Why We Keep Losing Despite Stronger Security Controls
Over the past three years, businesses have almost doubled their confidence in cybersecurity—rising from 32% in 2021 to 54% in 2024 (The Global Cost of Ransomware Study, 2025). Despite this, ransomware’s impact has only grown: 40% of affected companies suffered significant revenue losses, 58% experienced operational downtime, and 51% paid the ransom—but only 13% recovered all their data (The Global Cost of Ransomware Study, 2025).
If security tools are improving, why are businesses still losing? The answer lies not just in technology, but in human decision-making errors. Cybersecurity strategies are often shaped by faulty assumptions, cognitive biases, and misjudged priorities rather than objective risk assessments.
This article explores three critical thinking errors that contribute to poor security decisions:
- Survivorship Bias makes organizations believe that their security is strong simply because they haven’t been attacked—ignoring vulnerabilities that have taken down others.
- Run Toward the Roar causes companies to focus on high-profile threats while overlooking quieter, more dangerous attack vectors.
- Cargo Cult Security leads businesses to copy industry best practices without truly understanding their effectiveness.
These are just a few of the cognitive and decision-making biases that influence security strategies. Other biases—such as the Overconfidence Effect, Availability Heuristic, and Normalization of Deviance—also play a role in security failures. Each of these could be the topic of its own article.
Thinking Errors That Weaken Cybersecurity
Survivorship Bias: Why "We’ve Never Been Hacked" is a Dangerous Assumption
During World War II, military engineers analyzed returning bombers, reinforcing areas riddled with bullet holes. But statistician Abraham Wald saw a flaw: the planes that never returned were the ones hit in critical areas—the engines and cockpit. The missing data led to misplaced reinforcements.
Cybersecurity suffers from the same illusion. Many companies assume they’re secure simply because they haven’t yet suffered an attack. However, they fail to see the organizations that were breached and didn’t survive. Their survival isn’t proof of security—it’s just proof they haven’t been tested yet.
This selective perception leads to dangerous complacency. Instead of focusing on real security gaps, companies continue operating under false confidence, often ignoring warnings from security teams. This is especially concerning given that 52% of ransomware attacks exploit unpatched systems, a 180% increase from previous years (The Global Cost of Ransomware Study, 2025).
Run Toward the Roar: Misjudging Where the Real Danger Lies
In the wild, an old lion roars from one side of the prey while the younger, stronger hunters lie hidden in the tall grass on the other. The prey flees the roar and runs straight into the jaws of the real threat. Cybercriminals exploit the same reflex: while companies fixate on headline-grabbing ransomware strains, attackers walk in through overlooked weaknesses such as stolen credentials, unpatched software, and misconfigured remote access.
After the Colonial Pipeline attack in 2021, many companies invested heavily in ransomware-specific defenses but neglected basic security hygiene: securing RDP access, enforcing MFA, and applying patches. Colonial Pipeline itself was entered not through a novel exploit but through a legacy VPN account whose password had leaked and which had no MFA. The result? Millions spent on defenses for yesterday's threats, while the real attack vectors remained exposed (The Global Cost of Ransomware Study, 2025).
This pattern reflects a systematic misjudgment of risk. Organizations tend to react to high-profile threats instead of analyzing actual attack patterns and adapting accordingly. This is further supported by the 2024 State of Threat Intelligence Report, which found that organizations continue to prioritize investment in perimeter defenses, while attackers shift to targeting identity-based attacks, leveraging stolen credentials in 61% of breaches ("2024 State of Threat Intelligence", 2024).
Cargo Cult Security: Imitating Without Understanding
After World War II, islanders who had witnessed Allied soldiers receiving supplies built wooden airstrips and wore coconut shell "headsets", hoping to summon cargo planes back. They mimicked the form without understanding the function—a perfect analogy for many cybersecurity programs today.
SMEs often adopt security measures because industry leaders do, rather than based on their actual threat landscape. For example, many companies deploy MFA for executives but leave IT admin accounts unprotected—even though attackers target privileged accounts first. Others invest in AI security tools without clear implementation strategies.
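The check that exposes this particular cargo-cult pattern is simple to state: rank MFA gaps by the privilege an account holds, not by the seniority of the person behind it. The script below is an added example, not code from the article; the account inventory, the group names and the tier mapping are constructed assumptions for illustration, and in a real audit the inventory would be exported from the directory (AD, Entra ID, Okta) instead.

```python
"""Rank MFA gaps by privilege tier rather than by seniority.

Added example, not code from the article. The account inventory, the group
names and the tier mapping are constructed assumptions for illustration; in a
real audit the inventory would come from the directory (AD, Entra ID, Okta).
"""

# Assumed tier mapping: groups whose members control the identity platform
# itself (tier 0) or servers and backups (tier 1). Everyone else is tier 2.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
TIER1_GROUPS = {"Server Operators", "Backup Operators", "Helpdesk Admins"}

# Constructed inventory: executives are covered, the admin accounts are not.
ACCOUNTS = [
    {"user": "ceo",        "title": "CEO",             "groups": ["Executives"],       "mfa": True},
    {"user": "cfo",        "title": "CFO",             "groups": ["Executives"],       "mfa": True},
    {"user": "jsmith",     "title": "IT admin",        "groups": ["Staff"],            "mfa": True},
    {"user": "jsmith-adm", "title": "IT admin",        "groups": ["Domain Admins"],    "mfa": False},
    {"user": "svc-backup", "title": "service account", "groups": ["Backup Operators"], "mfa": False},
    {"user": "helpdesk1",  "title": "Helpdesk",        "groups": ["Helpdesk Admins"],  "mfa": True},
    {"user": "mmueller",   "title": "Sales",           "groups": ["Staff"],            "mfa": False},
]


def privilege_tier(groups):
    """0 = controls the directory, 1 = controls servers/backups, 2 = standard user."""
    g = set(groups)
    if g & TIER0_GROUPS:
        return 0
    if g & TIER1_GROUPS:
        return 1
    return 2


def mfa_coverage_by_tier(accounts):
    """Fraction of accounts with MFA enforced, per tier (None if a tier is empty)."""
    totals = {0: [0, 0], 1: [0, 0], 2: [0, 0]}   # tier -> [with_mfa, total]
    for a in accounts:
        t = privilege_tier(a["groups"])
        totals[t][1] += 1
        totals[t][0] += int(a["mfa"])
    return {t: (w / n if n else None) for t, (w, n) in totals.items()}


def prioritized_mfa_gaps(accounts):
    """Accounts without MFA, most privileged first: the order to fix them in."""
    gaps = [a for a in accounts if not a["mfa"]]
    gaps.sort(key=lambda a: (privilege_tier(a["groups"]), a["user"]))
    return [
        {"user": a["user"], "tier": privilege_tier(a["groups"]),
         "severity": ("critical", "high", "medium")[privilege_tier(a["groups"])]}
        for a in gaps
    ]


def coverage_by_group(accounts, group):
    """MFA coverage for one group, e.g. to contrast 'Executives' with tier 0."""
    members = [a for a in accounts if group in a["groups"]]
    return sum(a["mfa"] for a in members) / len(members) if members else None


if __name__ == "__main__":
    print("coverage by tier:", mfa_coverage_by_tier(ACCOUNTS))
    print("executives:", coverage_by_group(ACCOUNTS, "Executives"))
    for gap in prioritized_mfa_gaps(ACCOUNTS):
        print(gap)
```

On the constructed inventory the executive group reports 100% MFA coverage while tier 0 reports 0%, which is exactly the picture a per-department dashboard hides: the one domain admin account without MFA outweighs every executive mailbox, and it comes first in the remediation list.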
Cargo Cult Security is not a cognitive bias, but rather a misunderstood cause-effect relationship. It represents the assumption that imitating security controls leads to actual protection, when in reality, security effectiveness depends on contextual implementation and risk-based prioritization.
How Decision-Making Errors Create Blind Spots in Cybersecurity
These thinking errors don’t just distort individual decisions—they shape entire security strategies, leading to overconfidence and misplaced priorities. Attackers exploit these blind spots, knowing that most companies will focus on visible risks rather than hidden ones.
- The Myth of "Unbreachable" Systems (Survivorship Bias): Many organizations believe their security is strong simply because they haven’t been breached. The reality? 68% of breaches involve human error, such as misconfiguration or phishing (The Global Cost of Ransomware Study, 2025).
- Chasing High-Profile Threats While Ignoring Fundamentals (Run Toward the Roar): Ransomware gangs shift their tactics faster than defenses evolve. For example, cached credential attacks rose from 42% in 2021 to 48% in 2024, yet many companies still prioritize outdated perimeter defenses ("2024 State of Threat Intelligence", 2024).
- False Security Through Imitation (Cargo Cult Security): A security tool is only as effective as its implementation. Many SMEs invest in expensive security stacks but lack segmentation, privilege controls, and real response strategies, rendering their defenses superficial.
Fixing Security Awareness: Rethinking Employee Training
Employee training is one of the most cost-effective cybersecurity investments—yet many awareness programs fail because they reinforce cognitive biases rather than correct them.
The Author’s Bias: Why Awareness Training?
I must acknowledge my own bias in advocating for awareness training. As someone deeply engaged in the human factor of cybersecurity, I naturally emphasize psychological and behavioral approaches. However, security is not solved through awareness alone—technical controls, automation, and network segmentation are just as critical.
Stop Measuring Click Rates—Measure Response Time Instead
Most phishing simulations track click rates and punish employees who fail the test. This creates a culture of fear in which employees hide mistakes rather than report threats. Click rate is also a poor measure of exposure: a single click is enough to give an attacker a foothold, so what limits the damage is how quickly the first report reaches the security team, not how few people clicked.
Better metrics for phishing awareness:
- Time-to-report: How quickly users flag phishing attempts.
- Reporting rate: Percentage of employees who actively report suspicious emails.
- Escalation effectiveness: How fast security teams respond to reported threats.
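The three metrics above can be computed directly from the event log a simulation platform exports. The script below is an added example, not code from the article or from any particular phishing tool; the campaign log is constructed, and its field names (ts, event, user) and the "triaged" event (the SOC acknowledging a report) are assumptions about the export format. It also reports a value the list does not name but that follows from it: the head start the defenders get when the first report lands before the first click.

```python
"""Phishing-simulation metrics that reward reporting instead of punishing clicks.

Added example, not taken from the article. The event log is constructed for
illustration; its field names (ts, event, user) and the "triaged" event
(SOC acknowledgement of a report) are assumptions, not a real tool's export.
"""
from datetime import datetime
from statistics import median

# Constructed campaign log: five recipients, ISO-8601 timestamps (UTC).
EVENTS = [
    {"ts": "2025-03-03T09:00:00", "event": "sent",     "user": "alice"},
    {"ts": "2025-03-03T09:00:00", "event": "sent",     "user": "bob"},
    {"ts": "2025-03-03T09:00:00", "event": "sent",     "user": "carol"},
    {"ts": "2025-03-03T09:00:00", "event": "sent",     "user": "dave"},
    {"ts": "2025-03-03T09:00:00", "event": "sent",     "user": "erin"},
    {"ts": "2025-03-03T09:04:00", "event": "reported", "user": "alice"},
    {"ts": "2025-03-03T09:06:00", "event": "triaged",  "user": "alice"},
    {"ts": "2025-03-03T09:10:00", "event": "clicked",  "user": "bob"},
    {"ts": "2025-03-03T09:12:00", "event": "reported", "user": "bob"},   # clicked, then reported
    {"ts": "2025-03-03T09:40:00", "event": "triaged",  "user": "bob"},
    {"ts": "2025-03-03T10:30:00", "event": "clicked",  "user": "carol"},
    {"ts": "2025-03-03T11:00:00", "event": "reported", "user": "dave"},
    {"ts": "2025-03-03T13:00:00", "event": "triaged",  "user": "dave"},
]


def _minutes(later, earlier):
    return (later - earlier).total_seconds() / 60


def first_events(events):
    """Return {event_type: {user: earliest timestamp}} for the campaign."""
    first = {"sent": {}, "clicked": {}, "reported": {}, "triaged": {}}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        bucket = first[e["event"]]
        if e["user"] not in bucket or t < bucket[e["user"]]:
            bucket[e["user"]] = t
    return first


def campaign_metrics(events):
    f = first_events(events)
    sent, clicked, reported, triaged = f["sent"], f["clicked"], f["reported"], f["triaged"]
    n = len(sent)
    launch = min(sent.values())

    # Per-user time from delivery to report, and from report to SOC triage.
    time_to_report = [_minutes(reported[u], sent[u]) for u in reported if u in sent]
    time_to_triage = [_minutes(triaged[u], reported[u]) for u in triaged if u in reported]

    # Users who clicked but still reported afterwards: the behaviour a
    # click-rate-only metric punishes, and exactly what incident response needs.
    clicked_then_reported = sorted(u for u in reported if u in clicked and reported[u] > clicked[u])

    first_report = min(reported.values()) if reported else None
    first_click = min(clicked.values()) if clicked else None

    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "reporting_rate": len(reported) / n,
        "clicked_then_reported": clicked_then_reported,
        "median_time_to_report_min": median(time_to_report) if time_to_report else None,
        "median_time_to_triage_min": median(time_to_triage) if time_to_triage else None,
        # Head start: minutes between the first report and the first click.
        # Positive means the SOC knew about the lure before anyone fell for it.
        "defender_head_start_min": (
            _minutes(first_click, first_report) if first_click and first_report else None
        ),
        "minutes_to_first_report": _minutes(first_report, launch) if first_report else None,
    }


if __name__ == "__main__":
    for k, v in campaign_metrics(EVENTS).items():
        print(f"{k:28} {v}")
```

On the constructed log the campaign has a 40% click rate, which a click-only dashboard would call a failure. The same log shows a 60% reporting rate, a first report four minutes after delivery and a six-minute head start before the first click, and one user who clicked and then reported anyway, which is the single most useful event in the whole campaign for the responders. The triage median (28 minutes) is the number the security team owns; if it grows, the reporting culture will follow it down.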
Final Thoughts: Security Is a System, Not a Checklist
Cybersecurity failures often stem from how we think about security, not just what tools we use. Survivorship Bias, misplaced priorities, and blind imitation create systematic blind spots that attackers exploit.
At the same time, this article only scratches the surface. Future discussions should explore the Overconfidence Effect, Availability Heuristic, and Normalization of Deviance—all of which shape security decisions in profound ways.
By challenging assumptions, measuring security effectively, and shifting to proactive defense, businesses can move from reactive security to true resilience.
Because in cybersecurity, luck is not a strategy.
References & Further Reading
- 2024 State of Threat Intelligence. (2024). Recorded Future. https://go.recordedfuture.com/2024-state-of-threat-intelligence
- Die Lage der IT-Sicherheit in Deutschland 2024. (2024). Bundesamt für Sicherheit in der Informationstechnik (BSI). https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2024.html
- The Global Cost of Ransomware Study. (2025, January). illumio. https://www.illumio.com/resource-center/cost-of-ransomware
- Taleb, N. (2007). The Black Swan: The Impact of the Highly Improbable.
- Cialdini, R. B. (2007). Influence: The Psychology of Persuasion.