Mapping Cognitive Biases in Risk Assessment

Cognitive biases are mental processes that affect our ability to perceive a particular situation based on inputs we have encountered in the past. They cause mistakes in reasoning, evaluation, or recall of a situation, and affect a person’s decision-making.

They can be organized into 4 categories:

  1. Biases that arise from too much information
  2. Biases that arise from not enough meaning
  3. Biases that arise from the need to act quickly
  4. Biases that arise from the limits of memory


Risk assessments “address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems” (NIST Guide for Conducting Risk Assessments).

They are used to identify, prioritize and estimate the risks that an IT threat presents to an organization, its operations and its assets.

In a risk assessment, the organization:

  • reviews the threats against its assets (who/what can cause harm)
  • identifies vulnerabilities (how harm can occur)
  • identifies consequences (what assets can be harmed, and to what degree).


Mapping biases:

Mapping the attributes measured in a risk assessment (who/what, how, what assets, to what degree) to the cognitive biases that can distort each of them has a direct bearing on how reliable the assessment is. Flagging these biases early in an organizational risk assessment should be a priority for companies that want to ensure objectivity.

  1. Biases that arise from too much information
  • We notice things already primed in memory or repeated often (to what degree)
  • Bizarre, funny, visually-striking, or anthropomorphic things stick out more than non-bizarre/unfunny things (what assets)
  • We notice when something has changed (how, to what degree)
  • We are drawn to details that confirm our existing beliefs (how, to what degree)
  • We notice flaws in others more easily than we notice flaws in ourselves (who/what)


  2. Biases that arise from not enough meaning
  • We tend to find stories and patterns even when looking at sparse data (what assets)
  • We fill in characteristics from stereotypes, generalities, and prior histories (who/what, how, what assets, what degree)
  • We imagine things and people we’re familiar with or fond of as better (who/what)
  • We simplify probabilities and numbers to make them easier to think about (to what degree)
  • We think we know what other people are thinking (who/what)
  • We project our current mindset and assumptions onto the past and the future (how, to what degree)


  3. Biases that arise from the need to act quickly
  • To act, we must be confident we can make an impact and feel that what we do is important (how)
  • To stay focused, we favor the immediate, relatable thing in front of us (who/what, what assets)
  • To get things done, we tend to complete things we’ve invested time & energy in (how, to what degree)
  • To avoid mistakes, we aim to preserve autonomy and group status, and avoid irreversible decisions (who/what)
  • We favor simple-looking options and complete information over complex, ambiguous options (what assets, to what degree)


  4. Biases that arise from the limits of memory
  • We edit and reinforce some memories after the fact (how, to what degree)
  • We discard specifics to form generalities (to what degree)
  • We reduce events and lists to their key elements (what assets, to what degree)
  • We store memories differently based on how they were experienced (how)


Taking a team approach to risk assessment is essential because it reduces how much any one individual’s biases can influence the assessment of risk. Teams should consist of 3-10 competent members selected for their knowledge, experience and commitment to the effort, and should be drawn from a range of departments and ranks. As these employees become more aware of how their biases shape the assessment of risk, they can evaluate whole-system risk more objectively and apply best practices to mitigate risks to the organization.