Red Hot Cyber
Cognitive Biases and Cybersecurity: The Fatal Fallacy of “I Have Nothing to Hide”

Fabrizio Saviano : 15 November 2025 12:39

In Italy, over 3,000 people lose their lives on the roads every year, despite everyone knowing basic safety rules. In cybercrime, the scenario isn’t all that different: millions of victims every year, even though it’s now well known that suspicious links are traps to be avoided. And if phishing continues to exist in all its forms, that means someone is still falling for it.

So, how can we explain this contradiction? Cognitive biases come into play: mental shortcuts that make us think “after all…”: “I have nothing to steal,” or “it will never happen to me,” or “I’m always careful,” and so on. This is a fatal error, because anyone can become a gateway to more interesting targets, or a perfect scapegoat for criminal activity, or simply because a cybercriminal’s automated routine has found a hole in your computer or phone and slipped in.

The “CISO Security Manager Manual” was created to help security professionals understand and address these psychological mechanisms, which undermine even the most advanced technologies.

The illusion of “I have nothing to hide”

Believing you’re not a target for cybercriminals is the riskiest bias. Every user is, in fact, a valuable asset for at least three key reasons:

  • Access Bridge: Every person is connected to networks of close friends, family, and colleagues. Criminals use these chains of trust to reach high-value targets.
  • Scapegoat: Stolen identities are used to commit fraud, open bank accounts, and launch covert attacks on unsuspecting victims.
  • Credential Source: Recycled passwords and personal data become ammunition for more sophisticated attacks.

But what does road safety teach us?

ISTAT data tell a tragic story: deaths caused by avoidable behaviors such as distracted driving or alcohol abuse, despite decades-long awareness campaigns. So, if people risk their lives by ignoring known rules, why should they comply with seemingly invisible regulations behind a screen?

Anatomy of Biases in Cybersecurity

  • Invulnerability bias: “It will never happen to me.” The brain ignores that criminals seek access and identity, not just wealth.
  • Illusory control bias: “I can recognize an attack, and if it happens, I’ll be careful.” The brain underestimates cunning and the constant updating of threats.
  • Technology delegation bias: “The antivirus, the expert friend, the IT support team will take care of it,” or at least someone/something else. It’s a dangerous illusion: the human factor remains the true weak link.

Although the most powerful supercomputers have processing power and memory superior to the human brain, they cannot replace its intuition, ability to correlate unstructured information, and contextual judgment. The “big lie” of technology is the belief that it will solve every security problem on its own.

What to do in companies?

Be careful! Biases aren’t errors; they’re survival strategies for quickly processing mountains of data. In the real world, they work to save us, but in cyberspace, they can open the door to irreparable disaster.

Indeed, the future is interdisciplinary: technology, psychology, and human behavior must coexist. The challenge is to use biases positively to go beyond simple technical defenses.

  • Design systems that work “with” biases, not against them.
  • Train people in safety by taking into account psychological resistance, not just by informing.
  • Use nudges, not rigid barriers, toward safe behaviors.

To delve deeper into the relationship between the human factor and cybersecurity, the “CISO Security Manager Manual” devotes ample space to these issues, which are fundamental to survival.

Fabrizio Saviano
Fabrizio Saviano is an Authorized Instructor (ISC)² for CISSP certification, a consultant in IT security and governance, persuasive and cognitive technologies. He holds a degree in Communication Sciences with a specialization in Cognitivism, was a selected agent of the Milan Postal Police intrusion team, CISO of a global bank, and started BT Security in Italy.