The Reason For All Information Security Woes… Sleep Deprivation

What do casinos, infomercials and computer attackers have in common? They often take advantage of their subjects’ poor judgment when deciding how to spend money. Another common element is that the economic decisions are frequently made when the subjects are sleep-deprived.

Recent Sleep Deprivation Research

A paper by Venkatraman et al. examined how sleep deprivation (SD) affects people’s risk preferences. The research showed that sleep deprivation shifts people’s common inclination to avoid loss toward pursuing gain. The change accompanies activity in regions of the brain “associated with reward anticipation and emotional processing.” As a result,

“While well rested participants sought to minimize the effect of the worst loss, SD caused the same individuals to be less concerned about losses and to shift to a strategy that improved the magnitude of the best gain.”

If we assume that people who make financial decisions in businesses are often sleep deprived, the research implies that such individuals will favor expenses that contribute to potential business growth, rather than spending money to avoid possible losses.

Implications for Information Security

Justifications for information security spending usually focus on loss avoidance. However, sleep-deprived individuals care less about avoiding losses than about maximizing gains. Therefore, we should seek to position security as a way of supporting business growth, instead of protecting the business from potential losses due to security incidents. However, I wonder whether that’s possible in most situations. After all, security is rarely an investment, but rather an expense that is expected to provide cost savings.

I am kidding, of course, about sleep deprivation being the cause of all security woes. Yet, the study should act as a reminder that sometimes people make decisions with the hope of avoiding losses; sometimes, the decisions are made with the hope of increasing gains. Keep this in mind when deciding how to associate information security initiatives with business objectives.

For more thoughts along these lines, see Choice Fatigue Might Affect Information Security Decisions.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
