The Reason For All Information Security Woes… Sleep Deprivation

What do casinos, infomercials and computer attackers have in common? They often take advantage of their subjects’ poor judgment when deciding how to spend money. Another common element is that the economic decisions are frequently made when the subjects are sleep-deprived.

Recent Sleep Deprivation Research

A paper by Venkatraman et al. examined how sleep deprivation (SD) affects people’s risk preferences. The research showed that sleep deprivation shifts people’s common inclination to avoid loss toward pursuing gain. The change accompanies activity in regions of the brain “associated with reward anticipation and emotional processing.” As a result,

“While well rested participants sought to minimize the effect of the worst loss, SD caused the same individuals to be less concerned about losses and to shift to a strategy that improved the magnitude of the best gain.”

If we assume that people who make financial decisions in businesses are often sleep deprived, the research implies that such individuals will favor expenses that contribute to potential business growth, rather than spending money to avoid possible losses.

Implications for Information Security

Justifications for information security spending usually focus on loss avoidance. However, sleep-deprived individuals care less about avoiding losses than about maximizing gains. Therefore, we should seek to position security as a way of supporting business growth, instead of protecting the business from potential losses due to security incidents. However, I wonder whether that’s possible in most situations. After all, security is rarely an investment, but rather an expense that is expected to provide cost savings.

I am kidding, of course, about sleep deprivation being the cause of all security woes. Yet, the study should act as a reminder that sometimes people make decisions with the hope of avoiding losses; sometimes, the decisions are made with the hope of increasing gains. Keep this in mind when deciding how to associate information security initiatives with business objectives.

For more thoughts along these lines, see Choice Fatigue Might Affect Information Security Decisions.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
