the relatively static threat knowledge in products such as virus scanners, while an inability to learn and adapt dynamically opens the door for advanced threats. Fourth, weaknesses in security governance create systemic control gaps and vulnerabilities. The article describes each anti-pattern and presents specific steps that organizations can take to overcome them.