Information Security Management, 2nd Edition by Michael Workman

12.5 Heuristic Biases and Security Planning

As we have presented, technology managers and other decision-makers typically have at their disposal data collections, reasoning systems, and AI decision applications that can generate probabilistic estimates and provide recommendations for courses of action based on threat vectors and surfaces, yet sometimes people choose intuition over information and evidence provided by these technologies. A study by Workman, for example, showed that some people ignore the recommendations of AI decision systems even when the systems are shown to be effective in reducing the number of human-induced errors.¹⁵ This can lead to unfortunate consequences and poor decisions.