There’s one cognitive bias that we humans are prone to, and it lies at the heart of a number of the challenges that cybersecurity professionals face every single day. It’s known as the normalcy bias – what Dr. Lauren Braithwaite defines as “our tendency to underestimate the possibility of disaster and assume that life will continue as normal, even in the face of serious threats or crises.” It is why people hesitate after fire alarms go off or delay reacting in other unfolding situations because things still seem manageable.
As this bias can lead us to mistake familiarity for safety and assumptions for evidence, it is increasingly getting in the way of dealing with the cybersecurity reality. It causes people to underestimate the likelihood of a cyberattack or to interpret a lack of obvious problems or consequences as evidence that risks are under control. In practice, many organisations treat a lack of clear alerts from their chosen security platform(s) as proof that everything is fine. Others fail to act quickly enough on warning signs because they assume that business will simply continue as normal.
Meanwhile, despite a steady drumbeat of news headlines on breaches at organisations like M&S, JLR, and Co-op (and most breaches never actually make it to the front pages), and advice from the cybersecurity industry and government organisations about how to avoid becoming the next victim, the number of major incidents continues to rise at an eye-watering rate.
The NCSC Annual Review 2025 reported 204 “nationally significant” cyberattacks in the 12 months to August 2025, a 130% increase from the 89 reported in the previous year. Of 429 total incidents, 18 were classified as “highly significant,” marking a 50% increase in severe incidents. Breach rates remain stubbornly high, which may reflect a creeping normalisation of breach risk and can be seen as normalcy bias at scale: the more common breach disclosures become, the less urgency each one may carry.
Lessons learnt?
There’s a phrase that’s trotted out by governments and companies alike when a crisis of any kind – including a cybersecurity breach – occurs: “Lessons have been learnt”.
But have they? The 130% increase in significant incidents between 2024 and 2025 seriously challenges this assertion and points to lessons not being learnt, at a macro level. Looks like a big no!
Last year I wrote a blog post that may, in part, explain the psychological state after a breach. I argued that many companies are, in a sense, both breached and not breached, simultaneously, and I likened this situation to Schrödinger’s cat. Until you open the box by interrogating logs or actively hunting for a compromise, the comfort of “we haven’t been breached” merely reflects the fact that no-one has actually checked. In fact, this reluctance to look is also normalcy bias quietly doing its work.
“Lessons have been learnt” is the aftermath of opening the box, finding the cat to be (sadly) deceased, and then declaring: “we know what’s happened, we’ve got a handle on this, don’t worry”. That is narrative, not evidence of a meaningful change in approach.
By contrast, real learning is a proactive process that changes how organisations need to behave. This should be reflected in changes to budgets, policies, rules, recovery planning, supplier scrutiny, logging, monitoring, training, and the tolerance for error, to name just a few things. And all done before the inevitable breach takes place. It’s much harder to hit a moving target, after all.
So, if we can accept that normalcy bias is a common and human cognitive condition, we can progress towards avoiding complacency before a breach and minimise its impact. ‘To err is human’, but now that we know what the failing is, we have an imperative to act upon that knowledge – and do things differently.
Endgame: what if we still don’t recognise this bias?
The criminal ‘auditors’ are banking on human error. After all, it’s why phishing is still one of the most prevalent ways that breaches occur.
There are two main ways in which the endgame plays out in cybersecurity.
Either we regularly audit ourselves – run penetration testing, red/blue/purple team and other attack simulation exercises, regularly re-evaluate the threat landscape, and invest in our security provision as part of our cyber resilience strategy.
Or we allow cybercriminals to do the ‘audit’ for us. They rely on a false sense of security (literally), and that is the chink in the armour they exploit.
Criminals ‘auditing’ you can be brutal, costly, devastating and, in many cases, terminal for organisations. That is why this metaphor matters – cybercriminals uncover the gap between what an organisation believes about its security and what the reality is.
To put things into perspective, ESET’s threat intelligence processes 750,000 suspicious samples and analyses 2.5 billion URLs while blocking 500,000 of them – every single day. Threat actors are relentless, and as their attacks become more and more sophisticated, we have to ditch any notion that we’re impervious. We must accept that normalcy bias exists and act upon it.
In the wake of numerous high-profile retail breaches in the UK, ESET conducted research with 2,000 consumers. The resulting report revealed, among other things, that 46% of customers said it would take them 5+ months to rebuild trust after a data breach. That’s an expensive audit! One only needs to do the simple maths to estimate the direct financial damage, if that’s all the senior management are interested in. On its own this should suffice, despite the fact that it is usually the tip of a very painful iceberg.
The bottom line
An aspect of normalcy bias that I find most intriguing is that, despite the increased sophistication, speed, volume and variety of attack vectors we’re all aware of, our approach to cyber resilience strategies often remains rooted in the past – even if it is the relatively recent past. But time passes quickly in cybersecurity, and in the 4 or 5 minutes it’s taken you to read this article, ESET will have processed over 2,000 suspicious samples and scanned approx. 7 million URLs, blocking approx. 1,500 of them.
When asking why we should review cybersecurity services provision, are we accounting for all the parameters that have changed (globally as well as locally) in the past few years and how they could affect our current security posture?
Right off the top of your head, you can probably name at least a few of these:
- Rise of AI-enabled fraud and other threats.
- The war in Ukraine.
- Iran.
- Increase in the cost of cybercrime worldwide.
- Deepfakes.
- Increased social engineering attacks.
- Persistence of phishing as the main attack vector.
- Increased complexity of cybersecurity solutions and services.
- Cyber skills gaps remaining worryingly wide.
There are many others, no doubt. And it’s no coincidence that the level of protection offered by vendors just a few short years ago is being phased out, and MDR/XDR/MXDR services and solutions are becoming the norm.
The criminal ‘auditors’ certainly haven’t sat back on their laurels in that time. Whilst the use of new tools, like AI, doesn’t necessarily mean better coding, it does enable them to scale attacks massively – and it allows them to scan for vulnerabilities at an unprecedented pace.
- If you aren’t investing in auditing, testing, cyber awareness, and prevention technologies, you’re not saving money – you’re simply outsourcing assurance to the criminals.
- The most engaged the C-suite are with cybersecurity is immediately after a costly breach – after normalcy is shattered. Make them engage earlier.
- Criminals work 24 hours a day, around the clock, with agentic AI by their side. Are your solutions resilient enough to cope? Check.
- Whatever the size of your organisation, you need to look at your cyber profile and resilience constantly.
- Don’t mistake (incident) silence for safety – invest in 24/7 MDR/MXDR services.
- Now about the ‘normalcy bias’ trap – avoid it.