The Reason For All Information Security Woes… Sleep Deprivation

What do casinos, infomercials and computer attackers have in common? They often take advantage of their subjects’ poor judgment when deciding how to spend money. Another common element is that the economic decisions are frequently made when the subjects are sleep-deprived.

Recent Sleep Deprivation Research

A paper by Venkatraman et al. examined how sleep deprivation (SD) affects people’s risk preferences. The research showed that sleep deprivation shifts people’s common inclination to avoid loss toward pursuing gain. The change accompanies activity in regions of the brain “associated with reward anticipation and emotional processing.” As a result,

"While well rested participants sought to minimize the effect of the worst loss, SD caused the same individuals to be less concerned about losses and to shift to a strategy that improved the magnitude of the best gain."

If we assume that people who make financial decisions in businesses are often sleep deprived, the research implies that such individuals will favor expenses that contribute to potential business growth, rather than spending money to avoid possible losses.

Implications for Information Security

Justifications for information security spending usually focus on loss avoidance. However, sleep-deprived individuals care less about avoiding losses than about maximizing gains. Therefore, we should seek to position security as a way of supporting business growth, instead of protecting the business from potential losses due to security incidents. However, I wonder whether that’s possible in most situations. After all, security is rarely an investment, but rather an expense that is expected to provide cost savings.

I am kidding, of course, about sleep deprivation being the cause of all security woes. Yet, the study should act as a reminder that sometimes people make decisions with the hope of avoiding losses; sometimes, the decisions are made with the hope of increasing gains. Keep this in mind when deciding how to associate information security initiatives with business objectives.

For more thoughts along these lines, see Choice Fatigue Might Affect Information Security Decisions.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
