There is one cognitive bias that all of us are vulnerable to, and it lies at the centre of many of the challenges cybersecurity professionals face every day. It is known as normalcy bias, which Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and believe that life will continue as normal, even in the face of serious threats or crises.” It is why people hesitate after a fire alarm goes off, or delay reacting to other unfolding situations, because things still seem manageable.
Because this bias leads us to mistake familiarity for safety and assumptions for evidence, it is increasingly getting in the way of dealing with cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack, or to interpret the absence of obvious problems or consequences as proof that risks are under control. In practice, many organisations treat a lack of alerts from their chosen security platform(s) as proof that everything is fine. Others fail to act quickly enough on warning signs because they assume business will simply continue as usual.
Meanwhile, despite a steady drumbeat of news headlines about breaches at organisations like M&S, JLR and Co-op (and most breaches never make the front pages), and advice from the cybersecurity industry and government bodies on how to avoid becoming the next victim, the number of major incidents continues to rise at an eye-watering rate.
The NCSC Annual Review 2025 reported 204 “nationally significant” cyberattacks in the 12 months to August 2025, a 130% increase on the 89 reported the previous year. Of 429 incidents in total, 18 were classed as “highly significant”, a 50% increase in severe incidents. Breach rates remain stubbornly high, which may reflect a creeping normalisation of breach risk and can be read as normalcy bias at scale: the more common breach disclosures become, the less urgency each one carries.
Lessons learnt?
There is a phrase wheeled out by governments and companies alike when a crisis of any kind, including a cybersecurity breach, occurs: “Lessons have been learnt”.
But have they? The 130% increase in significant incidents between 2024 and 2025 seriously challenges this claim and points to lessons not being learnt, at least at a macro level. It looks like a big no.
Last year I wrote a blog post that may, in part, explain the psychological state after a breach. I argued that many companies are, in a sense, both breached and not breached at the same time, and I likened this situation to Schrödinger’s cat. Until you open the box by interrogating logs or actively hunting for a compromise, the comfort of “we haven’t been breached” simply reflects the fact that no-one has actually checked. In fact, this reluctance to look may be normalcy bias quietly doing its work.
“Lessons have been learnt” is the aftermath of opening the box, finding the cat to be (sadly) deceased, and then declaring: “we know what happened, we’ve got a handle on this, don’t worry”. That is narrative, not evidence of a meaningful change in approach.
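The “no-one has actually checked” condition above has a concrete operational form: a quiet SIEM only proves that nothing is wrong if the telemetry that would have raised an alert is actually arriving. The following Python is an added illustration written for this page, not code from the original post or from ESET; the log-source names, timestamps and silence tolerances are constructed sample values, and the functions are hypothetical helpers rather than any product’s API. It flags every expected source that has gone silent or never reported, and refuses to treat a zero alert count as evidence of safety while any such source exists.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real telemetry): the timestamp of the last event each
# expected log source delivered to the SIEM. None means the source never reported.
SAMPLE_LAST_SEEN = {
    "edr-endpoint-agent": "2025-10-01T08:59:30Z",
    "vpn-gateway": "2025-10-01T08:58:02Z",
    "domain-controller": "2025-09-30T17:12:45Z",  # silent for almost 16 hours
    "cloud-audit-log": None,                      # onboarded but never delivered anything
}

# Assumed tolerances: how long each source may stay silent before "no alerts from it"
# stops being evidence of anything. Real values depend on the source's normal event rate.
SAMPLE_MAX_SILENCE = {
    "edr-endpoint-agent": timedelta(minutes=15),
    "vpn-gateway": timedelta(minutes=30),
    "domain-controller": timedelta(hours=1),
    "cloud-audit-log": timedelta(hours=1),
}


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp such as 2025-10-01T08:59:30Z; None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def silent_sources(last_seen, max_silence, now):
    """Return {source: reason} for every expected source that cannot vouch for "no alerts".

    A source is flagged when it has never reported, is missing from the ingestion
    metadata entirely, or has been silent for longer than its tolerance.
    """
    flagged = {}
    for source, tolerance in max_silence.items():
        ts = parse_utc(last_seen.get(source))
        if ts is None:
            flagged[source] = "no events ever received"
            continue
        gap = now - ts
        if gap > tolerance:
            flagged[source] = f"silent for {gap} (tolerance {tolerance})"
    return flagged


def quiet_means_safe(alert_count, last_seen, max_silence, now):
    """True only when there are zero alerts AND every feed that could raise one is alive.

    Zero alerts over a dead feed is the normalcy-bias trap: it looks like safety,
    but it is only the absence of a check.
    """
    if silent_sources(last_seen, max_silence, now):
        return False
    return alert_count == 0


if __name__ == "__main__":
    now = parse_utc("2025-10-01T09:00:00Z")
    for source, reason in silent_sources(SAMPLE_LAST_SEEN, SAMPLE_MAX_SILENCE, now).items():
        print(f"{source}: {reason}")
    print("zero alerts is evidence of quiet:",
          quiet_means_safe(0, SAMPLE_LAST_SEEN, SAMPLE_MAX_SILENCE, now))
```

Run against the sample, the domain controller and the cloud audit log are flagged, so a zero alert count is reported as meaningless rather than reassuring. In a real deployment the `last_seen` map would be read from the SIEM’s ingestion metadata, and the silence check itself should raise an alert, so that a dead feed is never quieter than a live one.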
Real learning, by contrast, is a proactive process that changes how an organisation behaves. It should show up in changes to budgets, policies, rules, recovery planning, supplier scrutiny, logging, monitoring, training and the tolerance for error, to name just a few. And all of it done before the inevitable breach takes place. It is much harder to hit a moving target, after all.
So, if we can accept that normalcy bias is a common and very human cognitive condition, we can move towards avoiding complacency before a breach and minimising its impact. ‘To err is human’, but now that we know what the failing is, we have an imperative to act on that knowledge and do things differently.
Endgame: what if we still don’t recognise this bias?
The criminal ‘auditors’ are banking on human error. After all, it is why phishing is still one of the most prevalent ways in which breaches happen.
There are two main ways in which the endgame plays out in cybersecurity.
Either we regularly audit ourselves: run penetration tests, red/blue/purple team and other attack simulation exercises, regularly re-evaluate the threat landscape, and invest in our security provision as part of our cyber resilience strategy.
Or we let cybercriminals do the ‘audit’ for us. They rely on a false sense of security (literally), and that is the chink in the armour they exploit.
Criminals ‘auditing’ you can be brutal, costly, devastating and, in many cases, terminal for an organisation. That is why this metaphor matters: cybercriminals uncover the gap between what an organisation believes about its security and what the reality is.
To put things into perspective, ESET’s threat intelligence processes 750,000 suspicious samples and analyses 2.5 billion URLs, blocking 500,000 of them, every day. Threat actors are relentless, and as their attacks become ever more sophisticated, we have to ditch any idea that we are impervious. We must accept that normalcy bias exists and act on it.
In the wake of numerous high-profile retail breaches in the UK, ESET conducted research with 2,000 consumers. The resulting report revealed, among other things, that 46% of consumers said it would take them five or more months to rebuild trust after a data breach. That is an expensive audit! One only has to do the simple maths to estimate the direct financial damage, if that is all senior management are interested in. On its own that should suffice, even though it is often just the tip of a very painful iceberg.
The bottom line
An aspect of normalcy bias I find most intriguing is that, despite the increased sophistication, speed, volume and variety of attack vectors we are all aware of, our approach to cyber resilience strategies often remains rooted in the past, even if it is the relatively recent past. But time passes quickly in cybersecurity, and in the four or five minutes it has taken you to read this article, ESET will have processed over 2,000 suspicious samples and scanned approximately 7 million URLs, blocking approximately 1,500 of them.
When asking why we should review our cybersecurity services provision, are we accounting for all the parameters that have changed (globally as well as locally) in the last few years, and how they might affect our current security posture?
Off the top of your head, you can probably name at least a few of these:
- Rise of AI-enabled fraud and other threats.
- The war in Ukraine.
- Iran.
- Increase in the cost of cybercrime worldwide.
- Deepfakes.
- Increased social engineering attacks.
- Persistence of phishing as the main attack vector.
- Increased complexity of cybersecurity solutions and services.
- Cyber skills gaps remaining worryingly wide.
There are many others, no doubt. And it is no coincidence that the level of protection offered by vendors just a few short years ago is being phased out, and MDR/XDR/MXDR services and solutions are becoming the norm.
The criminal ‘auditors’ certainly haven’t rested on their laurels in that time. While the use of new tools, like AI, doesn’t necessarily mean better code, it does let them scale attacks massively, and it allows them to scan for vulnerabilities at an unprecedented pace.
- If you aren’t investing in auditing, testing, cyber awareness and prevention technologies, you’re not saving money; you’re simply outsourcing assurance to the criminals.
- The most engaged the C-suite ever is with cybersecurity is immediately after a costly breach, once normalcy has been shattered. Get them to engage earlier.
- Criminals work 24 hours a day, around the clock, with agentic AI at their side. Are your solutions resilient enough to cope? Check.
- Whatever the size of your organisation, you need to look at your cyber profile and resilience constantly.
- Don’t mistake (incident) silence for safety; invest in 24/7 MDR/MXDR services.
- Now that you know about the ‘normalcy bias’ trap, avoid it.

