Cognitive Biases and Penetration Testing

by Jeremy Miller

This post first appeared on November 30, 2021 and is republished with permission from the author.

Disclaimer: The ideas below are my own and may not reflect those of OffSec.

Our minds are adapted to maximize human gene replication in an environment extremely different from the one anyone reading this blog post lives in today. Over many thousands of years of evolution, our brains have developed heuristics to help us make decisions that best serve that evolutionary purpose.

Heuristics are not always bad. For example, we are capable of making snap decisions in stressful situations without spending too much time weighing every conceivable option. However, heuristics are often maladapted to our modern circumstances. They can lead to cognitive biases that impair our reasoning and which reliably produce incorrect results.

Hacking involves thinking, so as security professionals we have an interest in improving the way that our minds work. In this blog post, I will discuss two cognitive biases I have experienced in myself and observed in students: the sunk cost fallacy and confirmation bias.

A Heap of Salt

The purpose of this article is not to help readers self-correct these biases because this isn’t often
